While 7-Eleven is a U.S.-based company, it operates a massive number of stores and ATMs in the land of the rising sun. 7-Eleven Japan launched a new ‘7pay’ app for making in-store payments on July 1st, and the company has already halted all payments after massive security flaws caused over $500,000 to be charged to unsuspecting customers.
As reported by ZDNet, the 7pay app functioned much like Walmart Pay and other non-NFC payment applications — customers would log into their accounts, show a barcode to a cashier at a 7-Eleven store, and the purchase would be charged to the buyer’s preferred payment method.
However, it was quickly discovered that the password reset function allowed emails to be sent to third-party addresses. Someone only needed to know a 7pay user’s email address, date of birth, and phone number to obtain full access to an account. Previous data breaches in Japan have made it fairly easy to find the required information, and the date of birth wasn’t even required in some cases — 7-Eleven automatically set it to January 1st, 2019 if the account owner didn’t put in their own birthday.
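The reset flaw described above, sketched as an added example (not 7-Eleven's code; the account fields, function names and in-memory stores are assumptions): the flawed flow mails the reset link to a requester-supplied address, while the hardened flow sends a single-use, expiring token only to the address on file.

```python
import hashlib
import secrets
import time

# Constructed sample account; field names and stores are assumptions for illustration.
ACCOUNTS = {"user@example.com": {"dob": "2019-01-01", "phone": "0900000000"}}
OUTBOX = []        # (recipient, body) pairs "sent" by either flow
RESET_TOKENS = {}  # sha256(token) -> (account email, expiry timestamp)
TOKEN_TTL = 15 * 60  # seconds

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def reset_flawed(email, dob, phone, send_to):
    """Flow as the article describes it: guessable facts plus a caller-chosen recipient."""
    acct = ACCOUNTS.get(email)
    if acct and acct["dob"] == dob and acct["phone"] == phone:
        OUTBOX.append((send_to, "reset link"))  # goes wherever the requester asks
        return True
    return False

def reset_hardened(email, now=None):
    """Send a single-use, expiring token only to the address already on file."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_digest(token)] = (email, now + TOKEN_TTL)  # store only the hash
        OUTBOX.append((email, token))
    return True  # identical response whether or not the account exists

def redeem(token, now=None):
    """Consume a token; return its account, or None if unknown, reused or expired."""
    now = time.time() if now is None else now
    email, expires = RESET_TOKENS.pop(_digest(token), (None, 0))
    return email if email and now <= expires else None
```

The hardened flow never accepts a delivery address from the request, so knowing an account's email, birthday and phone number is not enough to receive the reset message.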
Hackers quickly took advantage of the massive security flaws to make over ¥55 million ($510,000) of illegal charges. 7-Eleven shut down the service on July 3rd, and the website for 7pay now has the following message (via Google Translate):
“We deeply apologize for any inconvenience caused to our customers. Currently, 7pay new registration and all charge services are suspended. [As for] future compensation, we will notify you as soon as the response policy is finalized.”
Many American stores have also had less-than-ideal security with their own payment apps. CurrentC, the infamous payment app briefly used by Walmart, CVS, Rite-Aid, and others instead of NFC, was hacked shortly after its pilot program began.