International Crime Ring Suspected in 7-Eleven App Breach (japantoday.com) 37
On Monday, 7-Eleven launched a smartphone payment service for its 20,000 stores in Japan. By Thursday $510,000 had been stolen from the people using it -- as many as 900 customers.
Long-time Slashdot reader shanen shared this follow-up article, which points out that it's also possible that email addresses and birth dates have been accessed from among the new app's 1.5 million registered users: Tsuyoshi Kobayashi, president of Seven Pay Co., told a press conference in Tokyo that the company will compensate users for the losses caused by fraudulent access and that it has already suspended accepting new users or allowing users of the service to add money to its smartphone application. The estimated amount of losses the company announced is as of 6 a.m. Thursday and the damage could expand...
The parent company said someone, who had accessed their accounts and used the registered numbers of their credit or debit cards, purchased items at its convenience stores. The items included packs of cigarettes, which can be easily converted into cash, it said, adding there was a case in which a huge quantity worth 100,000 yen [$921] was purchased all at once at one of its outlets...
According to Seven & i Holdings, some customers reported their losses on Tuesday and unauthorized access from China and other locations outside Japan was confirmed... Police arrested two Chinese men on Thursday in connection with the problem, investigative sources said. They are suspected of illegally using the ID and password of a customer Wednesday in an attempt to buy electric cigarette cartridges worth around 200,000 yen [$1,843] at a 7-Eleven shop in Tokyo.
Nikkei Asian Review reports that one of the suspects "received instructions about gaining unauthorized access to 7pay accounts via WeChat, a popular Chinese messaging app. The Metropolitan Police Department suspects the involvement of an international criminal organization." (Japan Times reports that one man was asked to do "some shopping" after which they would receive "a reward".)
Nikkei Asian Review also notes that the Japanese government has been pushing to to have a least 40% of all payments be cashless by the mid-2020s -- including generous government tax incentives -- which one consumer finance writer says has "overheated" the market, while "the quality of services has declined in some cases."
Long-time Slashdot reader shanen shared this follow-up article, which points out that it's also possible that email addresses and birth dates have been accessed from among the new app's 1.5 million registered users: Tsuyoshi Kobayashi, president of Seven Pay Co., told a press conference in Tokyo that the company will compensate users for the losses caused by fraudulent access and that it has already suspended accepting new users or allowing users of the service to add money to its smartphone application. The estimated amount of losses the company announced is as of 6 a.m. Thursday and the damage could expand...
The parent company said someone, who had accessed their accounts and used the registered numbers of their credit or debit cards, purchased items at its convenience stores. The items included packs of cigarettes, which can be easily converted into cash, it said, adding there was a case in which a huge quantity worth 100,000 yen [$921] was purchased all at once at one of its outlets...
According to Seven & i Holdings, some customers reported their losses on Tuesday and unauthorized access from China and other locations outside Japan was confirmed... Police arrested two Chinese men on Thursday in connection with the problem, investigative sources said. They are suspected of illegally using the ID and password of a customer Wednesday in an attempt to buy electric cigarette cartridges worth around 200,000 yen [$1,843] at a 7-Eleven shop in Tokyo.
Nikkei Asian Review reports that one of the suspects "received instructions about gaining unauthorized access to 7pay accounts via WeChat, a popular Chinese messaging app. The Metropolitan Police Department suspects the involvement of an international criminal organization." (Japan Times reports that one man was asked to do "some shopping" after which they would receive "a reward".)
Nikkei Asian Review also notes that the Japanese government has been pushing to to have a least 40% of all payments be cashless by the mid-2020s -- including generous government tax incentives -- which one consumer finance writer says has "overheated" the market, while "the quality of services has declined in some cases."
Is it returning? (Score:2)
The return of the dupe monster?
Yes. (Score:2)
Re: (Score:3)
Today's article contains new information about who's behind the breach.
My guess is that insiders are involved. The breach happened a week after the release. That's suspiciously fast. An insider could have provided the source code for the app to the crooks, and/or may have told them about security holes that 7-11 management had decided could be fixed in the next release.
Re: (Score:2)
The breach happened a week after the release. That's suspiciously fast.
It's not fast, considering the badness of the vulnerability. When you attack a new app, what do you do? You look at what APIs it's calling, maybe fuzz them a bit, figure out what the security model looks like. With this app, you wouldn't even be done figuring out what the security model looks like before finding the vuln.
The only real question is, why were hackers looking at this as soon as it came out? That should be a warning, that if you are writing any kind of app that handles payments, malicious hac
Re: (Score:3)
Could be incompetence. Apparently there was another flaw that let you get infinite free rice balls. Every time you sign up for an account you get a coupon for a free rice ball, and all you need to sign up is an email address, and of course generating an infinite number of those is trivial.
Re: (Score:1)
In related news, dupes make a force comeback.
Re: (Score:2)
Meta-comments as the partial source (Score:2)
First of all I want to thank EditorDavid for doing a pretty good job of describing the story, though he didn't actually use any of my perspectives on the story. I guess I should add my version at the end of this comment, but he read the stuff and wrote it up well.
Second, it shows how bad TV news is. The earlier version of the story credited to msmash was much deeper and more useful than anything I saw on NHK, which is supposed to be doing relatively good journalism. They featured the story on at least two n
This is why Iâ(TM)ve ditched retailers that w (Score:2)
Thousands of people had their credit cards skimmed by the Walmart app as well. That story was buried (how much does it cost to have a story buried on the net?).
I've had my card skimmed 5 times in the past few years.
Apple Pay currently isn't skinnable and cannot be by design.
Fuck every company that wants my credit card info.
They're not getting it ever again.
Re: (Score:2)
I understand why these companies what you to use their own payment apps - they want to have access to as much of your information as possible, and they want to track you.
What I don't understand is why the companies which offer secure phone-based NFC payment solutions don't advertise more directly and forcefully to consumers, explaining the advantages. It's not like Apple or Samsung are exactly digging through the couch looking for change to pay for their next ad campaign. I know most people aren't tech nerd
Re: (Score:2)
Won't take Apple Pay? Fuck you then (Score:2)
Thousands of people had their credit cards skimmed by the Walmart app as well. That story was buried (how much does it cost to have a story buried on the net?).
I've had my card skimmed 5 times in the past few years.
Apple Pay currently isn't skinnable and cannot be by design.
Fuck every company that wants my credit card info.
They're not getting it ever again.
Re: (Score:2)
Re: (Score:2)
Trusting anything financial to a phone (Score:2)
is sketchy at best.
Linking it directly to your checking account is opening the door to disaster. (something I'll never do)
This is what Debit/Credit cards are for, let them take the risk thats what they are getting paid for.
E-Fraud (Score:2)
'smart devices' (Score:1)