Approximately 900 customers of 7-Eleven Japan reportedly lost over USD 500,000 last week after hackers exploited a security flaw in the new mobile payment application, 7Pay.
What went wrong?
According to a statement released on the company’s website, third parties were able to access the accounts of 7Pay users, which resulted in customers losing over USD 500,000 collectively.
The barcode payment service let consumers charge their purchases automatically to a registered debit or credit card. On July 2, the company received a complaint from a user about an unauthorized transaction. After an initial investigation confirmed fraudulent activity, the convenience store chain suspended the card payment feature of the 7Pay app.
The company said it will reimburse affected customers and investigate the issue thoroughly. However, approximately 900 accounts were already compromised over the course of the past week. According to media reports, the vulnerability allowed attackers to reset a 7Pay user's password to one of their own choosing if they knew, or could guess, the user's name and date of birth. A name and a birthdate are not secrets: both are widely available from social media, leaked databases and public records, so treating them as proof of identity gave anyone who had them control of the account and of the payment card attached to it.
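To make the failure concrete, the following is an added example written for this article (not 7Pay's code, nor a reconstruction of it). It puts the weak "knowledge-based" reset described above beside a token-based reset that ties the new password to a single-use, short-lived secret delivered out of band. The account data, the user "Taro Yamada" and the 15-minute token lifetime are constructed for the example.

```python
"""Password-reset flows: the weak name-plus-birthdate pattern described in the
article beside a token-based alternative.  Illustrative only; the account data
is constructed and the code is not 7Pay's."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


@dataclass
class Account:
    name: str
    dob: str                      # "YYYY-MM-DD"
    email: str                    # address on file; reset mail goes only here
    salt: bytes
    password_hash: bytes
    reset_token_hash: Optional[bytes] = None  # sha256 of outstanding token, never the token itself
    reset_token_expiry: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(acct: Account, password: str) -> None:
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = _hash_password(password, acct.salt)


def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash)


def make_demo_store() -> Dict[str, Account]:
    """Constructed sample data (hypothetical user, not a real customer)."""
    acct = Account(name="Taro Yamada", dob="1985-04-01", email="taro@example.com",
                   salt=b"", password_hash=b"")
    set_password(acct, "original-pw")
    return {acct.name: acct}


# --- Weak flow: public facts stand in for proof of identity ----------------
def vulnerable_reset(store: Dict[str, Account], name: str, dob: str, new_password: str) -> bool:
    """Anyone who knows the user's name and date of birth can choose a new password."""
    acct = store.get(name)
    if acct is None or acct.dob != dob:
        return False
    set_password(acct, new_password)
    return True


# --- Hardened flow: possession of a single-use secret sent out of band -----
def request_reset(store: Dict[str, Account], name: str, now: Optional[float] = None) -> Optional[str]:
    """Mint a random, short-lived token and store only its hash.

    A real implementation e-mails the token to acct.email (the address already
    on file, never one supplied in the request) and returns nothing to the
    caller; it is returned here only so the example can be exercised offline."""
    acct = store.get(name)
    if acct is None:
        return None  # production code should respond identically to avoid user enumeration
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_token_expiry = (now if now is not None else time.time()) + RESET_TOKEN_TTL
    return token


def complete_reset(store: Dict[str, Account], name: str, token: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    """Accept the new password only with a valid, unexpired, unused token."""
    acct = store.get(name)
    if acct is None or acct.reset_token_hash is None:
        return False
    current = now if now is not None else time.time()
    if current > acct.reset_token_expiry:
        acct.reset_token_hash = None  # expired tokens are discarded, not retried
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False  # pair with rate limiting / lockout in production
    acct.reset_token_hash = None  # single use
    set_password(acct, new_password)
    return True
```

The difference between the two flows is what the server accepts as evidence: the weak flow accepts facts an attacker can look up, the hardened one accepts only a fresh random value that was delivered to the address already on the account, and it refuses that value after it has been used once or after it has expired. Name-based lookup and the returned token are simplifications for the example; a deployed service would key on an internal user ID and never hand the token back in the API response.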
Missing in action: Vulnerability assessment
This raises an obvious question: why was it so easy for attackers to exploit the flaw? Laurie Mercer, Sales Engineer, EMEA, HackerOne, says, "This vulnerability allows anyone with my name and date of birth to reset my password to a password of their choice, and compromise my account. This sort of vulnerability can be easily detected by a human tester. It is therefore surprising that this vulnerability was not detected earlier."
A simple application penetration test performed by a security expert would have found this issue, opines Amit Sethi, Senior Principal Consultant at Synopsys. “While penetration tests on their own are not sufficient for building secure applications, they are essential for ensuring that trivially exploitable flaws like this are discovered before launch.”
Attackers who compromised user accounts now have access to the users' e-mail addresses, phone numbers and potentially birthdates, he adds.
This data breach allows attackers to view users’ previous transactions and exploit the information in the future for other cyber-attacks, such as phishing.
Currently, 7-Eleven Japan has stopped new registrations for 7Pay and has promised to draw up improvement measures aimed at a fundamental fix, according to the company's statement.