
7-Eleven Japanese customers lose 55m yen due to mobile app flaw

thomas

Unswerving cyclist
Admin
14 Mar 2002
The level of incompetence and negligence displayed in launching the 7pay app is simply unbelievable. Chinese hackers had been compromising it from the first day of operation, stealing a total of 55m JPY! Accounts were hijacked, as third parties were able to have a new password generated and sent to an email account of their choice! There was no two-factor authentication (2fa) in place.


However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people's accounts and have the password reset link sent to their own email address, instead of to the legitimate account owner. A hacker only needed to know a 7pay user's email address, date of birth, and phone number. An additional field in the password reset section allowed the hacker to request that the password reset link be sent to a third-party email address (under the hacker's control), with no need to dig through the app's code or tamper with HTTP requests, as most of these hacks involve. Furthermore, if the user hadn't entered their date of birth, the app would use a default of January 1, 2019, making some attacks even easier, according to a report in Yahoo Japan. With so much data about Japanese users lying around the internet from the multitude of past breaches, a hacker only had to compile it and automate an attack.
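As an added illustration (not code from this post or from 7pay), a small Python sketch of a reset-request handler with the two weaknesses described above, next to a hardened form that sends the token only to the address on file and treats a missing date of birth as a verification failure. The account store, sample values and the in-memory outbox are constructed for the demo.

```python
import hmac
import secrets

# Constructed sample account store: email -> registered verification data
ACCOUNTS = {
    "alice@example.com": {"dob": "1985-06-02", "phone": "09011112222"},
}
# Stand-in for a mail transport: list of (recipient, token) that would be sent
OUTBOX = []


def flawed_request_reset(email, dob, phone, send_to=None):
    """Mirrors the flaw described above: the caller may choose where the reset
    link goes, and a missing date of birth silently falls back to a default."""
    acct = ACCOUNTS.get(email)
    dob = dob or "2019-01-01"  # default applied when the user never set one
    if acct and acct["dob"] == dob and acct["phone"] == phone:
        token = secrets.token_urlsafe(32)
        OUTBOX.append((send_to or email, token))  # attacker-chosen destination
        return "sent"
    return "failed"  # also leaks whether the account/details matched


def hardened_request_reset(email, dob, phone, **ignored):
    """Hardened form: any extra 'send_to'-style field is ignored, the token only
    ever goes to the registered address, a missing date of birth is a failure,
    comparisons are constant-time, and the response is the same either way so
    the caller cannot tell whether the account exists or the details matched."""
    acct = ACCOUNTS.get(email)
    if acct and dob and phone:
        ok = hmac.compare_digest(acct["dob"], dob) & hmac.compare_digest(
            acct["phone"], phone
        )
        if ok:
            OUTBOX.append((email, secrets.token_urlsafe(32)))
    return "If the account exists, a reset link has been sent to its registered address."
```

In a real deployment the hardened handler would also rate-limit requests per account and source, and expire tokens after a single use.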

My distrust of all sorts of entities, whether commercial or government, goes way back to long before all this Net world and related tech stuff became such a common sort of life for all sorts of people around the world, BUT it is obvious that certain issues have to be faced when you are going to use the Net to make money and to gather information from/about people.

And this gathering of information is happening in ways many folks don't even realize. Please excuse me admin/owner folks here at JREF, but even this site gathers information and has to be careful about keeping it safe.

I have responsibilities on the Net under the same umbrella.

I got into trouble at the ISOC many years ago because I was advocating more government watching of those that are allowed to collect information about people. I'm not even sure I want to use the modifier that is so common -- "personal" -- because I don't care what the information is, if you are trusted by someone to collect it, then guard it as best you can. And "as best you can" is a key phrase in that idea.

Okay, so it does appear that 'Seven and I Holdings' didn't do things correctly. In fact, I have a good friend who owns a 7-Eleven store and I wonder what he is going to tell me when I ask if he was aware that things weren't so cool in that area where the company seems to have been rather dumb, to be polite.

But the reason I am posting here is because of the following, which can serve as a sort of example of what the government folks here ought to be giving serious consideration to copying:
