On September 30, Seven & I Holdings Co. in Japan shut down its mobile payment system called 7pay. However, 400,000 users of the short-lived service still have unused funds in their accounts. In this article, we recap what happened to 7-Eleven's mobile payment service and how users can get their money back.
The hack
On July 1, 2019, 7-Eleven Japan launched its mobile payments system called 7pay. Not even 24 hours had passed since the launch when subscribers began reporting unauthorized use of their accounts. After only 3 days of operation, on July 3, the company froze the ability to transfer money from credit and debit cards to 7pay accounts and stopped issuing new subscriptions. From that day, users could spend only the funds already in their 7pay account balance.
A total of 808 users were affected by the 7pay hack in early July 2019.
As it became known later on, 808 subscribers lost a total of JPY 38 million because of the system hack. How did it happen? Reportedly, 7pay did not have adequate protection measures in place. For example, there was no two-step authorization. It appears that the hackers either acquired a list of login credentials for some other online service and found 7pay subscribers who used the same IDs and passwords for this service as well, or exploited a password reset function that allowed new credentials to be sent to any email address.
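The password reset weakness reported above, as an added example that is not 7pay's code or part of the original article: a constructed in-memory reset handler in which the caller can choose the destination address, shown beside a hardened version that mails only the address on file. All names (`reset_weak`, `reset_hardened`, `redeem`, the `send_to` parameter) and the sample account are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: account ID -> registered e-mail address.
USERS = {"user-1001": "owner@example.com"}
OUTBOX = []          # (recipient, token) pairs standing in for sent mail
RESET_TOKENS = {}    # sha256(token) -> (account_id, expiry timestamp)
TOKEN_TTL = 15 * 60  # seconds


def _issue_token(account_id, now):
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (account_id, now + TOKEN_TTL)  # store only the hash
    return token


def reset_weak(account_id, send_to=None, now=None):
    """Flawed pattern: the caller chooses where the reset mail goes."""
    now = time.time() if now is None else now
    if account_id not in USERS:
        return "unknown account"          # also reveals which IDs exist
    recipient = send_to or USERS[account_id]
    OUTBOX.append((recipient, _issue_token(account_id, now)))
    return "sent"


def reset_hardened(account_id, send_to=None, now=None):
    """Ignore any client-supplied address; mail only the address on file."""
    now = time.time() if now is None else now
    registered = USERS.get(account_id)
    if registered is not None:
        OUTBOX.append((registered, _issue_token(account_id, now)))
    return "If the account exists, a reset link was sent."  # uniform reply


def redeem(token, now=None):
    """Single-use, time-limited redemption; returns the account ID or None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

Requiring a second factor before `redeem` accepts a token would address the missing two-step check the article mentions as well.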
Two men from China were arrested, one of them on suspicion of trying to pay for 146 cartons of e-cigarette cartridges totaling JPY 730,000 at a 7-Eleven chain store in Tokyo using seven or eight different stolen 7pay IDs. However, police suspect there might be a China-based group of criminals who were stealing 7pay IDs.
Both suspects said that they got instructions through WeChat: one through a group chat on the platform, in exchange for rewards for going shopping; the other on the promise of a part-time job as a driver in the Shinjuku district. While it seems that both men were coordinated by the same WeChat alias, it is still unknown how one of them managed to settle a deal for such a large batch of cartons at the shop.
What will happen to the deposits?
Of nearly 1.5 million users, some 400,000 still have money deposited in their 7pay accounts. Although the service is no longer available, subscribers can apply for a refund by January 10, 2020, and get their deposits back as a transfer to their bank account or by postal payment.
As a security measure, 7-Eleven has also reset the passwords of all 7iD users (7iD is a set of credentials needed to use online shopping services from Seven & I Holdings Co.), even though they are not connected with 7pay login information. However, the trust has been broken.
What is next?
Despite this fiasco, 7-Eleven in Japan is determined to continue its work on the cashless payment system. Although cashless payments are growing more popular in Japan every day, it will take time to develop another system with proper security measures. Not to mention how much time it will take to acquire and retain subscribers after the 7pay incident.
It seems that 7-Eleven has some tough times ahead. With 7pay problems to solve on the one hand, the company has also faced setbacks in dealing with the opening hours issue on the other.
"Otsumami" - a bite-size snack:
When dealing with online payments, users’ data security should come first.