It would seem that the developers of the Japan-based 7-Eleven wallet app (7 Pay) had not heard of phone fraud. If they had, they’d have built a more secure method of changing user passwords in said app. As a result of their relative lack of finesse when it came to developing this one bit of the app, 900 customers lost a grand total of approximately 55 million yen (roughly $506k).
The security lapse rested in the official 7-Eleven wallet app, an app that connected to a user’s bank account and gave rewards and deals to customers based on their purchases. To pay for purchases, customers would simply call up a barcode and let the clerk scan it.
If I’d only read this far into the story, I’d have assumed that the barcode bit was going to be the issue. That system has such potential for security flaws that I was shocked to find that the incident occurred elsewhere. In fact, the security flaw wasn’t in the app itself, but in the process by which a customer was allowed to reset their password.
To reset a password for the wallet app, an attacker needed only a customer’s email address, date of birth, and phone number. Through the standard password reset process, the attacker could have the reset link sent to a third-party email address of their choosing rather than to the address on the account. Once the reset link was delivered, the attacker was in full control of the wallet.
Most users’ email addresses, dates of birth, and phone numbers were relatively easy to find on the web via any number of past breaches on websites aplenty. The process from there would’ve been easy enough, but there is yet ANOTHER break in the security chain.
If a user wanted to sign up for a 7-Eleven Wallet account without their date of birth, the date of birth would default to 01/01/2019 (or whatever year it happened to be at signup). You can imagine the malicious users’ delight at finding out that particular tidbit.
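Both breaks in the chain described above can be seen in a single reset flow. The following is an added example written for this post, not 7 Pay’s code: a constructed in-memory user store, a reset handler with the flaw the article describes (the requester picks where the link goes) beside a hardened one (the link only ever goes to the address on record, and the response does not reveal whether the account exists), plus a signup that refuses a missing date of birth instead of defaulting it.

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for a database and an outgoing-mail service.
USERS = {"alice@example.com": {"dob": "1985-06-04", "phone": "090-0000-0001"}}
OUTBOX = []         # (recipient, message) pairs that "were sent"
RESET_TOKENS = {}   # sha256(token) -> account email; only the hash is stored

def _send(recipient, message):
    OUTBOX.append((recipient, message))

def _issue_token(email):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    return token

def _factors_match(email, dob, phone):
    user = USERS.get(email)
    return bool(user) and user["dob"] == dob and user["phone"] == phone

def request_reset_vulnerable(email, dob, phone, send_to):
    """The flaw as described: the reset link goes wherever the requester says.
    All three factors are public-breach data, so this is full account takeover."""
    if not _factors_match(email, dob, phone):
        return False
    _send(send_to, "reset token: " + _issue_token(email))   # attacker-chosen recipient
    return True

def request_reset_hardened(email, dob, phone):
    """Fixed: the link goes only to the address already on the account, and the
    caller gets the same reply whether or not the account exists (no enumeration)."""
    if _factors_match(email, dob, phone):
        _send(email, "reset token: " + _issue_token(email))
    return "If an account exists, a reset link has been sent to its registered address."

def register(email, dob, phone):
    """Fixed signup: a missing date of birth is rejected rather than silently set to
    01/01 of the current year, which would make one reset factor guessable."""
    if not dob:
        return False
    USERS[email] = {"dob": dob, "phone": phone}
    return True
```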
What can you do to avoid a situation like this, as a user? If you absolutely MUST sign up for “wallet” apps, try to do so with account details you’ve never combined before. For example, sign up with your standard phone number, but create a new email address to use for that account alone.
Stay wily! Prance around wildly, like a cat! If they can’t predict your actions, you can’t be caught!
ALSO NOTE: If you are a user of the 7-Eleven Wallet app (7 Pay) in Japan (or anywhere else in the world, for that matter), you’ll probably want to stop now and de-authorize the account from access to your bank account. If you find you’ve been the victim of fraud, there’s a process listed at Seven Eleven Japan, though you might want to contact your local authorities as well.