BreachExchange mailing list archives
Hackers Slurp $500,000 Through 7-Eleven Mobile Payment App
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 8 Jul 2019 09:00:44 -0500
https://www.databreachtoday.com/hackers-slurp-500000-through-7-eleven-mobile-payment-app-a-12729

Hundreds of 7-Eleven customers in Japan collectively lost about $500,000 over the course of several days this week after hackers accessed a new mobile payment app that had poor password and user authentication security, according to several media reports and company statements.

On Thursday, 7-Eleven's corporate division in Japan released a statement acknowledging that about 900 customers had been affected, and the company is investigating. The mobile payment app, called "7pay," is no longer in use, the company added.

Altogether, the company estimates that customers lost about ¥55 million or approximately $507,000 over several days, according to the statement. 7-Eleven is also planning to reimburse customers for any losses.

Not Designed for Security

It's not clear yet what caused the problem with the app, which 7-Eleven only released July 1 for customers in Japan, but some customers told Yahoo Japan that if hackers knew or guessed the date of birth, email address and the phone number of a victim, they could reset and change 7pay passwords.

It also appears that 7-Eleven didn't design two-factor authentication into the app since the password reset did not require an SMS message or another notification to the user before changing the password, according to Yahoo Japan.

Instead, the password reset link would be sent to an email address that hackers could then use to reset the password and access the app, as well as credit card and other information stored within the platform, the Yahoo Japan article shows.

By Thursday, 7-Eleven customers took to Twitter in Japan to show how easy it is to bypass the 7pay password reset: