TOKYO -- Chinese cybercriminals are believed to have exploited weak security in Seven & i Holdings' mobile payment app to make unauthorized charges worth about 55 million yen ($459,961) earlier this month, affecting some 900 users.
Most of the charges made with the company's 7pay app were used to buy electronic cigarettes, leading authorities to believe that Chinese gangs were responsible for the theft. E-cigarettes are popular in China, especially among young people.
China controls the prices of all cigarettes through a state-owned monopoly, making the sale of stolen e-cigarettes an attractive way for criminals to earn cash.
There have been many similar cases in recent years, according to a Japanese investigator familiar with crimes committed by foreigners, so "there must be Chinese criminal organizations behind it."
In a related case, gangs sent e-cigarettes stolen in Japan to China via express mail, reselling them for 60% below the established price in Japan.
The trouble began on the morning of July 3. In one incident, a young man speaking broken English asked a cashier at a 7-Eleven store in Tokyo for e-cigarette cartridges. After paying about 730,000 yen with a hacked 7pay mobile app, he walked out with 146 cartons of cartridges.
This pattern was repeated throughout the day across the country, with people buying e-cigarettes and cartridges in bulk with the hacked app in an effort apparently coordinated by a criminal gang.
The thefts happened so quickly that legitimate app users had little time to react. A 58-year-old resident of Shizuoka Prefecture was stunned to see 190,000 yen worth of charges on his 7pay account in less than 40 minutes. The charges were made at two 7-Eleven stores in Tokyo, about 130 km away.
The evening before the e-cigarette caper, Seven & i Holdings started receiving complaints from users about unauthorized transactions on their 7pay apps. The company discovered that there were numerous attempts at accessing accounts from overseas locations, mainly from China.
The 7pay app does not have two-step authentication to verify identities, which allowed the gang to easily carry out the thefts.
Japan's Financial Services Agency has ordered the company to submit documents detailing how the unauthorized access occurred, and what the company is doing to prevent similar occurrences from happening again. The regulator also plans to investigate whether there are problems in the company's internal security systems.
Unauthorized access to other people's computer accounts violates Japanese law, but overseas internet providers are often reluctant to provide users' identities to investigators. Tracking anonymous users would be even more difficult.
The Japan-China Mutual Legal Assistance Treaty allows Japanese investigators to do reference checks on users of China's popular messaging app, WeChat, which is often used in crimes. But records can be deleted from overseas servers before Japanese investigators complete the laborious and time-consuming task of coordinating efforts with Chinese authorities to identify perpetrators.
Two Chinese nationals being held by the Tokyo Metropolitan Police Department on suspicion of participating in the thefts have denied meeting the gang's leader. "Criminal groups make sure their leaders are shielded from investigation," said a person familiar with the case. A third person, a Chinese university student studying in Japan, was arrested on Friday.
Chinese gangs have used various methods to hack Japanese accounts of Apple Pay and T Card, which can be used as a loyalty card and credit card.
"Police should thoroughly investigate the reason why 7pay has been hacked to prevent this from happening in the future," said Masanori Kusunoki, a visiting research fellow at the International University of Japan.