Technology

Seven-Eleven Japan pay app was easy mark for hackers

7pay opted for convenience over security -- and paid dearly

Hackers who breached Seven-Eleven's mobile payment accounts are suspected of using lists of usernames and passwords leaked from a website or illegally obtained on the internet. © Reuters

TOKYO -- Seven-Eleven Japan thought using two-factor authentication for its just-released mobile payment feature would be too much of a hassle for users, a gamble that quickly cost the company consumer trust.

In the days after the convenience store chain rolled out 7pay on July 1, hackers made off with over 38 million yen ($350,000) from unsuspecting accounts. Now the parent company Seven & i Holdings will shut down the service in its entirety at the end of September.

Part of the service's draw was its simplicity. All users had to do was enter usernames and passwords to access their accounts, a mostly outdated scheme that cyberthieves wasted little time exploiting. The hackers apparently breached 7pay accounts by using lists of usernames and passwords leaked from a website or illegally obtained online.

"Two-factor authentication was not fully considered, which weakened defenses against a list-type attack," Seven & i Vice President Katsuhiro Goto told reporters on Aug. 1.

Goto was referring to a fairly common technique adopted by banks and other online providers that involves unique passcodes sent to trusted devices -- as well as restrictions against logging in from multiple devices.

7pay was designed as an added function within Seven-Eleven's official app. The cashless service also served as a vehicle for sales promotions. In that context, a less cumbersome user experience was given priority over security.

Given its history, Seven & i should have shown more awareness about the importance of digital security. The group established what is now Seven Bank in 2001, which installed its own ATMs that same year. In 2007, the retailer was the first in the domestic industry to launch an e-money service, nanaco.

Seven & i Vice President Katsuhiro Goto, right, acknowledged the security lapses that led to the abrupt decision to scrap 7pay, the recently launched mobile payment service. (Photo by Akira Kodaka)

Seven-Eleven was late to the smartphone payment game, however. The company did not feel much pressure from rivals: it earned an operating profit of 245 billion yen in the last fiscal year ended February, far outstripping the unconsolidated profit of 45.7 billion yen at Lawson and the 44.2 billion yen made by FamilyMart.

Despite its dominance, same-store traffic at Seven-Eleven outlets was underperforming. As a promotional vehicle, 7pay was anticipated to be the cornerstone for analyzing customer data.

7pay would have had access to a wealth of data. The official Seven-Eleven app has more than 12 million downloads, with the 7pay service attracting 1.5 million registered users in the first three days after its launch. 

The growth strategy failed in a high-profile manner, but Seven & i indicated that it will take another stab at the sector. "There is no change to making digital a pillar of growth," Goto said. "We may have scrapped 7pay, but this field still has potential."

For Seven & i to achieve success, the company faces a daunting task of winning back trust from consumers.

"I was thankful that I was able to shop without a wallet, but they were really sloppy," said a 41-year-old company worker in Nagoya. "A shutdown was inevitable."

7pay's failure risks throwing cold water on the spread of smartphone payments in Japan. There are cases where financial groups have offered services that sacrificed ease of use for security. "When the problem of unauthorized use persists, it impacts those of us that do business steadfastly," said a source close to the smartphone payment industry.

Other companies are learning from the episode. When Makoto Takahashi, president of mobile carrier KDDI, was asked about his company's au Pay digital wallet, he struck a cautious tone.

"This relates to us, too," Takahashi said. "There are many people who are looking for holes in security. We intend to fully maintain security."
