TOKYO -- Seven-Eleven Japan thought using two-factor authentication for its just-released mobile payment feature would be too much of a hassle for users, a gamble that quickly cost the company consumer trust.
In the days after the convenience store chain rolled out 7pay on July 1, hackers made off with over 38 million yen ($350,000) from unsuspecting accounts. Now the parent company Seven & i Holdings will shut down the service in its entirety at the end of September.
Part of the service's draw was its simplicity. All users had to do was to enter usernames and passwords to access their accounts, a mostly outdated scheme that cyberthieves wasted little time exploiting. The hackers apparently breached 7pay accounts by using lists of usernames and passwords leaked from a website or illegally obtained online.
"Two-factor authentication was not fully considered, which weakened defenses against a list-type attack," Seven & i Vice President Katsuhiro Goto told reporters on Aug. 1.
Goto was referring to a fairly common technique adopted by banks and other online providers that involves unique passcodes sent to trusted devices -- as well as restrictions against logging in from multiple devices.
7pay was designed as an added function within Seven-Eleven's official app. The cashless service also served as a vehicle for sales promotions. In that context, a less cumbersome user experience was given higher priority than security.
Given its history, Seven & i should have shown more awareness of the importance of digital security. The group established what is now Seven Bank in 2001, which installed its own ATMs that same year. In 2007, the retailer was the first in the domestic industry to launch an e-money service, nanaco.
Seven-Eleven was late to the smartphone payment game, however. The company did not feel much pressure from rivals: it earned an operating profit of 245 billion yen in the last fiscal year ended February, far outstripping the unconsolidated profit of 45.7 billion yen at Lawson and the 44.2 billion yen made by FamilyMart.
Despite its dominance, same-store traffic at Seven-Eleven outlets was underperforming. As a promotional vehicle, 7pay was anticipated to be the cornerstone for analyzing customer data.
7pay would have had access to a wealth of data. The official Seven-Eleven app has more than 12 million downloads, with the 7pay service attracting 1.5 million registered users in the first three days after its launch.
The growth strategy failed in a high-profile manner, but Seven & i indicated that it will take another stab at the sector. "There is no change to making digital a pillar of growth," Goto said. "We may have scrapped 7pay, but this field still has potential."
For Seven & i to achieve success, the company faces the daunting task of winning back trust from consumers.
"I was thankful that I was able to shop without a wallet, but they were really sloppy," said a 41-year-old company worker in Nagoya. "A shutdown was inevitable."
7pay's failure risks throwing cold water on the spread of smartphone payments in Japan. There are cases where financial groups have offered services that sacrificed ease of use for security. "When the problem of unauthorized use persists, it impacts those of us that do business steadfastly," said a source close to the smartphone payment industry.
Other companies are learning from the episode. When Makoto Takahashi, president of mobile carrier KDDI, was asked about his company's au Pay digital wallet, he struck a cautious tone.
"This relates to us, too," Takahashi said. "There are many people who are looking for holes in security. We intend to fully maintain security."