TOKYO -- Japanese mobile carrier NTT Docomo said Wednesday it has halted new registrations for its mobile payment service in response to a string of fraudulent bank withdrawals tied to the platform nationwide.
Docomo lets users shop online and transfer money through its payment system, which is connected to a bank account. But the service has been used to take money illicitly from accounts at 10 or more financial institutions, including 77 Bank and Chugoku Bank.
The service is tied to accounts at 35 banks across Japan.
Experts think some individuals signed up for the payment service using stolen bank account information, and they have criticized Docomo's identity verification requirements as lax.
"The problem was that people could take money straight out of bank accounts using the Docomo accounts, which could be created anonymously," said Takayuki Sugiura, director of the Japan Hackers Association.
Though the exact nature of the fraud has not been revealed, experts suspect a so-called reverse brute force method is involved, in which hackers try to break into bank accounts by testing a single personal identification number against many different usernames.
"At just four digits, bank PINs are extremely vulnerable," said Hiromitsu Takagi of the Japan Institute of Law and Information Systems. "It is possible for hackers to obtain PINs for a large number of people if they keep at it for more than six months."
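How a defender can spot the reverse brute force pattern described above, as an added example that is not code from Docomo, the banks or the experts quoted: each account sees at most one failed PIN, so a per-account lockout counter never fires, and the check counts distinct accounts attempted per source instead. The log format, thresholds and all sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source, account, outcome.
# Every value below is invented for illustration.
SAMPLE_LOG = """\
2020-09-01T10:00:00 src-A acct-1001 FAIL
2020-09-01T10:00:05 src-A acct-1002 FAIL
2020-09-01T10:00:09 src-A acct-1003 FAIL
2020-09-01T10:00:14 src-A acct-1004 OK
2020-09-01T10:00:20 src-A acct-1005 FAIL
2020-09-01T10:01:00 src-B acct-2001 FAIL
2020-09-01T10:01:30 src-B acct-2001 FAIL
2020-09-01T10:02:00 src-B acct-2001 FAIL
"""

LOCKOUT_THRESHOLD = 3            # assumed per-account failure limit
SPRAY_ACCOUNTS = 4               # assumed distinct-account limit per source
WINDOW = timedelta(minutes=10)   # assumed sliding window

def parse(log):
    for line in log.splitlines():
        ts, src, acct, outcome = line.split()
        yield datetime.fromisoformat(ts), src, acct, outcome

def locked_accounts(events):
    """Classic control: accounts that reach the per-account failure limit."""
    fails = defaultdict(int)
    for _, _, acct, outcome in events:
        if outcome == "FAIL":
            fails[acct] += 1
    return {a for a, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def spray_sources(events):
    """Sources that attempt many distinct accounts inside one window."""
    by_src = defaultdict(list)
    for ts, src, acct, _ in events:
        by_src[src].append((ts, acct))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > WINDOW:
                start += 1
            accts = {a for _, a in attempts[start:end + 1]}
            if len(accts) >= SPRAY_ACCOUNTS:
                flagged[src] = max(flagged.get(src, 0), len(accts))
    return flagged
EVENTS = list(parse(SAMPLE_LOG))
```

On the sample data the lockout check flags only the account hit repeatedly from `src-B`, while the distinct-account check flags `src-A`, which touched five accounts once each.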
Docomo will reopen its payment service to new registrations after introducing stricter verification procedures, such as requiring a mobile number and a copy of a driver's license or similar document. Existing users will be permitted to continue using the service through this hiatus.