
posted by Fnord666 on Friday July 12 2019, @02:18PM
from the stick-to-slurpees dept.

Submitted via IRC for AnonymousLuser

7-Eleven's Bad App Design Let Criminals Steal More Than $500,000

Privacy and Security

Hundreds of 7-Eleven customers who downloaded a new mobile payment app in Japan were robbed of hundreds of thousands of dollars due to some staggeringly idiotic security lapses in the app.

Yahoo Japan reports that 7-Eleven Japan released the 7pay app on July 1, and within a day customers started complaining about suspicious charges to their linked payment cards. On July 3, the company confirmed accounts could be accessed by third parties and announced it would stop charging credit and debit cards through the app.

According to the Yahoo report, hackers simply needed to input a customer's birthdate, phone number, and email address to request a password reset link. But it seems that a hacker could even request that the reset link be sent to whatever email address they wanted. It also seems that if a customer hadn't entered a birthdate, then the app would default to January 1, 2019, which would make it even easier for a fraudster to gain access.

Also at:
https://techbeacon.com/security/7-elevens-7pay-app-hacked-day-due-appalling-security-lapse
https://www.engadget.com/2019/07/06/7-eleven-japan-app-security-loss/


Original Submission
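As an added illustration (this is not code from the story, from Yahoo Japan, or from 7-Eleven), the sketch below puts the reset logic the report describes next to a hardened version: the reset link goes only to the address on file, the response does not reveal whether an account exists, and the token is stored hashed, expires, and is single-use. The account data, the `outbox` list standing in for a mailer and the `pending` dict standing in for a database are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample account store; none of this is real 7pay data.
@dataclass
class User:
    email: str
    phone: str
    birthdate: Optional[str]  # None when the customer never entered one

USERS = {"alice@example.com": User("alice@example.com", "090-0000-0001", None)}
DEFAULT_BIRTHDATE = "2019-01-01"  # fallback the report describes for a missing birthdate
TOKEN_TTL = 15 * 60               # hardened flow: link lifetime in seconds (assumed value)

def vulnerable_reset(email, phone, birthdate, send_to):
    """Reproduces the reported logic: public facts are the only check, and the
    link is mailed to whatever address the requester supplies."""
    user = USERS.get(email)
    if user is None or user.phone != phone:
        return None
    if (user.birthdate or DEFAULT_BIRTHDATE) != birthdate:
        return None
    return (send_to, secrets.token_urlsafe(32))  # attacker picks the destination

def request_reset(email, requested_destination, outbox, pending, now=None):
    """Hardened: ignore the requested destination, hash the token at rest,
    and answer identically whether or not the account exists."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        pending[user.email] = (digest, now + TOKEN_TTL)
        outbox.append((user.email, token))  # never requested_destination
    return "If that address has an account, a reset link has been sent."

def consume_reset(email, token, pending, now=None):
    """Accept a token once, only before expiry, compared in constant time."""
    now = time.time() if now is None else now
    entry = pending.get(email)
    if entry is None:
        return False
    digest, expires = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    ok = now <= expires and hmac.compare_digest(digest, presented)
    if ok or now > expires:
        pending.pop(email, None)  # single use; expired entries are dropped too
    return ok
```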

  • (Score: 2) by bzipitidoo on Friday July 12 2019, @03:23PM (4 children)

    by bzipitidoo (4388) on Friday July 12 2019, @03:23PM (#866263) Journal

    Birth dates, phone numbers, mother's maiden name, SSN, and my favorite, the username, are not secrets! Some of those can be a little obscure. But they are not secret. Most everyone has relatives and family friends who know their mother's maiden name. Everyone who attended your parents' wedding could know that. And any number of random officials might know a person's SSN, driver's license number, and other such numbers. Businesses should stop trying to make them into secrets.

    Did 7-Eleven even hire an IT security pro? One who wasn't a total fraud? If they did, the pro was surely smarter than that, and was being overruled by idiot management, and I hope quit in protest.

  • (Score: 3, Insightful) by Booga1 on Friday July 12 2019, @03:28PM

    by Booga1 (6333) on Friday July 12 2019, @03:28PM (#866267)

    There have been enough data breaches now that none of that should ever be used again.

  • (Score: 4, Insightful) by SomeGuy on Friday July 12 2019, @03:48PM (1 child)

    by SomeGuy (5632) on Friday July 12 2019, @03:48PM (#866275)

    Thank you for creating a new account with us!

    The password we made you select is: TGu%^ATy7=mB\psTD*MF@sWZT8{gj`rWu[4Ntw%6^wrA4g'J>%)'P#\?NSg(BaHua9r"2_@),__4)vP9{*Xn7X*SE
    (meets their MINIMUM requirements)

    Your password recovery questions are:
      First pet's name: spot (it's all over your farcebook page)
      Your favorite color: blue (who would have guessed?)
      The name of the school you graduated from: Git High (Public record)

    And we will send recovery links unencrypted to whoever intercepts your e-mail! Or we may even allow sending to any e-mail address just in case you changed your address! How nice of us!

    • (Score: 2) by maxwell demon on Saturday July 13 2019, @01:16PM

      by maxwell demon (1608) on Saturday July 13 2019, @01:16PM (#866596) Journal

      Your favourite colour: Blue. No yel-- Auuuuuuuugh!

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by Sourcery42 on Friday July 12 2019, @04:34PM

    by Sourcery42 (6400) on Friday July 12 2019, @04:34PM (#866299)

    l33t skillz. You just reminded me of high school typing. Half the room was electric typewriters, but the other half were old (even for the time) PC clones. They were on a network, however. Student logins left you trapped in a rudimentary word processor. The young teacher had been a babysitter of mine in the days of her youth. Usernames were uniform and easily guessed, and wouldn't you know it, her password was her maiden name. Login as a teacher and you got an ncurses like interface to the school network. I couldn't even pull up other people's grades, let alone change them or anything like that that might have got me promoted to god status and in serious trouble like that. I could access accounts and look at their schedules, iirc. That was about the extent of it; from my probing of the network I got the impression that was about all that was really done electronically back then. It was still a little thrill for 15 year old me.