7-11 Japan Shutters Its Cashless App After Only Four Days

What was supposed to be a huge boon for the struggling convenience store chain became a software engineer's worst nightmare. Learn what went wrong, and how badly customers have suffered from it.

Those of you who follow Unseen Japan regularly know that I have a huge interest in cashless payments. As we’ve discussed previously, Japan has, up until now, been a predominantly cash-centric society. This has not only hobbled the country’s economic progress – it’s made Japan less friendly for foreigners, who increasingly expect that they can go anywhere in the world and never touch an ATM.

However, this started changing last year, when the push for cashless in Japan started taking off like a rocket. A host of services – such as LINE Pay and PayPay – have managed to grab customers’ interest through special one-time promotions. Even the administration of Prime Minister Shinzo Abe has jumped on the bandwagon, vowing to increase the country’s use of cashless technologies from its current paltry 19.8% rate to 25% in the next few years.

Given the cashless fervor, it’s natural that the country’s largest convenience store chain would want in on the action. And 7 & i Holdings, the corporate entity that manages the 7-11 franchise chain in Japan, needed a big PR win. The company has drawn heat this year for its treatment of an elderly, widowed franchisee whom it sued when he tried to limit his store’s hours. The company changed its policy after a management turnover, but the damage to its reputation lingers.

So I assume expectations were high within 7 & i when it launched 7pay, its new cashless payment service built into its smartphone app. Had all gone well, the company could have increased customer confidence and inspired increased loyalty.

But all did not go well. In fact, the launch of 7pay may go down in the annals of software engineering as a prime example of how not to ship software.

A day or two after 7pay launched, reports started to trickle in from users saying that their account balances were being spent at 7-11 locations they’d never visited. The trickle grew into a flood over the course of several days. By the fourth day, the problem was so monumental that 7 & i suspended new registrations, while still allowing existing users to spend their balances. Shortly thereafter, the company suspended the app completely.

It seems that, in a rush to get 7pay out the door, 7 & i released it with one or more severe security flaws. The flaws allowed criminals (reportedly based in China) to access other users’ accounts with impunity. As of this writing, over 1,500 people have had their accounts infiltrated, for a total economic loss of USD $324,000 – and those numbers are expected to increase.


Rush to Market == Security Flaws

So what happened? The problem isn’t one of user ignorance. Writing for ITMedia, author Suzuki Junya notes that even one of his friends, a cashless payments expert, had his account hacked despite taking all recommended security precautions. Analyzing the evidence, it appears the issue may stem from security failures at multiple levels of 7pay’s system.

A clue to the issue, writes Suzuki, lies in the company’s recent announcement that it’s blocking the ability to link external accounts, such as Twitter and Facebook, with its mobile app. This indicates a problem with how the app has implemented a technology called OAuth. OAuth is a ubiquitous standard that, when implemented well, lets an application act on a user’s behalf with a third-party service without ever seeing the user’s password for that service. Giving permission to an app like Instagram to cross-post to Twitter, or using Facebook as your login for a different service, are examples of OAuth technology in action.

When implemented properly, OAuth only allows third-party connectivity after the user has fully authenticated to the third-party site, and the connecting app only trusts a credential it obtains from that site and can verify. In other words, you can’t connect a photo album app to a Facebook account without first logging in through Facebook itself; the app must never treat a Facebook or Twitter user ID supplied by the client as proof of identity, since those IDs are public. In 7pay’s case, however, it appears that merely knowing a user’s Facebook or Twitter ID allowed hackers to access that person’s 7pay account.
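To make the distinction concrete, here is an added example in Python, written for this article and not code from 7pay or from Suzuki’s piece (how 7pay actually implemented its login was not published in the sources above, so this shows the class of flaw described rather than the real bug). It puts a "social login" handler that trusts a client-supplied provider user ID next to a hardened one that trusts only a token it can verify came from the provider. The provider, its signing key, the client ID and the user database are all constructed inline so the script runs offline; a real provider would sign its ID tokens with a public/private key pair, and the HMAC here is a stand-in for that.

```python
"""Added example: vulnerable vs. hardened social-login account lookup.
Not 7pay's code; all names, keys and users below are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: the relying party's users, each linked to an
# identity at a third-party provider ("twitter" is a stand-in name).
USERS = {
    "alice": {"linked": {"twitter": "12345"}, "balance": 5000},
    "bob": {"linked": {"twitter": "67890"}, "balance": 300},
}

# Hypothetical shared secret between provider and relying party (HMAC is
# used only to keep this self-contained; real ID tokens use RS256/ES256).
PROVIDER_SECRET = b"constructed-demo-secret"
CLIENT_ID = "7pay-demo-app"          # hypothetical client id at the provider
TRUSTED_ISSUERS = {"twitter"}        # providers we accept identities from


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def provider_issue_token(subject: str, audience: str, ttl: int = 300) -> str:
    """What the provider returns only after the user really logged in there."""
    claims = {"iss": "twitter", "sub": subject, "aud": audience,
              "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


# --- Vulnerable: the relying party trusts whatever identifier the client sends.
def login_vulnerable(provider: str, provider_user_id: str):
    """Anyone who knows a victim's public provider ID gets the victim's account."""
    for username, rec in USERS.items():
        if rec["linked"].get(provider) == provider_user_id:
            return username
    return None


# --- Hardened: identity comes only from a token the relying party verified.
def verify_token(token: str, audience: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry before trusting any claim."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(PROVIDER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this app")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def login_hardened(token: str):
    """Look up the account by the verified (issuer, subject) pair only."""
    claims = verify_token(token, CLIENT_ID)
    for username, rec in USERS.items():
        if rec["linked"].get(claims["iss"]) == claims["sub"]:
            return username
    return None


if __name__ == "__main__":
    # Attacker knows alice's public Twitter ID and nothing else: takeover.
    print(login_vulnerable("twitter", "12345"))
    # Attacker builds a token with alice's ID but cannot sign it: rejected.
    forged = provider_issue_token("12345", CLIENT_ID).rsplit(".", 1)[0] + "." + _b64(b"x" * 32)
    try:
        login_hardened(forged)
    except ValueError as err:
        print("rejected:", err)
    # Alice actually logged in at the provider and received a signed token.
    print(login_hardened(provider_issue_token("12345", CLIENT_ID)))
```

The hardened path also rejects a valid token minted for a different client (audience check) and an expired one; both are common gaps in hand-rolled social-login code, and the audience check in particular is what stops a token obtained by a malicious app from being replayed against a payment app.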

However, Suzuki says, that doesn’t explain how the hackers managed to bypass the charge password, which Suzuki’s friend had enabled, and which is necessary at point of sale. So there has to be at least one other technical issue – if not several – that enabled criminals to use customers’ accounts to pay for purchases.

Concerns Over Mobile Payments Seen in the 7pay Uproar: What Is Needed to Survive?

Unauthorized use of "7pay" surfaced on the third day after the service launched, and on the following day, July 4, executives of the three companies involved held an emergency press conference, but there is still no sign of the problem settling down. On the same day that Seven-Eleven Japan opened 14 stores simultaneously in Okinawa, its first entry into the prefecture and the one that completes its coverage of all 47 prefectures, the company announced that evening, as part of its security measures, that access via external IDs such as Twitter and Facebook would be blocked…

(JP) Link: Concerns Over Mobile Payments in the Wake of the 7pay Brouhaha: What’s Required for Cashless to Survive?

While 7 & i Holdings suggested they’d guarantee defrauded customers a refund, some of the customers’ banks said they haven’t heard anything from the company yet. And the atmosphere inside the company appears to be one of chaos and confusion.

I hate to be cynical, but I imagine we’re going to see the same thing happen here that we saw in the Volkswagen emissions fraud case: a handful of software engineers will be blamed for the problems and fired, and executives will attempt to escape any consequences. In reality, 7 & i should be asking itself why its security and governance controls failed to catch such fatal errors before product launch. My suspicion is that executives at the company, in the wake of the franchise hours blowup, rushed 7pay to market before it was ready.

Whether or not that suspicion proves correct, it’s clear that 7 & i Holdings owes its customers – and the rest of the Japanese public – a clear and honest account of what went wrong. Not only has the company shot itself in the foot with this incident, it’s also jeopardized Japanese consumers’ confidence in cashless payment technology at a critical juncture.


Jay Allen

Jay is a resident of Tokyo where he works as a reporter for Unseen Japan and as a technical writer. A lifelong geek, wordsmith, and language fanatic, he has level N1 certification in the Japanese Language Proficiency Test (JLPT) and is fervently working on his Kanji Kentei Level 2 certification.
