7-Eleven learned the hard way why it is critical to thoroughly test cyber security software applications before these are launched. The company introduced a new mobile payment feature on its 7Pay app in Japan on 1 July 2019 that enabled users to scan the barcode and charge the credit card details stored in the app. However, design flaws in the app allowed hackers to obtain reset password details on another email ID if they knew the customer’s date of birth, email and phone number. Information like these are often accessible on social media accounts. Furthermore, the app had a default reset on the date of birth to 1 January 2019 if this section was not filled. This made it easy for hackers to break into an account.

7-Eleven shut down the payment feature on its app after several customers complained by 4 July. But by then, 900 consumer accounts were already reported to have been hacked, resulting in a scam of around $509,000 (JPY 55 million).

“This was a business logic flaw. The password reset email could be sent to any email, rather than the email address of the account holder. It is possible to test for business logic flaws as part of a point in time ‘pen test’ or a continuous assessment like a ‘bug bounty program’,” said Laurie Mercer, a security FGP engineer at HackerOne, a cybersecurity company.

Mercer also pointed that “recent experience shows that when incentivised with a modest bounty - hackers can find loopholes like this within four minutes”.

The organization failed to meet the basic two-factor authentication and the device linkage logic. It is therefore surprising that this flaw was not diagnosed before the application was launched.

Proper penetration testing by security experts should have revealed this issue. “While penetration tests on their own are not enough for building secure applications, they are essential for ensuring that trivially, exploitable flaws like this are discovered before l...

Categories:

Keywords:Hacking, Digital Payment, Cashless Payment