Highly inadequate security measures taken for 7pay smartphone payments

The Yomiuri Shimbun

This is a situation that may damage public trust in swiftly spreading cashless settlements. The operator of the smartphone payment service must adopt fool-proof security measures, thereby striving to prevent illicit acts.

The 7pay smartphone payment service, which Seven-Eleven Japan Co. launched on July 1, became a target of unauthorized access. About 900 7pay users are believed to have suffered damage totaling ¥55 million.

Seven-Eleven Japan has been forced to suspend such transactions as users depositing money for payment and potential users newly registering for the service, both of which are needed to use 7pay. The number of people registered totals 1.5 million, so the impact of the latest case is significant.

The 7pay service allows users to make purchases without cash, by just presenting their smartphone in the store. The IDs and passwords of registered users were used illicitly, and goods were purchased in their name by fraudulent users.

Two Chinese men were arrested on suspicion of attempted fraud, and the Metropolitan Police Department believes it is highly likely that a cybercrime organization in China was involved with the fraud. Investigative authorities are urged to expedite their efforts to get a full picture of the case.

Not to be overlooked are the shoddy security measures taken by Seven Pay Co., the service operator.

The operator had not adopted two-step authentication, in which a user’s ID is confirmed by entering an authentication code sent via a short message, so as to fend off impersonators. Two-step authentication is a basic security measure for a smartphone payment service. The operator decided to adopt it only after the fraud occurred, but its understanding of the security necessary for such a service is too sloppy.

Users must be wary

The state of the service was such that even a third party, other than the registered user, was able to change a password. Although 7pay is primarily aimed at residents of Japan, the operator had not shut down access from foreign countries.

The steps taken after the unauthorized access came to light were also implemented too late. Two days after the operator learned of the damage, it embarked on fully suspending the depositing of money into user accounts. The delay in responding may have allowed the damage to spread further. The service operator should investigate this.

Cashless settlements have such merits as saving the time, effort and cost of managing cash, while helping to mitigate labor shortages on the part of the operators of stores. Through smartphone payment services, store operators can analyze the purchase data of customers, and also utilize the data to improve their product lineup, for instance. Therefore, companies that operate stores are vying with one another to adopt such systems.

The percentage of cash settlements in Japan is higher than in other countries. The government has set a target of raising the percentage of cashless settlements from about 20 percent at present to 40 percent by 2025.

However, it also came to light last December that PayPay, a smartphone payment service operated jointly by SoftBank Corp. and Yahoo Japan Corp., was accessed illegally.

Each and every service operator needs to reexamine whether there are any defects in its security measures.

Service users are also required to take measures to protect themselves. Avoid repeatedly using the same password; constantly check notices and records of service use; and set up spending limits. It is vital to thoroughly implement these measures.

(From The Yomiuri Shimbun, July 9, 2019)