One of the scarier things about this is that 7-Eleven isn't a convenience store here -- it's a retail chain owned by 7&i Holdings and closely associated with Seven Bank.<p>They also provide various things like health, car, and automobile insurance.<p>So you'd really expect a conglomerate of this size to have financial things down.
According to Katsunori Shigeta [1], 7-Eleven belatedly removed the target email address... using CSS (`display:none`). The summoned official had also said that they have no knowledge of multi-factor authentication [2].<p>[1] <a href="https://twitter.com/shigezo/status/1146700322460463104" rel="nofollow">https://twitter.com/shigezo/status/1146700322460463104</a><p>[2] <a href="https://twitter.com/shigezo/status/1146944325684621312" rel="nofollow">https://twitter.com/shigezo/status/1146944325684621312</a> (the initial tweet had an error on this)
The BBC references a ZDNet story, but never links to it. Here it is: <a href="https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/" rel="nofollow">https://www.zdnet.com/article/7-eleven-japanese-customers-lo...</a><p>There have also been two arrests made, per ZDNet. Source: <a href="https://www.sankei.com/affairs/news/190704/afr1907040036-n1.html" rel="nofollow">https://www.sankei.com/affairs/news/190704/afr1907040036-n1....</a>
Well, this happens frequently when every _website_ wants to push its "app" on customers. But their actual "apps" are outsourced to some cheap MSP somewhere. That explains the lack of security effort.
>The 7pay mobile app was designed to show a barcode on the phone's screen when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the bought goods are charged to the user's 7pay app and the customer's credit or debit cards that have been saved in the account.<p>Why is this app even needed? Is EMV contactless not a thing in Japan? Did 7/11 want to join the mobile pay bandwagon?