The Wayne ([personal profile] thewayne) wrote2019-07-07 11:37 am

7-11 in Japan launched an app on July 1; by Thursday $500,000 had been stolen from customers

The article doesn't explain whether the app was developed by internal 7-11 IT or they hired an app maker to do it (I'm guessing internal development), but it contained an extremely bad flaw. Here's an excerpt from the article explaining it.

"...in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people's accounts, but have the password reset link sent to their email address, instead of the legitimate account owner.

A hacker only needed to know a 7pay user's email address, date of birth, and phone number. An additional field in the password reset section allowed the hacker to request that the password reset link be sent to a third-party email address (under the hacker's control), with no need to dig through the app's code or tamper with HTTP requests, like most of these hacks involve.

Furthermore, if the user didn't enter their date of birth, the app would use a default of January 1, 2019, making some attacks even easier..."
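To make the two design mistakes in that excerpt concrete, here is an added example (my own illustration, not 7pay's or 7-Eleven's code; every account, phone number and address in it is constructed). The first handler mirrors the reported design: a blank date of birth silently becomes 2019-01-01 on both sides of the comparison, and the caller may name the mailbox that receives the reset link. The second handler is the shape a reviewer would expect instead: the link only ever goes to the address on record, a missing date of birth never matches a default, the token is stored only as a hash with a short expiry and single use, and the endpoint answers identically whether or not the account exists.

```python
"""Flawed vs. hardened password reset, as described in the 7pay write-up.
Added example with constructed data; not the app's actual code."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

DEFAULT_DOB = "2019-01-01"  # the reported fallback value


@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[str]  # "YYYY-MM-DD", or None when the user never supplied one


# Constructed sample accounts (not real customer data). bob never entered a DOB.
ACCOUNTS: Dict[str, Account] = {
    "alice@example.com": Account("alice@example.com", "090-1111-2222", "1990-05-17"),
    "bob@example.com": Account("bob@example.com", "090-3333-4444", None),
}

# Stand-in for the outbound mail queue: (destination, token) pairs.
OUTBOX: List[Tuple[str, str]] = []


def flawed_reset(email: str, phone: str, dob: Optional[str],
                 send_to: Optional[str] = None) -> bool:
    """The reported design. Two defects: the DOB check degrades to a known
    constant when either side is blank, and 'send_to' lets the requester
    redirect the link away from the account owner. It also leaks whether
    the account exists through its return value."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.phone != phone:
        return False
    if (acct.dob or DEFAULT_DOB) != (dob or DEFAULT_DOB):
        return False
    token = secrets.token_urlsafe(32)
    OUTBOX.append((send_to or acct.email, token))  # requester-chosen destination
    return True


# token_hash -> (account email, expiry). Only the hash is kept, so a leaked
# table does not hand out usable reset links.
PENDING: Dict[str, Tuple[str, datetime]] = {}
TOKEN_TTL = timedelta(minutes=15)


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def hardened_reset(email: str, phone: str, dob: Optional[str]) -> None:
    """Hardened flow: no destination parameter exists, a missing DOB on
    either side is a mismatch rather than a default, and the caller gets
    the same empty response whether or not the account exists."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.phone != phone:
        return
    if acct.dob is None or dob is None or acct.dob != dob:
        return
    token = secrets.token_urlsafe(32)
    PENDING[_token_hash(token)] = (acct.email, datetime.now(timezone.utc) + TOKEN_TTL)
    OUTBOX.append((acct.email, token))  # only ever the address on record


def redeem(token: str) -> Optional[str]:
    """Consume a reset token exactly once. Returns the account email it was
    issued for, or None when the token is unknown, already used or expired."""
    entry = PENDING.pop(_token_hash(token), None)
    if entry is None or datetime.now(timezone.utc) > entry[1]:
        return None
    return entry[0]


if __name__ == "__main__":
    # Constructed walk-through: the flawed handler mails bob's link wherever
    # the requester asks, using only his email, phone and the known default.
    flawed_reset("bob@example.com", "090-3333-4444", None, send_to="third-party@example.net")
    print("flawed handler delivered to:", OUTBOX[-1][0])
    hardened_reset("bob@example.com", "090-3333-4444", None)
    print("hardened handler sent nothing further:", len(OUTBOX) == 1)
```

The point of the hardened version is less the extra checks than the removal of a capability: once the only thing the endpoint can do is mail the registered address, knowing someone's email, phone and birthday buys an attacker nothing but an unsolicited reset email in the victim's inbox, which is itself a useful detection signal.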

Wow. Obviously it's not hard to get ahold of this information if you know where to look, and organized hackers know where to find this information. I wonder, though, how they identified "This person has the app, that person doesn't". Maybe they had sniffers on the store networks looking for identifying information (I wouldn't count on good encryption in the app if they were this stupid about the reset) and then launched the attack against customers.

I'm guessing 7-11 didn't have a tiger team test the app for vulnerabilities. There is some good news: 7-11 is going to pay back all the lost funds, so people won't be out money. Complaints started rolling in the day the app launched, and 7-11 shut the app down on the 3rd. In another article, some fraudulent transactions were traced to China, but it's hard to say if they were the source of the overall fraud. Two Chinese nationals were arrested trying to purchase smokes with someone else's account; it's unknown whether they were connected with the fraud.

Myself, I have credit card info encoded in two apps: Amazon and Apple, both of which I think are trustworthy. Otherwise all shopping is done through my web browser, PayPal, or face-to-face. Amazon was entered on their website through a browser and not directly in their app: you sign in to the app, and now it's tied to my fingerprint. Slightly more complicated, and I believe there are more layers of encryption in Apple Pay. So I'm (hopefully justifiably?) more confident that my accounts can't be compromised. Regardless, there ain't much money in my account!

https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/
