What can we learn from Japan’s 7-Eleven security breach? 

  • By Vince Kadar
  • Wednesday, July 31, 2019

The first angry Tweet appeared on the very day that 7-Eleven Japan launched its new mobile payments app, 7pay. By day two, Twitter was flooded with outrage as hackers glibly exploited the app’s weak security to siphon more than 55 million yen (about $500,000 USD) away from customers. 

The 7pay app, which enabled customers to pay for goods using value stored on their phones, launched in the midst of a national drive towards a digital economy. The Japanese government aims to raise cashless payment levels to 40% of all transactions by 2025, and has even suggested that customers may earn reward points for engaging with cashless systems

The colossal 7-Eleven failure will no doubt damage this momentum. Within two days of the app’s launch, the company was forced to take it offline. They promised compensation for all victims of the fraud

This incident prompts uncomfortable questions. Are all cashless systems as vulnerable as the 7pay app? Could this happen to a Telepin customer? 

The answer is no, and here’s why.  

What sets us apart from 7-Eleven’s stored value app

Thieves were able to take advantage of the 7-Eleven app because, put simply, the app let them do it. The problem came down to its password retrieval protocol, which required nothing more than an email address, a date of birth and a phone number. To make matters worse, those who didn’t specify a date of birth at signup were assigned one: January 1st, 2019. It was as though the developers had locked the front door, but left a window wide open. Thieves could simply climb inside. 

Telepin’s mobile money platform, on the other hand, doesn’t just seal its doors and windows from thieves; it uses sophisticated, best-in-class technology to reduce security risks at every twist and turn. 

To understand how we do this, we must first identify the vast difference between these two platforms. 

The 7-Eleven app is a closed-loop, stored value platform; it allows customers to make cashless purchases from 7-Eleven, just like a Starbucks card allows Starbucks purchases, or a Cineplex card allows customers to buy from Cineplex. You can’t use that stored value elsewhere. It’s for one use only. 

On the other hand, mobile money operators like Valyou in Malaysia or Tigo Tanzania offer near limitless use cases. With our technology under the hood, they give their customers a cashless alternative to banking which they can use to manage every dimension of their lives. This includes things like sending money to family members, paying school fees, settling a medical bill, buying lunch, compensating an employeeyou name it. Mobile money platforms are far more sophisticated and wide-reaching than anything attempted by a standalone retailer like 7-Eleven. 

Which is why we have equally sophisticated and far-reaching security systems. 

How Telepin protects its customers

Traditionally, mobile transaction platforms rely on a communications protocol called USSD (Unstructured Supplementary Service Data). This protocol takes advantage of the wireless network’s central nervous system, using the call-setup and tear-down features that are provided by all networks around the globe. This gives users consistent access to both their money and their information, no matter what. In the remote or rural areas where many unbanked customers live, this connectivity is an especially important feature of mobile money operations. A USSD protocol means that end users can check their balance, pay a bill, or send money, even without a data connection. 

To make this work, a USSD gateway acts as a translator between the mobile operator network (the back-end) and the mobile money platform (the front-end). Data packages are sent from one end to the other via the USSD. Many platform developers either use an existing USSD for this purpose, or they build one and sell it exclusively to their customers. This can work well, except for one important thing: vulnerabilities appear each time a user’s unencrypted PIN and other secure information passes through the USSD gateway. It’s an opportunity for hackers, and a big one. 

At Telepin, we do things differently. We embed the central nervous system protocol, which allows mobile money platforms and back-end networks to exchange packets of data without an intermediate translator. This improves both the security and the speed of communications. On top of that, all customer data is masked, secured, encrypted and wrapped in several layers of a hardware security blanket, ensuring that both front-end and back-end systems remain secure. 

Think of it like passing a love note in class (“Will you go to the prom with me?”). Your future hangs in the balance! Do you give the note directly to your date-to-be, or trust that kid in the next row to pass it along for you? Removing the middleman means removing the risk of exposing (or losing) sensitive information on its way to its destination. It’s more secure for everyone, and it has helped us to earn one of the industry’s first Mobile Money Certification on behalf of our customer, Tigo Tanzania

That certification, issued by the GSMA (Global System for Mobile Communications), indicates another important aspect of upholding security and reliability for mobile money customers: regulatory participation. 

How regulators impact mobile money security 

In order to earn its GSMA certification, Tigo Tanzania had to demonstrate its reliability and security to independent auditors, who scored them against the industry’s best practices on factors like consumer protectection and crime prevention measures. With Telepin’s secure mobile transaction platform backing them up, Tigo earned a score of 100%. 

This success story highlights a major difference between what happened with the 7-Eleven app and what Telepin is offering its customers. 

To begin with, the platform developed by 7-Eleven likely did not undergo an external audit. It doesn’t appear to have been governed by an industry-standard code of conduct. It likely had few checks and balances to ensure its customers’ protection. 

Mobile money, by contrast, is a tightly regulated industry. From Africa to Latin America to Asia, operators must prove through sophisticated external security audits that its consumers (and their information) are secure. In 2014, the GSMA’s Code of Conduct for Mobile Money Providers emerged, giving the global industry a consistent set of rules and principles to ensure ongoing risk mitigation, security, and fair treatment. The certification program that recognized Telepin’s customer Tigo Tanzania arrived a few years later, taking principles of transparency and resiliency even further.  

Conclusion

As we watch in horror while inexperience and slack rules permit security breaches on the scale of $500,000 worth of Slurpies and lotto tickets, those of us in the mobile money industry can rest assured that innovative technology and sophisticated regulatory principles have converged to create the most secure experience for customers possible.