Security & Fraud

What QSRs Can Learn From The 7-Eleven Japan Hack

Why Innovation Needs Better Fraud Defenses

It’s pretty much a given these days that – more or less – a business is nothing without a robust mobile experience when it comes to commerce, payments and customer experience. That ideal applies to sellers of products and services alike, and helps to fuel and guide so much innovation going into 2020.

But all that work – every single touchpoint on that digital and mobile journey – provides ample opportunity for criminals to exploit any error or opening and make gains via fraud. That is what recently happened in Japan for customers of 7-Eleven convenience stores – and that’s what served as the foundation for a new PYMNTS interview featuring Karen Webster and Rich Stuppy, chief customer experience officer at Kount.

Fresh Risks

“What happened is super common,” he told Webster, underscoring the fresh risks that convenience stores, QSRs and other retail sectors face as they race to develop and deploy digital and mobile-centric innovations. In some respects, those efforts serve almost as business or operational reinventions, but what’s often lost in that work is a full understanding of all the openings that innovation can give to fraudsters. Indeed, Stuppy went so far as to call fraudsters the first adopters of retail innovation, a view that can seem a bit dramatic at first, but which takes on the feel of accuracy and wisdom when you dig into the details.

The recent fraud at 7-Eleven illustrates Stuppy’s important point.

According to reports and the account Stuppy gave Webster, the fraud stemmed from the chain’s push to make its customer experience more mobile. Specifically, it involved the July launch of a smartphone payment service called 7pay at some 20,000 stores in Japan. Fraudsters with knowledge of or access to customers’ dates of birth, phone numbers and email addresses could hack legitimate accounts via the service. Even if customers decline to hand over their birthdates to the chain, fraudsters could find a way around that, as such a loophole was apparently not properly defended by the people who built the service.

“It was a flaw related to their password reset process,” Stuppy said. “The bad guys could send password reset requests to other email addresses.”

That, in turn, allowed criminals to make fraudulent purchases – per one report, total losses amounted to $510,000. According to Stuppy, gift cards stand as a common, lucrative and easy-to-use item that such criminals like to steal.

That amount might not seem like a massive sum when it comes to a giant company like 7-Eleven or even many of its franchise owners. But the losses certainly cause friction and bad feelings among customers and negative headlines for the chain, which combine to erode trust and perhaps even slow down motivation for retail innovation.

Larger Lessons

This specific instance of fraud speaks to a larger issue when it comes to digital and mobile innovation in the world of retail – especially those parts of the retail world that have traditionally been brick-and-mortar operations, such as convenience stores. In short, this instance of fraud shows that many of those retail operations are not as proactive when it comes to dealing with the risks of innovation.

As Stuppy told it, when it comes to creating those apps and digital and mobile services, the focus is usually – and understandably – on the customer experience features, and how to make shopping, transactions, loyalty and rewards evermore seamless. As well, such work is often outsourced to another company or run through the marketing department – areas where fraud prevention, for various reasons, is not always top of mind. As these brick-and-mortar-minded operations race toward their digital futures, security often gets a lower priority.

“They are checking some boxes but missing others,” Stuppy said about that general process. Not only that, but brick-and-mortar retailers are often working from a relatively disadvantaged position. That is because retailers born in the eCommerce age have been thinking of digital fraud for some 20 years at this point. “These brick-and-mortar folks are trying to do in weeks what it took two decades to learn (for eCommerce operators),” he told Webster.

But the best criminals tend to stay ahead of the game, no matter the retail venue. That’s why Stuppy views them as the first adopters of all those mobile and digital innovation efforts – efforts that have become especially energetic among QSRs and convenience stores, who are trying to quickly catch up to consumers’ changing demands. But innovation is not the only focus such retailers need. “More talk about fraud is needed,” Stuppy said.

That, perhaps, is the main lesson of the recent 7-Eleven fraud attack. It’s not enough to just go down the mobile and digital to-do list. Every step should spark discussions about fraud. After all, that’s how the criminals think. As Stuppy told Webster, even a single, relatively tiny touchpoint along the customer journey can provide ample opportunity for fraudsters.



The How We Shop Report, a PYMNTS collaboration with PayPal, aims to understand how consumers of all ages and incomes are shifting to shopping and paying online in the midst of the COVID-19 pandemic. Our research builds on a series of studies conducted since March, surveying more than 16,000 consumers on how their shopping habits and payments preferences are changing as the crisis continues. This report focuses on our latest survey of 2,163 respondents and examines how their increased appetite for online commerce and digital touchless methods, such as QR codes, contactless cards and digital wallets, is poised to shape the post-pandemic economy.