
What QSRs Can Learn From The 7-Eleven Japan Hack

Why Innovation Needs Better Fraud Defenses

It’s pretty much a given these days that a business is, more or less, nothing without a robust mobile experience for commerce, payments and customer service. That ideal applies to sellers of products and services alike, and helps to fuel and guide so much innovation going into 2020.

But all that work – every single touchpoint on that digital and mobile journey – provides ample opportunity for criminals to exploit any error or opening and make gains via fraud. That is what recently happened in Japan for customers of 7-Eleven convenience stores – and that’s what served as the foundation for a new PYMNTS interview featuring Karen Webster and Rich Stuppy, chief customer experience officer at Kount.

Fresh Risks

“What happened is super common,” he told Webster, underscoring the fresh risks that convenience stores, QSRs and other retail sectors face as they race to develop and deploy digital and mobile-centric innovations. In some respects, those efforts serve almost as business or operational reinventions, but what’s often lost in that work is a full understanding of all the openings that innovation can give to fraudsters. Indeed, Stuppy went so far as to call fraudsters the first adopters of retail innovation, a view that can seem a bit dramatic at first, but which takes on the feel of accuracy and wisdom when you dig into the details.

The recent fraud at 7-Eleven illustrates Stuppy’s important point.

According to reports and the account Stuppy gave Webster, the fraud stemmed from the chain’s push to make its customer experience more mobile. Specifically, it involved the July launch of a smartphone payment service called 7pay at some 20,000 stores in Japan. Fraudsters with knowledge of or access to customers’ dates of birth, phone numbers and email addresses could take over legitimate accounts via the service. Even if customers declined to hand over their birthdates to the chain, fraudsters could find a way around that, as that loophole was apparently not properly defended by the people who built the service.

“It was a flaw related to their password reset process,” Stuppy said. “The bad guys could send password reset requests to other email addresses.”
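The flaw as described above, modeled next to a corrected flow; this is an added example, not code from 7pay or from the original article. All function names, the `send_to` parameter and the account data are hypothetical and constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample account; every value here is made up for this example.
ACCOUNTS = {"user@example.com": {"dob": "1990-01-01", "phone": "0900000000"}}
RESET_TTL_SECONDS = 900


def issue_token(store, account_email):
    """Create a single-use token; keep only its hash and an expiry time."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[digest] = (account_email, time.time() + RESET_TTL_SECONDS)
    return token


def reset_weak(accounts, store, outbox, email, dob, phone, send_to=None):
    """Flawed model: the requester chooses where the reset link is delivered."""
    acct = accounts.get(email)
    if acct is None or acct["dob"] != dob or acct["phone"] != phone:
        return "no match"
    outbox.append((send_to or email, issue_token(store, email)))
    return "sent"


def reset_hardened(accounts, store, outbox, email, send_to=None):
    """Corrected model: deliver only to the address on file, same reply always."""
    if email in accounts:
        # send_to is accepted here only to show that it is ignored.
        outbox.append((email, issue_token(store, email)))
    return "if the account exists, a reset link was sent"


def redeem(store, token, now=None):
    """Return the account email for a valid, unexpired token, exactly once."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.pop(digest, None)
    now = time.time() if now is None else now
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

The hardened flow treats date of birth and phone number as lookup data rather than proof of identity, so the only thing that unlocks the account is control of the mailbox already on file.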

That, in turn, allowed criminals to make fraudulent purchases – per one report, total losses amounted to $510,000. According to Stuppy, gift cards stand as a common, lucrative and easy-to-use item that such criminals like to steal.

That amount might not seem like a massive sum when it comes to a giant company like 7-Eleven or even many of its franchise owners. But the losses certainly cause friction and bad feelings among customers and negative headlines for the chain, which combine to erode trust and perhaps even slow down motivation for retail innovation.

Larger Lessons

This specific instance of fraud speaks to a larger issue when it comes to digital and mobile innovation in the world of retail – especially those parts of the retail world that have traditionally been brick-and-mortar operations, such as convenience stores. In short, this instance of fraud shows that many of those retail operations are not as proactive when it comes to dealing with the risks of innovation.

As Stuppy told it, when it comes to creating those apps and digital and mobile services, the focus is usually – and understandably – on the customer experience features, and how to make shopping, transactions, loyalty and rewards ever more seamless. Such work is also often outsourced to another company or run through the marketing department – areas where fraud prevention, for various reasons, is not always top of mind. As these brick-and-mortar-minded operations race toward their digital futures, security often gets a lower priority.

“They are checking some boxes but missing others,” Stuppy said about that general process. Not only that, but brick-and-mortar retailers are often working from a relatively disadvantaged position. That is because retailers born in the eCommerce age have been thinking of digital fraud for some 20 years at this point. “These brick-and-mortar folks are trying to do in weeks what it took two decades to learn (for eCommerce operators),” he told Webster.

But the best criminals tend to stay ahead of the game, no matter the retail venue. That’s why Stuppy views them as the first adopters of all those mobile and digital innovation efforts – efforts that have become especially energetic among QSRs and convenience stores, who are trying to quickly catch up to consumers’ changing demands. But innovation is not the only focus such retailers need. “More talk about fraud is needed,” Stuppy said.

That, perhaps, is the main lesson of the recent 7-Eleven fraud attack. It’s not enough to just go down the mobile and digital to-do list. Every step should spark discussions about fraud. After all, that’s how the criminals think. As Stuppy told Webster, even a single, relatively tiny touchpoint along the customer journey can provide ample opportunity for fraudsters.

