Tsuyoshi Kobayashi, left, president of Seven Pay Co., and other officials of Seven & i Holdings Co. hold a news conference on July 4 to apologize for the illegal access to the 7pay smartphone payment system. (Kazuhiro Nagashima)

Seven Pay Co. officials defended the security measures for their 7pay smartphone payment system, but experts quickly pointed out holes that could have been exploited by hackers who illegally accessed hundreds of accounts.

The service started on July 1 at Seven-Eleven Japan Co. convenience stores, and by July 4, it was already suspended because users were reporting irregularities with their accounts.

Ken Shimizu, an executive officer with Seven & i Holdings Co., the parent of Seven-Eleven Japan, attended the July 4 news conference where Seven Pay officials apologized for the illegal access.

Shimizu said no security weaknesses were detected in tests before the start of the 7pay service, and that the system’s security had been confirmed.

But when asked why the security measures failed, Shimizu could only say that the matter was under investigation.

Some experts point to the fact that Seven Pay went its own way in confirming the identities of account users.

Normally, people applying for new accounts on their smartphones receive a short message on their phones that includes a password that must be entered to complete the registration process.

The procedure is used to prevent those who do not actually own the smartphone from registering in place of the true owner.

Tsuyoshi Kobayashi, president of Seven Pay, was asked at the news conference if his company used this so-called two-step confirmation method.

He was unfamiliar with the procedure.

Instead, Kobayashi explained that the 7pay system was designed for use after individuals registered with other Seven & i Holdings services.

Potential users must first obtain a Seven-Eleven Japan ID and use it to register with the convenience store chain’s smartphone app before signing up for the 7pay system.

But experts noted a glaring flaw in the way Seven Pay handles registrations of new passwords for users who have forgotten their original ones.

Ordinarily, an e-mail for registering a new password is sent to the same address a user submits when starting the service.

But Seven Pay allows users to register different e-mail addresses to receive messages about setting up new passwords.

Third parties can register their smartphones’ e-mail addresses to receive the message, allowing them to change passwords to their liking without the real owner knowing about it.
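The difference between the reset flow described above and the ordinary one can be shown in a short sketch. This is an added example, not code from Seven Pay or from the article; the account ID, addresses, function names and in-memory stores are all hypothetical and constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: one account and its registered address.
ACCOUNTS = {"user-1001": {"email": "owner@example.com"}}
RESET_TOKENS = {}   # sha256(token) -> (account_id, expiry time)
OUTBOX = []         # (recipient, token) pairs standing in for sent mail
TOKEN_TTL = 900     # token lifetime in seconds (assumed value)

def _issue_token(account_id, now):
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (account_id, now + TOKEN_TTL)  # store only the hash
    return token

def request_reset_weak(account_id, send_to, now=None):
    """Flawed flow: the requester chooses where the reset message goes."""
    now = time.time() if now is None else now
    if account_id not in ACCOUNTS:
        return False
    OUTBOX.append((send_to, _issue_token(account_id, now)))
    return True

def request_reset_hardened(account_id, send_to=None, now=None):
    """Corrected flow: any requester-supplied address is ignored."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(account_id)
    if account is not None:
        # Deliver only to the address registered when the account was created.
        OUTBOX.append((account["email"], _issue_token(account_id, now)))
    return True  # same answer for unknown IDs, so the form confirms nothing

def redeem(token, now=None):
    """Return the account a token unlocks, or None. Single use, expiring."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

With the hardened function, the reset message reaches only the registered owner, who therefore also learns that a reset was requested.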

A 58-year-old man in Shizuoka Prefecture registered with the 7pay system on July 2 and knew that something was wrong the following day.

He had initially deposited only 5,000 yen into the account, but on the morning of July 3, he found that his credit card had been used to deposit 190,000 yen ($1,760) without his knowledge.

All 195,000 yen in the account had been used illegally at a Seven-Eleven Japan Co. outlet in Tokyo.

“There may have been weak points in the system because 7pay was started so quickly,” the man said. “I am partly to blame because I latched on to the prestige of the largest convenience store chain in Japan.”