The technological literacy of Japan is hard to gauge. On the surface, the country is beguilingly high-tech. The robotics industry is cutting-edge, and smartphone-strapped consumers are notably mobile-savvy. Businesses are also incorporating digital payment solutions to streamline transactions.

Despite these noteworthy developments, this traditional society suffers from just as many antiquated systems. ISP providers, in some cases, take extended periods to install internet connections. Meanwhile, public wi-fi remains surprisingly rare and unreliable. Citizens rely heavily on cash, and retailers rarely accept credit cards. Digital systems, when in place, often suffer from gross security oversights.

Such negligence is ripe for exploitation, and criminals have noticed. From Russian hackers to Chinese crime syndicates, online fraudsters and dark web swindlers are exploiting these shortcomings to devastating effect.

Dashiko

In the early hours of a Sunday morning, 2016, around 100 individuals executed a sophisticated credit attack. Known as dashiko, “children who withdraw,” this organized group of juvenile bandits operated without detection. They hit 1,400 ATMs during a three-hour crime spree.

The thieves used counterfeit cash cards loaded with hijacked credit data. Each dashiko swiped numerous cards at several ATMs, likely fetching 20.8 million JPY ($190,000) per individual. Similar methods have been used by Chinese crime syndicates in attacks throughout Asia.

Law enforcement officials were slow to react, initially failing to recognize the fraudulent behavior. As the scope of the nation-wide attack became apparent, credit card fraud teams quickly found themselves overwhelmed.

Japan may have been an irresistible target. At the time, Japan’s credit and electronic payment systems severely lagged behind other developed nations. Withdrawal limits were high here, and standard preventive measures were lacking. At the time of the attack, ATM cards lacked integrated chips, common in other countries, depending instead on easy-to-reproduce magnetic strips.

Although preventative measures have been taken, it seems Japan is still grappling with credit card security. Despite recent developments, fraudsters were able to use stolen credit card details to fund PayPay accounts. The digital payment system lacked adequate security checks, and thieves managed to defraud the company of millions of yen.

Mt. Gox

In 2006, Jed McCaleb, a young entrepreneur, had an exciting idea: create an exchange where users trade Magic the Gathering cards like stocks. Named Magic the Gathering Online Exchange, or Mt. Gox, the site was released to limited interest.

A few years later, bitcoin was born, and McCaleb quickly repurposed his failed exchange. In 2010, Mt. Gox became the first major cryptocurrency exchange. In 2011, McCaleb sold the site to Mark Karpeles, a French developer living in Shibuya.

Mt. Gox provided a valuable service. The website functioned as a consumer on-ramp to bitcoin, allowing users to trade fiat currencies for the digital asset. From 2011 to 2014, Bitcoin experienced its first wave of widespread adoption while dramatically increasing in value. Having virtually no competitors, Mt. Gox represented nearly 70% of transactions.

But there were significant problems. The exchange flouted anti-money laundering laws while facilitating the Silk Road, a dark web drug market. The exchange also had lax auditing standards despite robust user growth. Increased use led to more novice customers who mistakenly viewed the exchange as a bank for storing funds.

Unbeknownst to users, the security of the exchange was compromised. Russian hackers obtained security keys as early as 2011 and siphoned funds over several years. Mt. Gox's lax auditing system failed to recognize any inconsistencies.

In February 2014, Mt. Gox filed for bankruptcy after losing nearly 850,000 bitcoins. Valued in 2014 at $473 million, the loss represented 7% of the world's bitcoin. While the exchange was regarded as the premier exchange at the time of the hack, insider reports following the debacle described it as a frazzled and poorly-managed business. The incident caused the price of bitcoin to plummet by 36%.

Coincheck, Bitpoint, and Zaif Hacks

Every day, a massive amount of the world's cryptocurrency trades occur in yen. These transactions take place at break-neck speeds across numerous online exchanges. Crypto exchange profits are eye-popping, and several Japanese startups are active in the space.

Yet, with round-the-clock operations, online exchanges have struggled to secure funds. In early 2018, Coincheck reported that 58 billion JPY ($580 million) of NEM cryptocurrency had been stolen. Later that year, Zaif exchange halted trade after 6.7 billion JPY ($60 million) of funds were siphoned. In 2019, a similar incident occurred at Tokyo-based BITPoint.

The liquidity necessary for daily trading volumes is achieved by keeping cryptocurrencies immediately available. Such instantly tradeable assets are said to be stored in "hot wallets," software structures connected to the internet. Exchanges typically maintain currency reserves, on the other hand, in offline storage structures known as "cold wallets." Cold wallets are significantly more secure than hot wallets.

These hacks compromised exchanges' hot wallets, where careless amounts of currency were held. The constant-connectivity of these software structures proved precarious, and the staggering monetary losses attracted the eye of Japanese regulators. The Japanese Metropolitan Police Department also beefed up its cybercrime division in response.

7pay

In 2019., Seven-Eleven Japan incorporated 7pay into its namesake app. The service was marketed as an easy-to-use payment application for in-store purchases. Customers need only to choose a username and password and link a credit card. The app could then transact by scanning barcodes. In a word, the payment service was convenient.

However, 7pay’s simplicity concealed underlying issues. Due to design choices favoring usefulness over security, the application significantly exposed users’ data. Hackers simply needed a customer's name, birthday, and phone number. With this information, scammers could request a password reset using a separate email. The application failed to incorporate two-factor authentication, and birthdates defaulted to January 1st, 2019.

After users’ passwords were leaked online, the service was quickly exploited. Hackers fraudulently charged over 55 million JPY ($500,000), leaving some 900 customers holding the bag. 7-Eleven quickly suspended the app, promising to compensate victims.

Consumer and government consensus, however, admonished the convenience store chain for a sloppy roll-out. A member of Japan's Ministry of Economy, Trade, and Industry demanded the company implement tighter security while admonishing the brand for failing to follow security guidelines.


By - Luke Mahoney.