It must be said that NTT Docomo Inc. and a number of banks failed to take basic measures to ensure the safety of cashless payments. They should seriously reflect on the matter and make every possible effort to protect users and prevent a recurrence.
A series of cases have been reported in which NTT Docomo’s e-money service was abused to illegally withdraw money from accounts at regional banks and other financial institutions that are linked to the major mobile carrier’s e-money service. More than 70 cases of unauthorized withdrawals have been confirmed at no fewer than 12 of the 35 banks connected to the service, with the damage totaling about ¥20 million, according to the carrier.
The mechanism of the Docomo e-money service is that users register their bank accounts and link them to the service, and they can then transfer their deposits. The service can be used for shopping and sending money via smartphone.
At first, the service had been provided only to NTT Docomo customers, but it was expanded beyond them in September last year. It is possible to join the service with virtually nothing but an email address. Because the procedures to verify the identity of users are insufficient, an opening for criminal exploitation was created.
As a way of confirming someone’s identity for a smartphone payment service, two-step authentication is usually used. Users are asked to reenter a number sent via mobile phone short message service (SMS) or other means. NTT Docomo also should have adopted two-step authentication.
When the 7pay smartphone payment service of Seven-Eleven Japan Co. was illegally used in July last year, the significance of two-step authentication was pointed out. It is problematic that NTT Docomo did not utilize the lesson of that incident.
NTT Docomo lags behind SoftBank Group Corp.’s PayPay and other smartphone payment services. NTT Docomo may have been impatient to expand its business and neglected to take safety measures.
In the case of the banks that suffered damage from these account breaches, if a user’s bank account number, personal identification number, name and date of birth were known, it was reportedly possible to link the bank account with NTT Docomo’s e-money service without two-step authentication. These banks also lack a sense of crisis.
It is natural for NTT Docomo and the banks in question to cooperate to fully compensate victims.
People who do not use NTT Docomo mobile phones and cannot recall joining its e-money service have been damaged by the breaches. Some people did not realize that they were victims until they confirmed their account balances with smartphone apps. There is a possibility that some of the customers of the banks linked to the e-money service still have not noticed that their bank accounts were exploited.
NTT Docomo and the banks must inform customers of the damage and cooperate with investigative authorities to clarify the entire picture of the damage at an early stage. Customers of the 35 banks linked to the service also need to review their savings accounts.
Cashless payments have the advantage of saving customers the trouble and cost of managing cash. As the government is supporting the spread of cashless payments, a number of companies from various industries have entered the market. However, as long as they are in charge of payments, it is indispensable for them to take thorough measures to ensure safety.
The Financial Services Agency has instructed NTT Docomo to report the cause of the problem and measures to be taken to prevent a recurrence. The government, which is trying to expand the use of cashless payments, also has a responsibility to keep an eye on whether the management system is sufficient.
— The original Japanese article appeared in The Yomiuri Shimbun on Sept. 12, 2020.