• SHARE

News that about ¥28 million has been stolen from bank accounts linked to an e-money service operated by NTT Docomo Inc., the nation’s largest mobile phone carrier, has made headlines in recent weeks, serving as a wake-up call for all concerned on the risks of e-money.

But it came as no surprise to cybersecurity experts who have long cautioned about such cyberspace scams, knowing hackers’ ploys are expected to get more and more sophisticated by the day.

Last week, online broker SBI Securities Co. announced that nearly ¥99 million had been stolen after six of its customers’ accounts were improperly breached.

Japan Post Bank Co. also said Thursday about ¥60 million had been stolen from its customers’ accounts due to unauthorized money transfers to NTT Docomo accounts and six other e-money services, including PayPay, Line Pay and prepaid debit card mijica.

What is surprising in the NTT Docomo case, however, is that unlike previous similar scams such as those involving Seven Pay Co., most of the victims weren’t even aware that they had NTT Docomo accounts under their names, causing the incident to catch them off guard.

Here’s a closer look at what the NTT Docomo accounts are, the security holes targeted by the cybercriminals and how users can be better prepared.

A bank passbook shows withdrawals totaling ¥110,000 in late August via two unauthorized money transfers to a Docomo account, according to the account holder who provided the photo. | KYODO
A bank passbook shows withdrawals totaling ¥110,000 in late August via two unauthorized money transfers to a Docomo account, according to the account holder who provided the photo. | KYODO

How does the NTT Docomo e-money service work?

The service allows smartphone users to deposit money from their bank accounts or via payment at a convenience store into their NTT Docomo account, then use the credits to buy goods at stores and wire money transfers to families and friends.

What are the tactics employed in the latest attack?

Hackers likely obtained the victims’ login information for online banking accounts via phishing or other means, opened the NTT Docomo accounts by pretending to be the victims themselves and then stole money by remitting funds from the victims’ bank accounts to the NTT Docomo accounts.

Some of those targeted have never been NTT Docomo users, which was why they were caught off guard and only realized that money had been withdrawn from their bank accounts and paid into the NTT Docomo accounts when they checked their balance.

NTT Docomo partnered with 35 banks, but it is believed that the criminal groups targeted mostly regional banks and Japan Post Bank, which do not require such strong authentication and allowed customers to log in and transfer funds using three basic items of information — the customer’s account number, password and bank card PIN code.

Banks such as Sumitomo Mitsui Banking Corp. that require strong authentication, such as two-factor authentication and a one-time password sent to the user’s mobile phone via SMS, were not targeted in the latest scams and reported no damages.

NTT Docomo Inc. Senior Executive Vice President Seiji Maruyama apologizes to people whose bank deposits were stolen using its e-money service, at a news conference at the company's headquarters in Tokyo on Sept. 10. | KYODO
NTT Docomo Inc. Senior Executive Vice President Seiji Maruyama apologizes to people whose bank deposits were stolen using its e-money service, at a news conference at the company’s headquarters in Tokyo on Sept. 10. | KYODO

But one aspect of the service that made it vulnerable to the scam was that anyone — even people who are not NTT Docomo users — is able to create an account if they register an email address.

The mobile carrier said that unlike other e-payment services it chose not to require the registration of a mobile phone number, which would have boosted security, in order to increase the number of sign-ups among people who don’t use Docomo phone services, amid increased competition between e-payment services.

How were hackers able to obtain bank account information in the first place?

Scammers are believed to have obtained the victims’ bank information via phishing in most cases.

For example, NTT Docomo warned earlier this month about SMS messages that claim to have been sent from major parcel delivery firms like Sagawa Express Co. and Japan Post Co. notifying the recipient of an attempted delivery.

If you click the link in the SMS, you are prompted to install malware that looks very similar to the Google Chrome application, or to enter your bank account information at a website that looks very similar to the genuine site of a financial institution, Docomo said in a statement.

“It remains unclear how the cybercriminals got hold of the bank account information that led to the unauthorized usage, but they probably obtained the details via phishing scams or leaks from the organizations that own such information, or bought it in the underground market,” says Kazunori Yamahoka, a security specialist at Trend Micro Inc.

NTT Docomo Inc.'s e-money service accessed via a smartphone | KYODO
NTT Docomo Inc.’s e-money service accessed via a smartphone | KYODO

How much was stolen in total?

NTT Docomo said Thursday it had confirmed 189 incidents in which money was withdrawn unlawfully, with damages totaling about ¥28 million. The company has said that it will compensate all damages.

The value of wire transfers from banks was capped at ¥100,000 per transaction, with a monthly limit of ¥300,000. Some victims reported losses of ¥300,000, while at least one person suffered a loss of ¥600,000 over two months.

How is this different from last year’s Seven & I Holdings attack?

When the now defunct 7pay smartphone e-payment service was targeted, it was weak security features — including a lack of two-way authentication — that the hackers exploited, identifying those who used the same username and password for their 7pay login as for other online services.

Seven & I Holdings Co. says the attackers, armed with lists of stolen usernames and passwords, “stuffed” the credentials at the 7pay website tens of millions of times. When they succeeded in accessing an account, they then loaded funds from its linked credit cards and used the balance to make purchases in stores. The 7pay service, which was launched in July last year, was forced to be scrapped after only three months, with over ¥38 million stolen from more than 800 users’ accounts.

In the 7pay incidents, the victims opened their accounts themselves and were aware of the cybersecurity risk. But the NTT Docomo incidents came as a rude awakening for the victims because they had not used the service themselves.

NTT Docomo Inc. Senior Executive Vice President Seiji Maruyama (center) apologizes to people whose bank deposits were stolen using its e-money service, at a news conference at the company's headquarters in Tokyo on Sept. 10. | KYODO
NTT Docomo Inc. Senior Executive Vice President Seiji Maruyama (center) apologizes to people whose bank deposits were stolen using its e-money service, at a news conference at the company’s headquarters in Tokyo on Sept. 10. | KYODO

Is NTT Docomo scrapping the service now?

No. Despite the scandals, NTT Docomo has not halted the overall service, citing strong demand for its e-money offering. To strengthen security after the scams came to light, the company has stopped new applications from connecting bank accounts with the NTT Docomo service, and 29 of the 35 partner banks have barred their customers from sending money to Docomo accounts.

NTT Docomo says it plans to introduce online identity verification technology, also known as electronic know-your-customer (e-KYC), which requires use of the customer’s driver’s license as part of steps to strengthen cybersecurity.

How can individuals try to avoid being targeted in online scams?

“In general, people are encouraged to make periodic checks on the detailed statements of their bank accounts or credit cards to notice any unfamiliar money transfers, take advantage of a multiple-factor authentication service if it’s an option and cancel the online bank transfer service if it’s not necessary,” said Trend Micro’s Yamahoka.

PHOTO GALLERY (CLICK TO ENLARGE)