A message on the website of Chugoku Bank, based in Okayama, says funds were illicitly transferred from an account at the bank to an account in NTT Docomo Inc.’s electronic payment system. (The Asahi Shimbun)
NTT Docomo Inc. suspended linking its electronic payment service to regional banks after the system was manipulated to siphon money from accounts at the banks in a barrage of illicit withdrawals, the mobile carrier announced Sept. 9.
The suspension involved 17 regional banks across Japan.
Japan Post Bank said the same day that it has halted new registrations of its accounts to NTT Docomo’s system after media reports on illicit withdrawals at regional banks. It urged customers to alert it if irregular transactions had occurred.
It is not yet clear how many unauthorized withdrawals occurred or how much was stolen.
NTT Docomo acknowledged that its system for confirming customers’ identities was inadequate and said it will increase security to prevent a recurrence.
Its electronic payment service allows users to do online shopping and transfer money using their smartphones.
To use the service, people need to open their Docomo account and link it to their bank account.
They can then charge their Docomo account with funds in their bank accounts to make payments and transfer money online.
The regional banks that NTT Docomo has suspended linking to its electronic payment system are: 77 Bank, Chugoku Bank, Ogaki Kyoritsu Bank, Aeon Bank, Senshu Ikeda Bank, Oita Bank, Kiyo Bank, Shiga Bank, Sendai Bank, Daisan Bank, Tajima Bank, Tottori Bank, North Pacific Bank, Michinoku Bank, Iyo Bank, Toho Bank and Bank of the Ryukyus.
The banks have reported unauthorized withdrawals from customers’ bank accounts to unfamiliar accounts in NTT Docomo’s electronic payment service and other suspected cases.
Earlier in September, 77 Bank investigated a complaint about a money transfer that a customer said was not authorized, and discovered that funds had been illegally siphoned out of the account.
Bank officials suspect that deposits in the customer’s account were transferred to an account of a third party in NTT Docomo’s electronic payment service with the use of stolen data, including the customer’s bank account number and personal identification number.
The bank said it has also received reports of similar cases from other customers and that up to hundreds of thousands of yen were stolen in illegal withdrawals.
Bank officials reported the suspected fraud to Miyagi prefectural police and are continuing their own investigation into the incidents.
But 77 Bank said it had found no sign of bank account numbers or other data being leaked from the bank’s system.
Meanwhile, NTT Docomo allows customers to open accounts for its electronic payment service by giving just their email address and name. No measures are in place to confirm whether the name is legitimate or fake.
The lax security apparently helped thieves to easily pose as account holders at the regional banks.
The names of customers, along with their bank account number, personal identification number, date of birth and other information are believed to have been stolen in one way or another at regional banks in the recent spate of suspected illicit withdrawals.
The link between NTT Docomo’s electronic payment system and that of regional banks was exploited by at least one perpetrator, who used it to open a Docomo account under the name of a customer who had an account at a bank. The thief then used it to extract money from the bank.
To prevent future abuse of its payment system, NTT Docomo will add a security step requiring customers to confirm their identity using the short message system on their mobile phone when they open an account.
As a precaution against theft, some banks oblige customers to enter more than one personal identification number and password.
Experts say regional banks were targeted in the recent frauds as they lacked such security safeguards.
To read the original article: http://www.asahi.com/ajw/articles/13711367