Apple Pay Suica recharge security block

JR East online services (Mobile Suica, JRE POINT, Eki-Net), along with many other online services that have accounts with credit cards, have been inundated with phishing attacks since the Russia-Ukraine situation erupted in February. It has gotten to the point that JRE POINT announced temporary security limitations on July 6: a temporary suspension of JRE POINT service recharge for Mobile Suica (via Suica App) and a 5,000 JRE POINT app barcode use limit per transaction (plastic JRE POINT card use remains unlimited). All JRE POINT services were later restored with new security enhancements.

There is another security limitation Apple Pay Suica users need to be aware of: credit/debit card recharge security block. This does not apply to cash recharge at station kiosks, convenience stores, 7-11 ATM, etc., but it can happen with multiple credit card recharges in a short period of time, i.e. heavy users. Unfortunately JR East does not reveal what conditions trigger a recharge security block that displays an error message: チャージをご利用できない状態です/ Recharge is not available. The Mobile Suica support page specifically states that JR East “cannot inform you about the conditions and contents of restrictions.” User reports suggest a general daily recharge limit between ¥5,000~¥10,000, however I think it also depends on the credit card issuer. My JR East JCB VIEW card for example has never run into any recharge limits in 5 years of heavy recharge use.

Apple Pay Suica recharge security block appears to be somewhat rare, but it is happening more with the recent Mobile Suica phishing attacks. In general Wallet app recharge tends to be more robust than Suica app recharge but security recharge block seems to affect all credit card recharge. The only user recourse appears to be contacting the card issuer or using the Mobile Suica member online Trouble Report Form (Japanese only). No word on Apple Pay PASMO but users should expect the same situation.

Mobile Suica registered account information can only be changed in Suica (iOS) and Mobile Suica (Android) apps by applying for an account update, it cannot be directly changed in the app, it cannot be changed via a web browser. This offers a level of account security but too many people fall for phishing emails. Even my internet savvy partner fell for a Mobile Suica phishing mail and have to get his credit card reissued.

The short term solution for JR East is to implement 2FA across all of their online services with a single login ID credential instead of the multiple service ID account mess we have now…hopefully soon. The longer term solution will be eliminating ID and password login altogether using Passkeys.