Chinese money laundering with Mobile Suica

After the deluge of phishing attacks out of China targeting Mobile Suica users and other JR East online services starting in late 2021, Japanese police have made an arrest that finally shows what Chinese criminals are doing with the stolen credit card information. Online reports of phishing attacks in Japan decreased after JR East and many other companies made one-time passcodes and other security measures standard practice in 2023, but I suspect criminal operations simply moved the phishing target to mobile payment users in other markets like the UK (especially instantly issued digital cards from mobile apps like WISE and Revolut).

The reported scam worked like this: the two Chinese nationals who were arrested, 25 and 30 year old ‘exchange students’ (there were probably more), each created multiple Google Mail accounts and linked them to multiple Mobile Suica accounts along with stolen credit card information, recharging each Mobile Suica with ¥5,000 for a total of ¥80,000 loaded across multiple Mobile Suica accounts on multiple devices. The relatively small amount in each account helps because big fraud gets shut down quickly and reported to police (I suspect we are talking Android Osaifu Keitai in this case, not Google Wallet or iPhone Apple Pay, which have different security protocols to prevent identity theft and fraud).

The exchange students were directed to purchase cigarettes at a LAWSON convenience store in Shinjuku where the manager was also a Chinese national, who has since fled back to China. The manager allowed the cigarette sales to be done at self checkout, which was likely tampered with and is strictly forbidden by LAWSON policy and Japanese law. The fraudulently purchased cigarettes were left at the store, then picked up by someone else and taken to China to be sold there. Over 10 months this scheme reportedly netted ¥45 million.

The Japanese police haven’t given many details and I don’t think they ever will. However, a few key points are worth examining:

  1. Nothing can be done to stop fraud when the store manager has compromised the payment system and the convenience store is being used as a front for illegal self checkout purchases. Remember that convenience store managers are full time company positions that start around the ¥400,000 a month range plus bonuses and other benefits. LAWSON is at fault here and has a lot of explaining to do.
  2. Each Mobile Suica account has to reside on a different smartphone with its own SIM, which means a highly organized group illegally procures multiple phones and SIM cards.
  3. Linking a credit card to Mobile Suica requires the card security code. In other words, EMV 3-D Secure doesn’t mean squat if people aren’t careful online with their card security code: a phishing page that collects the card number, expiry and security code together hands the attacker everything needed to start the card link the moment the victim submits the form. This will always be the weak link of the security chain.
  4. If customs officials in China are looking the other way as lots of cigarette cartons pass through, Communist Party higher-ups are involved.
  5. Adding money to Osaifu Keitai Mobile Suica with a credit card requires 3-D Secure, typically a one-time SMS code sent to the cardholder, and if it’s through Google Pay or Apple Pay there are even more stringent requirements for adding credit cards. I don’t see how the scam works as the window of opportunity is so small, unless cardholders were in on it in some way.

Following the reports, let’s say a WISE card user in the UK falls for a phishing scam. The Chinese criminals relay the information to operatives in Japan, who link the stolen card to a Mobile Suica account and add ¥5,000. The WISE card user cancels the card and is not charged, but the value has already been converted into e-money and is ready for use.

The window of available use is short because once JR East gets notice of fraudulent activity from the card issuer it blacklists the offending Mobile Suica card numbers in the payment network, though these are things that JR East and credit card companies never freely talk about.

The central scam strategy is quick turnaround with small fraud amounts across many different cards, less than 50 USD each: low enough that credit card companies simply reimburse the amount to the cardholder, issue a new card and move on.

JR East has stated it will increase the security of Mobile Suica ID creation (again, likely Osaifu Keitai, as Apple ID / Apple Pay and Google Account / Google Wallet already have stricter protocols for adding cards). LAWSON has said nothing, however, and is the party at fault here because of lax management and oversight: its system should have flagged cigarette purchases at self-checkout points. At least we now have a better understanding of the reasons behind Apple Pay Enhanced Fraud Prevention and the Location Services ‘on’ requirement for using the iOS Welcome Suica Mobile app.
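The detection side of the three points above (blacklisting once an issuer reports fraud, small amounts spread across many cards, and tobacco sold at self-checkout), as an added illustration that is not code from JR East, LAWSON or the original post: it runs two rules over constructed transaction records. The thresholds (¥5,000 per load, a 7-day “fresh account” age, a 24-hour window, five distinct cards), the field names and the sample data are assumptions made for the example; the real issuer and JR East limits are not public.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical thresholds for this illustration; real issuer and JR East limits are not public.
SMALL_TOPUP_YEN = 5000              # the per-account amount reported in the case
FRESH_ACCOUNT = timedelta(days=7)   # account linked to a card within a week of creation
WINDOW = timedelta(hours=24)        # how close together the top-ups must be
MIN_DISTINCT_CARDS = 5              # distinct cards in one window before alerting
RESTRICTED_GOODS = {"tobacco", "alcohol"}  # age-restricted categories needing a staffed lane


@dataclass
class TopUp:
    ts: datetime
    suica_id: str
    card_token: str          # issuer-side token standing in for the card number
    amount_yen: int
    account_created: datetime


@dataclass
class Sale:
    ts: datetime
    store_id: str
    lane: str                # "self" or "staffed"
    category: str
    tender: str              # "suica", "cash", ...
    suica_id: Optional[str]
    amount_yen: int


def structuring_alerts(topups, window=WINDOW, min_cards=MIN_DISTINCT_CARDS):
    """Return Suica IDs that took part in a burst of small, card-funded top-ups
    onto freshly created accounts from many distinct cards inside one window."""
    candidates = sorted(
        (t for t in topups
         if t.amount_yen <= SMALL_TOPUP_YEN
         and t.ts - t.account_created <= FRESH_ACCOUNT),
        key=lambda t: t.ts,
    )
    flagged = set()
    start = 0
    for end in range(len(candidates)):
        # slide the window start forward until the span fits inside `window`
        while candidates[end].ts - candidates[start].ts > window:
            start += 1
        cluster = candidates[start:end + 1]
        if len({t.card_token for t in cluster}) >= min_cards:
            flagged.update(t.suica_id for t in cluster)
    return flagged


def blacklist_from_chargebacks(topups, charged_back_cards):
    """Propagate an issuer's fraud notice to every Suica ID that card funded."""
    return {t.suica_id for t in topups if t.card_token in charged_back_cards}


def pos_review(sales, blacklist):
    """Map sale index -> reasons a store system should have stopped or flagged it."""
    findings = {}
    for i, s in enumerate(sales):
        reasons = []
        if s.category in RESTRICTED_GOODS and s.lane == "self":
            reasons.append("restricted goods at self-checkout")
        if s.suica_id in blacklist:
            reasons.append("blacklisted Suica ID")
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample data (not real transaction records).
T0 = datetime(2024, 4, 1, 9, 0)
FRESH = T0 - timedelta(days=2)
SAMPLE_TOPUPS = [
    # six ¥5,000 loads from six different cards onto six new accounts within two hours
    *[TopUp(T0 + timedelta(minutes=20 * i), f"suica_0{i + 1}", f"card_{c}", 5000, FRESH)
      for i, c in enumerate("abcdef")],
    # an ordinary user: older account, larger load
    TopUp(T0 + timedelta(hours=1), "suica_legit", "card_x", 10000, datetime(2022, 1, 1)),
    # a lone small load onto a new account three days later: below the card threshold
    TopUp(T0 + timedelta(days=3), "suica_07", "card_g", 3000, T0 + timedelta(days=2)),
]
SAMPLE_SALES = [
    Sale(T0 + timedelta(hours=3), "store_A", "self", "tobacco", "suica", "suica_01", 5000),
    Sale(T0 + timedelta(hours=3), "store_A", "staffed", "tobacco", "cash", None, 600),
    Sale(T0 + timedelta(hours=4), "store_B", "self", "food", "suica", "suica_legit", 480),
    Sale(T0 + timedelta(hours=5), "store_A", "self", "food", "suica", "suica_02", 900),
]

if __name__ == "__main__":
    print("structuring:", sorted(structuring_alerts(SAMPLE_TOPUPS)))
    bl = blacklist_from_chargebacks(SAMPLE_TOPUPS, {"card_a", "card_b"})
    print("blacklisted:", sorted(bl))
    print("POS findings:", pos_review(SAMPLE_SALES, bl))
```

The structuring rule keys on what the case shows (many distinct cards each loading a small amount onto a newly created account within hours of each other), not on any single transaction, which is why a per-transaction amount limit alone never fires. The POS rule fires on lane and category regardless of tender, so a manager who has compromised a store cannot make it go away by steering the payment method, and a blacklist propagated from the issuer notice catches the remaining balance on every account the reported card funded.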

In short, this is a big, sophisticated criminal operation with many moving parts working together. It’s not going away. As always, be vigilant with your credit cards and personal information, especially online.