Aeon and NHK had an interesting tussle recently over an NHK report of credit card fraud. Japanese news media reported yet another cigarette fraud purchase scandal similar to the recent Chinese criminal group one using Mobile Suica. Only this one was a Vietnamese group using stolen credit card information on burner smartphones making small purchases with the iD payment network. Many media outlets got the basic story wrong like the Japan Times:
Tokyo police have arrested five people for alleged fraudulent purchases of heated tobacco products with stolen credit card information at a convenience store in the city.
The suspects include Mitsuyoshi Ugajin, the 50-year-old owner of the convenience store in Shinjuku Ward, and Pham Thi Thanh Hang, a 26-year-old Vietnamese national.
The five were arrested by the Metropolitan Police Department on suspicion of buying some 2,800 boxes of heated tobacco products, worth about ¥1.64 million, at the convenience store using the Apple Pay iD contactless payment service over 167 times from Nov. 8 to 10 last year.
At the convenience store, similar incidents occurred from May to November 2024, causing some ¥100 million in damage, according to people familiar with the investigation.
Credit card information of 148 people, believed to have been stolen through phishing, had been registered to the payment service installed on smartphones. The suspects apparently aimed to resell heated tobacco products overseas.
Offline payment, whose inappropriate use is unstoppable when smartphone signals are cut, was used for the crime. The purchases were limited to less than ¥10,000 each.
The fraudulent purchases came to light when Aeon Financial Service, the issuer of the credit cards involved, consulted the police.
In March this year, Aeon Financial said that credit card fraud using offline payment had drastically increased since spring last year, leaving tens of thousands of customers facing ¥9.9 billion in damage in total.
No damage has been confirmed since Aeon Financial has taken new preventive measures, according to the company.
Japan Times, May 15
The Japan Times and many other Japanese media fudged an important point, the ‘offline payment is unstoppable when smartphone signals are cut’ bit, because they have no idea what an embedded secure element (eSE) is and does. Payment card information is on the device eSE, just like it is in a plastic card chip. A card payment transaction has nothing to do with the smartphone being connected to a network.
An offline transaction is all about the merchant side payment reader, not the smartphone. The merchant reader connects with the payment network to verify card status and proceed with a valid transaction. Offline transactions are intended those times when the payment network is unavailable so that small purchase amounts can be made until the merchant system reconnects with the payment network.
What the convenience store manager (Ugajin is known as a yakuza name btw) did was switch the store payment reader to offline mode so that Vietnamese operatives could use the offline payment terminal for 2 hours making multiple small purchases with multiple smartphones. As with similar recent fraud cases, when the merchant payment system is in on the fraud, fraud is going to happen. The real story here however was the stolen credit card info was from AEON cards. And NHK got the story right pointing out that this has been a AEON card problem with phishing victims still being charged for offline purchases with a compromised card even after canceling it. Criminals know this.
NHK called it a AEON card system error. AEON shot back with a press statement saying the NHK News 7 story was incorrect and that the system error had been fixed. NHK didn’t reply but took down the online video version that was correct, replacing it with a puff word piece towing the incorrect Japanese legacy media narrative that the culprit was Airplane Mode after all.
Here’s the thing, people have been complaining about AEON card offline ‘why am I still being charged after canceling the card?’ problem for years. Others were pointing out the potential abuse of offline payments too. Maybe the problem is really fixed now but AEON should have aggressively addressed their offline payment issues years ago. Like all things these days, problems are not problems until the people who decide these things decide they are ‘problems’. Which begs the question, was it really a problem to those people in the first place?
You must be logged in to post a comment.