
Hitachi

Hitachi Systems SHIELD Security Research Center

Initial Disclosure Date: Mar 31, 2014

Between March 25th and 27th, 2014, the website of a major Japanese credit card company, JCB, suffered login spoofing from specific IP addresses, and JCB points were stolen from some of the affected users. The MyJCB website allows JCB card holders to check their usage details over the last eight months, confirm their current point balance, and exchange their points for commercial goods. JCB started to suspend MyJCB services intermittently at 23:53 JST on March 25 and posted an online warning on the 27th. Although JCB believes that this incident was not caused by the hacking of its server, it has not found out how the IDs and passwords were stolen. JCB claims that it has seen fewer than 500 login spoofing incidents, some of which were used to change JCB points to T points. T Point Card holders earn points based on how much money they spend on their card and can use those points to buy commercial products.(footnote:1)

There have been several similar incidents over the last few months in Japan. For example, the website of the JAL Mileage Bank also faced login spoofing, and some mileage points were changed to Amazon Gift Cards. Because Amazon Gift Cards and iTunes Cards can be used online with only their card numbers, they are also a convenient way for criminals to change those points to money. The T Point program collaborates with Yahoo!ID on point services. Since people can register for a Yahoo!ID without an ID check, criminals sometimes take advantage of it. As incidents of this type are likely to continue for a while, it is crucial for users not to reuse the same password across different websites and to check their points periodically.(footnote:2)

Sources:

  1. JCB, “Kaiin senyo WEB sabisu ‘MyJCB’ no go-annai [What our user only-services, MyJCB, are],”
    http://www.jcb.co.jp/myjcb/whats.html
    JCB, “’MyJCB’ heno husei akusesu ni tsuite [MyJCB was hacked],”
    http://www.jcb.co.jp/news/myj_20140327.html
    Hiroshi Mikami, “JCB ni husei roguin, T pointo heno kokan wo akuyo [JCB was hacked to steal points to change them to T points],” Yomiuri Shimbun, March 27, 2014,
    http://www.yomiuri.co.jp/it/security/goshinjyutsu/20140327-OYT8T00506.html
  2. Security NEXT, “JAL mileage bank ni husei roguin  mairu wo Amazon gihuto ken ni kokan sareru [JAL Mileage Bank was hacked to change mileage points to Amazon gift cards],” February 2, 2014,
    http://www.security-next.com/46265
    Hiroshi Mikami, “JCB ni husei roguin, T pointo heno kokan wo akuyo [JCB was hacked to steal points to change them to T points],” Yomiuri Shimbun, March 27, 2014,
    http://www.yomiuri.co.jp/it/security/goshinjyutsu/20140327-OYT8T00506.html

