Initial Disclosure Date: Mar 31, 2014
Between March 25th and 27th, 2014, the website of a major Japanese credit card company, JCB, suffered login spoofing from specific IP addresses, and JCB points were stolen from some of the affected users. The MyJCB website allows JCB card holders to check their usage details over the last eight months, confirm their current point balance, and exchange their points for commercial goods. JCB started to suspend MyJCB services intermittently at 23:53 JST on March 25 and posted an online warning on the 27th. Although JCB believes that this incident was not caused by hacking of their server, they have not found out how the IDs and passwords were stolen. JCB claims that they have seen fewer than 500 login spoofing incidents, some of which were used to change JCB points to T points. T Point Card holders earn points based on how much money they spend on their card, and they can use the points to buy commercial products.(footnote:1)
There have been several similar incidents over the last few months in Japan. For example, the website of the JAL Mileage Bank also faced login spoofing, and some mileage points were changed to Amazon Gift Cards. Because people can use Amazon Gift Cards and iTunes Cards online with only their card numbers, it is convenient for criminals to change those points to money as well. T Point collaborates with Yahoo!ID on point services. Since people can register for Yahoo!ID without an ID check, criminals sometimes take advantage of it. As this type of incident will continue to occur for a while, it is crucial for users not to reuse the same password to log in to different websites and to check their points periodically.(footnote:2)
Sources:
Hitachi Systems provides a true one-stop service covering the entire IT lifecycle, from system consulting through construction, deployment, operation, and maintenance.