Bank Pay also lax on identity verification; electronic payments rework safety measures

On the 14th, DoCoMo announced the amount of damage from illegal withdrawals. The Japan Electronic Payment Promotion Organization (JEPPO), which operates the financial-institution-led Bank Pay service, also announced on the same day that it has stopped new usage registration. No damage has been confirmed as of the 14th. The DoCoMo account has two major weaknesses. One is that an account can be opened with just an email address. Many cashless businesses have adopted two-step authentication, such as via short message service (SMS) on smartphones, to strengthen security.

The other is the lack of identity verification when linking to a bank account. At some regional banks, linking was possible with only the bank account number, PIN, and name. PayPay, a major smartphone payment company, has introduced advanced mechanisms such as the face recognition service "eKYC" according to the security level of the bank, but DoCoMo accounts did not support it.

Bank Pay also required only an email address to register. Some banks did not use multiple-step authentication methods such as SMS for smartphones, and the security level was equivalent to that of DoCoMo accounts. A Financial Services Agency official said, "It will throw cold water on the spread of cashless payments." The Financial Services Agency will strengthen inspection and supervision of cashless businesses and banks in response to the illegal withdrawals of bank deposits via DoCoMo. It has been pointed out that the remittance service that suffered damage this time had weak identity verification on both the business side and the bank side.

In future inspection work, the agency will ask business operators to introduce advanced mechanisms such as two-step authentication and biometric authentication for identity verification of service users. It will also encourage local banks to strengthen their measures so that confirmation procedures are not left to the business operator.

Many cashless businesses have adopted methods such as disposable "one-time passwords" for each use. They take multiple safety measures both when an account is opened and each time it is used. The fraudulent withdrawal of deposits through DoCoMo accounts does not mean that other cashless payments will have the same problem.

Source: https://www.nikkei.com/article/DGXMZO63816630U0A910C2EE8000/