Does a Security Vulnerability Exist? WeChat Users Experiencing Unauthorized Face Payment Transactions

Recently, there have been concerns over security vulnerabilities in WeChat Pay. A netizen from Guizhou province in China reported that a stranger from another location managed to activate facial recognition payment on their account and made a payment of 106.64 yuan (RMB). Surveillance footage showed that the fraudster successfully entered the last four digits of the victim’s phone number to complete the verification, sparking widespread discussions on the incident.

On January 12th at 6:48 pm, the netizen, Zhang Lan (pseudonym), received notifications on WeChat indicating that “in-store facial recognition payment activation was successful” and “WeChat payment successful”. Zhang Lan later discovered that a stranger in Anhui province, specifically in the Jinse Hualian Supermarket in Bozhou, successfully made a payment of 106.64 yuan through facial recognition on her WeChat account. She promptly reported the incident to WeChat Pay and filed a police report.

Zhang Lan investigated the CCTV footage from the store and found that the fraudster did not resemble her at all. Additionally, she had obtained her phone number during her school enrollment and never changed it, and she had not activated the facial recognition payment feature on WeChat in the first place.

On the evening of January 14th, WeChat Pay officially refunded Zhang Lan the 106.64 yuan that was unlawfully deducted from her account.

In response to the incident, Tencent stated on the 15th that user payments require dual verification through phone number and facial recognition, and that the company is currently in communication to verify the specific circumstances. To prevent further losses for users, full compensation has been provided in advance. Tencent advised users to contact the WeChat Pay customer service team if they encounter similar situations.

On January 17th, the topic of “WeChat users being illegally charged through facial recognition from remote locations” trended on social media platforms.

The incident has stirred heated discussions online. Some netizens commented, “It’s really scary! The girl didn’t even activate the facial recognition feature!” “The loophole is too significant.” “This indicates severe personal information leakage. If the other party knows the last four digits of the phone number, it means information has been exposed.”

Several netizens shared their own encounters with similar situations. One individual said, “I bought a drink from an automated vending machine, and the money was deducted right after I scanned my face! I remember not activating this feature, so I immediately turned off the payment without a password option.”

“Money from my father’s phone WeChat account in our rural area was drained, along with the funds from a bank card,” another netizen explained. “After checking the WeChat records, there were purchases of goods worth 10,000 yuan using Apple Pay on JD.com, as well as multiple transfers of several hundreds. The bank card was used for numerous small transactions, but my father claimed it was not linked to that account. He didn’t disclose the payment password to anyone. However, after reporting to the authorities, there has been no update so far.”