OnePlus Probing Credit Card Fraud Complaints
Report ADAM ISMAIL
If you purchased something from OnePlus’ website over the last few months — perhaps a shiny new OnePlus 5T — you’re going to want to closely monitor your credit card statements over the coming weeks.
OnePlus is currently responding to complaints from at least 170 customers who encountered fraudulent charges on their credit accounts shortly after buying items on the OnePlus website.
The customer concerns emerged over this past weekend, and the issues seem to be limited to those who completed purchases directly on the OnePlus site, without using third parties such as PayPal. According to OnePlus, customer payment information is never stored on its own site, but forwarded to a payment partner, where it is processed on a secure server.
Based on a poll on OnePlus’ community forums, the bulk of the breaches appear to be stemming from transactions done in the last two months, with a few users here and there reporting fraud that occurred earlier — though it’s unclear how connected those instances are to OnePlus’ site.
What To Do If You're Affected
The advice for anyone who's bought something from OnePlus in the past couple of months is straightforward: Check your payment-card statements (including the most recent transactions, which you can check online or over the phone) and report anything suspicious to your card issuer. (For Visa and MasterCard, the issuer is the bank printed on the card.) You're almost certainly off the hook for any fraudulent use as long as you report what you've seen right away.
OnePlus has since posted an FAQ on its forums explaining everything the company knows about what happened, while urging customers to get in touch if they have any comments or concerns. In the meantime, the company has suspended all credit card payments (although PayPal is still available) and posted the following response:
"At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
We’ve reached out to OnePlus for additional comments, and will update this article when we receive a reply.
MORE: OnePlus 5T Can't Stream Netflix in HD, Fix Promised
Interestingly, the FAQ acknowledges a potential flaw in OnePlus’ commerce system. The company previously utilized the Magento e-commerce platform, which was attacked several years ago by a keylogger known as Magecart. OnePlus says it began moving away from Magento before that breach, and never used Magento for credit cards in the first place.
However, while OnePlus claims customer data is never saved on its website, an independent audit by Fidus Information has revealed that some information is kept, albeit briefly, on OnePlus’ own servers before it’s pushed to its payment partner.
Because the payment form is hosted by OnePlus, Fidus says attackers are able to capture the content of form fields with clever JavaScript, despite the fact that none of the processing actually happens on OnePlus’ end.
For OnePlus, this breach is the latest in a line of recent security snafus. In October, the company was discovered to have been collecting identifiers and usage data from phones and sending them to servers in China without customers' knowledge. A month later, a low-level diagnostics app labeled EngineerMode was found on all of OnePlus' handsets, allowing attackers to collect a wealth of information should they get their hands on a device.
No comments:
Post a Comment