David Y., one of the OnePlus forum managers, said that this issue has been passed to the company’s ‘CS team’ and that ‘they will look into it ASAP.’
OnePlus is in trouble after many users reported fraudulent and unauthorised transactions on credit cards whose details they had used on its website. According to complaints posted in a poll on the OnePlus forum, users who had previously used their credit cards to make purchases on the OnePlus website spotted unauthorised transactions on those cards. OnePlus has officially addressed the issue in a forum post, where it said that the company has started to investigate this as ‘a matter of urgency’, and gave guidelines for affected users.
A poll titled ‘Credit Card Fraud’ on the forum drew a huge response from voters who said that they had witnessed fraudulent transactions ‘after a recent OnePlus purchase.’ Around 57 voters said that they made a purchase on the OnePlus website as early as two months back and have noticed unwarranted transactions. “Yesterday I was notified on one of the credit cards of suspected fraudulent activity, I logged onto credit card site and verified that there were several transactions that I did not make,” said one forum member, to which there are several positive responses.
Interestingly, the affected users are not restricted to a particular country; users from other countries are reporting the same problem. “This morning (11th January 2018) I received a call from my bank, asking me about a fraudulent charge of 50 £ on one of the cards. It will be interesting to see if the second card will also be charged with possible fraud attempts,” said one member who claims to have placed two orders on the OnePlus website on January 9 and January 10.
OnePlus has acknowledged the issue and said that the company is conducting a ‘complete audit’ to determine the cause. The company added that customers’ credit card details are not stored on the website and are sent to its PCI-DSS compliant payment processing partner over a secured connection. However, TelecomTalk, which had the matter investigated by the information security firm Fidus, says that OnePlus is using the Magento e-commerce platform, which ‘is a common platform for credit card hacking.’
The firm further explains that the payment page hosted by OnePlus, which ‘requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted.’
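The distinction Fidus draws can be checked on a site's own checkout page. The sketch below is an added example, not code from OnePlus, Fidus or TelecomTalk: it parses checkout HTML and reports whether card fields sit in the merchant's own document, where every script on the page can read them, or inside a frame served by another host. The host names, field-name hints and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed naming hints for card inputs; real forms may use other names.
CARD_HINTS = ("cc-number", "cc-csc", "cc-exp", "cardnumber", "cvv", "cvc")

# Constructed sample pages (hypothetical hosts).
ON_SITE = ('<script src="/static/checkout.js"></script>'
           '<script src="https://cdn.example.net/analytics.js"></script>'
           '<form><input name="cardnumber" autocomplete="cc-number">'
           '<input name="cvv" autocomplete="cc-csc"></form>')
HOSTED = ('<script src="/static/checkout.js"></script>'
          '<iframe src="https://pay.processor.example/form"></iframe>')

class CheckoutAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.card_fields = []     # card inputs in the top-level document
        self.scripts = []         # scripts that share the DOM with them
        self.foreign_frames = []  # iframes served from another host

    def _host(self, url):
        # A relative URL has no hostname, so it belongs to the page's host.
        return urlparse(url).hostname or self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            ident = " ".join(a.get(k, "") for k in ("autocomplete", "name", "id"))
            if any(h in ident.lower() for h in CARD_HINTS):
                self.card_fields.append(a.get("name") or a.get("id") or "?")
        elif tag == "script":
            self.scripts.append(self._host(a["src"]) if a.get("src") else "inline")
        elif tag == "iframe" and a.get("src"):
            host = self._host(a["src"])
            if host != self.page_host:
                self.foreign_frames.append(host)

def audit(html, page_url):
    p = CheckoutAudit(page_url)
    p.feed(html)
    return {
        "card_fields_on_site": p.card_fields,
        # Only meaningful when card inputs live in this document.
        "scripts_with_dom_access": p.scripts if p.card_fields else [],
        "processor_frames": p.foreign_frames,
        "exposed": bool(p.card_fields),
    }

if __name__ == "__main__":
    for name, page in (("on-site form", ON_SITE), ("hosted frame", HOSTED)):
        print(name, audit(page, "https://shop.example/checkout"))
```

Every host listed under `scripts_with_dom_access` is code whose integrity the merchant depends on for as long as the card fields are on its own page.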