Many OnePlus customers have reported that cards they used to purchase a smartphone from the company's official website were later used for fraudulent transactions. The official OnePlus forum now has a dedicated thread on the credit card fraud issue, with over 70 affected users over the last four months. These users have reported multiple instances. In response, OnePlus said that it is still trying to figure out the cause of this hack.
The first post on the forum thread was posted last week. After it appeared, many buyers posted similar cases of fraudulent transactions made with their cards. On its official blog, OnePlus posted on a Monday evening saying that it has begun investigating “as a matter of urgency,” and at least acknowledged that the affected users “made credit card payments directly on oneplus.net (without involving a third party such as PayPal).”
The company also said: “If you suspect that your credit card info has been compromised, please check your card statement and contact your bank to resolve any suspicious charges. They will help you initiate a chargeback and prevent any financial loss.” The statement makes it clear that the Chinese manufacturer won’t be bearing any losses.
About the investigation, the company has said that it is “working with our third-party providers, and will update you on our findings as they surface.”
Fidus Information Security, a cybersecurity consultancy firm, published a blog post that pointed out two issues that might be responsible in this matter. The first is that the website isn’t PCI compliant. OnePlus was also incorrect in saying that it doesn’t handle card payments. Fidus also said that the website is built on Magento, which is a very common platform on which credit card hacking takes place.
The company, however, didn’t agree with these concerns and said that all credit card data is sent to a PCI-DSS compliant payment processing partner. All of this exchange takes place over an encrypted connection. The company didn’t address the claim that its website is not PCI compliant.
The manufacturer did, however, acknowledge that its website is built on Magento and confirmed that it is rebuilding the website on custom code. It said that credit card payments weren’t handled via the Magento payment module.