OnePlus customers reporting credit card frauds after making a purchase from official website [Updated]

Chinese smartphone brand OnePlus is well known for making smartphones that pack a lot of punch while also being easy on the customer’s wallet. However, the company also often finds itself in hot water for different reasons, the latest being credit card fraud.


Multiple OnePlus customers on the company’s official forums as well as Reddit are reporting fraudulent activity on their credit cards after making a purchase from OnePlus’ official website. One such customer, going by the name superdutynick, has said that he purchased two OnePlus phones using two different credit cards last November, and that he was recently notified about suspicious fraudulent activity on both of the credit cards he used to make the purchase.


Soon after superdutynick posted this, other OnePlus customers chimed in about similar activity on their credit cards after they purchased a product from OnePlus’ official website. Once this post gained traction, OnePlus Community Manager David Y. said that the issue has been brought to the notice of the OnePlus Customer Service team and that they are investigating it. At the time of writing, OnePlus hasn’t shared any further information regarding this matter.

Having said that, the folks over at Fidus, an information security firm, have looked into this matter and have said that OnePlus is currently using the Magento eCommerce platform, which is known for credit card hacking.


“We stepped through the payment process on the OnePlus website to have a look at what was going on. Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” wrote Fidus in a blog post.
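An added example, not from Fidus or OnePlus: a static audit of the distinction Fidus draws, checking whether card fields sit in the shop's own document (where every script on the page can read them) or in a third-party iframe. The sample pages, the host names shop.example and psp.example, and the CARD_HINTS list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout pages (not OnePlus markup).
ON_SITE = """<form action="https://psp.example/charge" method="post">
  <input name="card_number" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
</form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.net/widget.js"></script>"""

IFRAMED = """<iframe src="https://psp.example/hosted-fields"></iframe>
<script src="/static/checkout.js"></script>"""

CARD_HINTS = ("cc-", "card", "cvv", "cvc")  # assumed naming conventions


class CheckoutAudit(HTMLParser):
    """Collects card inputs, scripts and foreign iframes in the top-level document."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.card_inputs, self.scripts, self.foreign_iframes = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            label = (a.get("autocomplete", "") + " " + a.get("name", "")).lower()
            if any(h in label for h in CARD_HINTS):
                self.card_inputs.append(a.get("name", ""))
        elif tag == "script":
            self.scripts.append(a.get("src") or "(inline)")
        elif tag == "iframe":
            host = urlparse(a.get("src", "")).hostname
            if host and host != self.page_host:
                self.foreign_iframes.append(host)


def audit(html, page_host):
    p = CheckoutAudit(page_host)
    p.feed(html)
    p.close()
    return {
        "card_inputs_on_site": p.card_inputs,
        # Scripts sharing a document with the card inputs can read them before submit.
        "scripts_with_access": p.scripts if p.card_inputs else [],
        "foreign_iframes": p.foreign_iframes,
    }
```

In the iframed layout the card fields live in the processor's origin, so scripts on the shop page cannot read them. A static check like this only sees the served HTML and does not see scripts added at runtime.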

At this point in time, there’s no information on the exact number of customers that have been affected, and we are awaiting an official response from OnePlus which would shed more light on this matter.

Are you a OnePlus customer who purchased a product from their official website using your credit card? If yes, we suggest you check your bank statements right away and see if you too have been affected.

Updated on January 16, 2018: OnePlus has responded on this matter and has posted an FAQ on their official forums. In the FAQ, OnePlus has said that the users who are reporting this issue made payments using a credit card directly on oneplus.net without involving any third party like PayPal.

Furthermore, OnePlus has also said that customers’ credit card information isn’t stored on oneplus.net and is instead sent directly to their PCI-DSS compliant payment processing partner in an encrypted manner. Moreover, the company has said that their website is HTTPS encrypted, which makes it difficult for hackers to intercept the information in transit and inject any malicious code.

Speaking about the Magento bug, the company has said that they have been re-building their website since 2014 with custom code and they have never used Magento’s payment module for credit card payments, which means they should be unaffected by that vulnerability in Magento’s platform.

That said, the investigation into this issue is ongoing, and if you think that your credit card information has been compromised, you are advised to get in touch with your bank as soon as possible to prevent any loss of money. You can visit OnePlus Forums for more details.