OnePlus to conduct ‘complete security audit’ following credit card fraud reports

After a number of its customers flooded the internet to complain that their credit card information was stolen after making a purchase on OnePlus’ official website, the Chinese smartphone maker has responded to allegations that a flaw in its payment processing left shoppers vulnerable to credit card fraud.

Over the weekend, more than 60 customers took to the firm’s forum to report instances of fraudulent charges appearing on their card within a year of sharing their billing information with the OnePlus 5T maker. A similar thread on Reddit gained more than 670 comments in just a day.

Subsequently, OnePlus issued a detailed statement on its credit card security practices on its website in which the company says it is “investigating every report” of fraud. It also seemed to deny that it was still using the Magento e-commerce platform, which was at the heart of the vulnerability – according to Finnish cyber security firm Fidus – but added that it was conducting a wholesale security audit.

OnePlus states:

Oneplus.net was initially built on the Magento eCommerce platform. However, since 2014 we have been re-building the entire website with custom code, and credit card payments were never implemented in Magento’s payment module at all. So no, we shouldn’t be affected.​

Payment fraud is a perennial concern with all online payments. If you notice suspicious charges in your card statement, contact your bank immediately so they can reverse the payment. Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit.​

Fidus, however, found that OnePlus asks customers to hand over their card details before they’re transferred to Magento – a third-party payment processor – to be debited when it tried to complete a mock purchase.

“While the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus explained.

 

The company also notes that Magento’s e-commerce platform has a history of leaking data, so the issue is unlikely to be unique to OnePlus, and recommends that companies either use an off-site payment processor, or integrate one directly into their own website.

We’ve reached out to OnePlus for direct comment and will update this post if we hear back.

Did you notice any suspicious transactions on your credit card statement after purchasing something from OnePlus’ online store? Let us know on Twitter @TrustedReviews.

Privacy Settings