OnePlus doesn't seem to be catching a break. The company has been dealing with a number of security issues in the past few months. After alleged backdoors and storing a lot of user information, the company is now in the middle of another security issue. The problem was first highlighted over the weekend on Twitter, Reddit, and OnePlus forums, where many users reported that their credit card details had been stolen and that someone was using their payment information on betting and gaming websites.
"I purchased two phones with two different credit cards, first on 11-26-17 and second on 11-28-17," one user wrote. "Yesterday I was notified on one of the credit cards of suspected fraudulent activity, I logged onto credit card site and verified that there were several transactions that I did not make."
"I do not use either of those credit cards frequently. The only place that both of those credit cards had been used in the last 6 months was on the OnePlus website. I am not too worried about it, I have fraud protection on all of my cards.
"I am not accusing OnePlus, and I do love my phone... just the only similarity I could find between the 2 cards. I just want to make everyone aware so that they can check their statements for any unauthorized transactions, in case OnePlus was breached."
This initial report was followed by a number of OnePlus users who said they were also victims of credit card fraud. Many explained that this happened only after they shopped directly from the official OnePlus website, which indicated that the leak might have been through the company itself.
However, OnePlus, in a quick PR move, released a statement early Monday morning clarifying that it doesn't and cannot store payment details of its users. "Your card info is never processed or saved on our website," OnePlus wrote. "It is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers."
It added that even if a consumer goes for the "Save my card for future transactions" option, the company only receives "a few digits" from its payment processing partners.
While OnePlus suggests that the company doesn't store payment details of its customers, security researchers claim that the company has one major flaw in how payments are processed.
"The payment page which requests the customer’s card details is hosted ON-SITE," security researchers at Fidus wrote. "This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker."
"Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted."
This means that an attacker who had compromised the website and gained access to this page could potentially inject malicious code to steal data.
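The exposure Fidus describes can be checked from the defender's side. The following is an added example, not code from the article, Fidus or OnePlus: it audits a checkout page's HTML for card inputs that sit in the merchant's own DOM, where every script on the page can read them, versus a processor-hosted iframe. The sample pages, host names and the `CARD_HINTS` list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not OnePlus's real markup); hosts are placeholders.
SAMPLE_ONSITE = """<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
<form action="https://processor.example/pay" method="post">
  <input name="card_number" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
</form></body></html>"""
SAMPLE_HOSTED = """<html><body><script src="/static/app.js"></script>
<iframe src="https://processor.example/hosted-fields"></iframe></body></html>"""

CARD_HINTS = ("cc-number", "cc-csc", "cc-exp", "card", "cvv", "cvc")  # assumed heuristics

class CheckoutAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.card_fields = []     # card inputs living in the merchant's own DOM
        self.scripts = []         # (src or "inline", is_third_party, has_sri)
        self.foreign_frames = []  # iframes served from another origin

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative or missing src
        third_party = host is not None and host != self.site_host
        if tag == "input":
            label = (a.get("autocomplete", "") + " " + a.get("name", "")).lower()
            if any(hint in label for hint in CARD_HINTS):
                self.card_fields.append(a.get("name") or a.get("autocomplete"))
        elif tag == "script":
            self.scripts.append((a.get("src") or "inline", third_party, "integrity" in a))
        elif tag == "iframe" and third_party:
            self.foreign_frames.append(host)

def audit(html, site_host):
    """Report whether card fields are readable by scripts running on this page."""
    p = CheckoutAudit(site_host)
    p.feed(html)
    exposed = bool(p.card_fields)  # on-site fields: every script on the page is in scope
    no_sri = [src for src, third, sri in p.scripts if third and not sri]
    return {"card_fields_in_page": p.card_fields, "exposed": exposed,
            "scripts_in_scope": len(p.scripts) if exposed else 0,
            "third_party_no_sri": no_sri if exposed else [],
            "processor_frames": p.foreign_frames}

if __name__ == "__main__":
    print(audit(SAMPLE_ONSITE, "shop.example"))
```

Subresource Integrity only covers tampering with third-party files; a compromised first-party site can still change its own scripts, which is why `exposed` is the primary signal here.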
OnePlus releases an FAQ list - says contact your bank
"At OnePlus, we take information privacy extremely seriously," the company said in its statement earlier today. "Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated."
The company has answered some questions in its statement and has advised users to contact their bank to resolve any suspicious charges. "They will help you initiate a chargeback and prevent any financial loss," the company wrote.
While right now it appears as though yet another company is trying to put the blame on someone else, OnePlus did say that this is an ongoing investigation, which means the statement and the results could change. In the meantime, it would be wise not to shop from OnePlus directly. It should be noted, however, that OnePlus continues to respond almost immediately to all such security incidents. If you believe you have been affected, head over to OnePlus for details, but ultimately only your bank will be able to help you out.