Multiple OnePlus customers claim incidents of fraudulent credit card transactions, after purchasing products from official website

Update: OnePlus has issued an official statement in response to these complaints. The response covers all the questions that users may want to ask the company including the steps to undertake if anyone gets to know about fraud transactions from their account.

OnePlus customers, on its official forums, have begun reporting incidents of credit card fraud after using their cards for purchasing gear on the OnePlus website.

OnePlus 5T.

The OnePlus 5T.

Seems like the year 2018 is bringing plenty of bad luck for OnePlus and its customers. While the popular smartphone brand started the year with a bang, announcing not one but two new variants of its OnePlus 5T smartphones, fans will also be happy (or unhappy) to know that the next OnePlus 6 will arrive as soon as June.

But there have been several problems with software updates lately, and now there appears to be a major issue to do with the OnePlus checkout system on its official website.

In what looks like a ‘man in the middle attack’, hackers seemed to have siphoned off credit card details of users and have recently started spending (rather lavishly) at various establishments swiping away transactions between Rs 15,000 to Rs 1,00,000 (approximately).

After a forum user and customer reported the incident on 11 January, there have been 7 pages of comments with other OnePlus customers and forum members reporting the same.

While this may seem like a one-off incident of credit card fraud, it’s anything but that. This is because several customers, some of whom have solely used a new card just to buy the smartphone on the OnePlus website, have started noticing fraudulent activity.

A particular customer reported that he eventually had to block his new card because of repeated attempts to use the credit card for various payments.

Forum users have now taken to Reddit to alert others about the fraudulent transactions, which has attracted 642 comments in the past 19 hours.

Fidus Information Security, a security penetration testing company, claims that it is in fact a clear case of a hack of the payment process on the OnePlus website.

Researchers at Fidus explain that OnePlus uses the Magento eCommerce Platform, which is reportedly a common target for credit card hacks.

The image highlights exactly where an attacker is able to compromise raw credit card data. Image: Fidus Information Security

The image highlights exactly where an attacker is able to compromise raw credit card data. Image: Fidus Information Security

The problem occurs because of payment page “which requests the customer’s card details is hosted ON-SITE and not on an iFrame by a third-party”.

This allows the credit card details to be briefly stored on the website before being sent off to a third-party payment provider. This brief moment is enough for a hacker to intercept and store the credit card details.

Fidus also made clear that OnePlus website does not appear to be PCI compliant, and that their claim of not handling any card payments on the website, is incorrect.

Additionally, the team at Fidus also pointed another blog by Sucuri (posted in 2015), which explains that a Magento e-commerce website can result in an immediate loss of money.

As for all those who have made payments using their credit card on the OnePlus website, you will need to go through your transaction details over the past few weeks to check if there have been any fraudulent transactions. Currently, this issue only seems to have affected users from Europe and parts of the US. We have not come across any Indian users who have reported this issue, but since this is a developing story, we cannot say for sure how widespread the issue is.

We have contacted OnePlus India for an official comment and we will update this article once we receive a response from the smartphone brand.

Published Date: Jan 15, 2018 12:30 PM | Updated Date: Jan 15, 2018 20:18 PM