
OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com)

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."

  • by Anonymous Coward

    This is exactly why, despite their other practices, I use paypal to buy things.
    Sure, the company is shady in their own right, however I still trust PP more than most online retailers. So I pay with PP (or Amazon if that's a choice).

    • by Kenja ( 541830 )
      Yes... no one's EVER reported fraud after using PayPal.
      • Yes... no one's EVER reported fraud after using PayPal.

        It has to be safer than just giving every ecommerce site on the internet your "secret" numbers, and just hoping they don't use them for anything but what you wish they will.

        I've implemented (low level) PayPal integrations. About the only fraud I can picture is abusing the range that they allow when you go to PayPal to sign in and approve the purchase, and then go back to the cart. There's some wiggle room allowed for the amount for that token, if say you end up choosing faster shipping or something. But th

        • Yes... no one's EVER reported fraud after using PayPal.

          It has to be safer than just giving every ecommerce site on the internet your "secret" numbers, and just hoping they don't use them for anything but what you wish they will.

          I've implemented (low level) PayPal integrations. About the only fraud I can picture is abusing the range that they allow when you go to PayPal to sign in and approve the purchase, and then go back to the cart. There's some wiggle room allowed for the amount for that token, if say you end up choosing faster shipping or something. But they still can't keep using that token to go to Cancun or anything. Like they could with your CC number.

          I would prefer something like Privacy [privacy.com] where you can create a burner card. Too bad it's not available in Indonesia. We do have similar solution for debit card. I can top up money to the card whenever I'm planning to do transaction, and pull the money back to the main account when I no longer need them. I can also destroy the card and ask for a new one, which will arrive at my doorstep in 3 business day

      • by Aighearach ( 97333 ) on Monday January 15, 2018 @07:58PM (#55935255) Homepage

        Paypal's range of services include CC processing that would be as dangerous as this, so maybe that is what you're thinking of.

        I used to do web programming, including CC processing and paypal integration. That's why, if it is some small website without lots of public trust, I use paypal not CC. Because I understand the technical details.

        I don't trust paypal nearly as much as I trust my bank, or as much as I trust my CC company. However, I trust random websites even less. Paypal successfully shields me from even needing to worry about the website's security, as long as I'm paying on the paypal website. There is nothing for the website to steal from me, they don't receive any information that can be used to authorize payments!

        If all you can do is wave your hands and point out that the universe is imperfect, in response to a security situation, you might as well just leave your money in your wallet and set it on your front porch all night. Might be OK for long periods of time if you're on a quiet enough street. Might not, too. But after all, even things in a safe can be stolen, so same, right?

        • However, I trust random websites even less. Paypal successfully shields me

          This is a breach of the early promise of online commerce. The promise was that online use of credit cards would be even safer than normal use and that the website never handled your details and no one ever saw your number. The problem here is that we left the implementation of this up to the websites themselves, and surprise surprise it was messed up.

          I actually like the system for online payments with debit cards in The Netherlands, iDEAL. It is much the same as Paypal in that payment processing is handed o

        • Hear, hear. Some time ago paypal told me I had done 100 transactions and needed to confirm my bank details instead of using my credit card. I replied, but I don't remember how, that there was no way they were going to have my bank details and I would rather open a new paypal account. In the uk credit card payments are protected but I registered a dedicated credit card with a deliberately low limit with paypal.
    • by Hal_Porter ( 817932 ) on Monday January 15, 2018 @06:54PM (#55934953)

      Best thing to do is meet vendor in basement carpark with bag of small denomination used notes. Rent Makarov pistol, bullet proof moustache, greatcoat and ushanka from Savage Dmitri for duration of meeting in case of misunderstandings.

    • That is exactly why we shouldn't use credit numbers at all and no one should know it. You should just insert into a reader, or use NFC on your credit card sign the transaction once with your public key. The bank knows your public key but not your private key, so not even staff at the bank with admin access can a transaction.

  • If the problem didn’t arise due to the end-user (e.g. password reuse from some other compromised sites), a OnePlus server compromise seems more likely than data being intercepted in transit. Although I guess you could call that “intercepted data” too, in a manner of speaking.

  • by swell ( 195815 ) <jabberwock AT poetic DOT com> on Monday January 15, 2018 @06:56PM (#55934965)

    "OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website"
          or
    "OnePlus customers report credit card fraud after buying from the company's website"

    Which is easier to read? Which is pretentious? Why does Slashdot need to be pretentious? Year after year they assault us with these stupid 1920 style headlines that are hard to decode.

    • You, I agree on this.

    • by HiThere ( 15173 )

      If they hadn't capitalized "Company" I'd be wondering which company's website they bought the phone from. I'll grant you, though, it isn't exactly explicit.

    • Both are equally easy to read. What is supposed to be difficult about reading the former?

    • Which is pretentious? Why does Slashdot need to be pretentious?

      Why is it pretentious for a News site to follow a style guide specifically for News headlines? If you want to avoid style guides then jump on Buzzfeed, but what will happen next will amaze you! That is of course once you find the point of the article buried some 6 paragraphs in.

      If I had to choose between pretentious and the cesspit of garbage that is millennial "news" written without style guides, then pass me the pipe young man.

  • Cash (Score:2, Interesting)

    Do you all see why it is I started using cash for everything I possibly can? Because 'data breaches' like this keep happening, and there's no end in sight.
    For all in-person purchases possible I use cash.
    The next step in my overall strategy will be to find a prepaid debit card (i.e. not linked to any of my accounts) that I can recharge when I need to make online purchases. Put just enough money in it to do what I need to do. If it gets compromised, cut it up and get another one.

    Pre-emptive strike on (th
    • Last time I checked pretty much 0 websites accept cash as payment. And even if they did mailing cash is one of the dumbest things you can do. Enjoy that payment never making it to the other end.

      • Try reading what I wrote again, EVERY WORD this time, okay?
    • using cash for everything I possibly can? {...} For all in-person purchases possible I use cash.

      Great idea, except that's going to be hard in a world where nearly all transactions with significant amounts are done online.

      At least where I live, most of the time in-person cash purchases are only used for transactions like buying coffee from the corner shop.
      Want to pay rent? E-banking money transfer.
      Want to buy some big piece of equipment? Credit card, PayPal or money transfer. VERY few of the online shops send an actual bill that you can pay at the post-office counter.
      etc.

      The next step in my overall strategy will be to find a prepaid debit card (i.e. not linked to any of my accounts) that I can recharge when I need to make online purchases. Put just enough money in it to do what I need to do.

      ...which is the way most decent credi

  • Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site

    This doesn't make sense. When you enter your CC details into the form they haven't left your browser, unless there is some Javascript grabbing those details. If that is the case then the site has been compromised.
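
Added example, not part of the thread or of OnePlus's code: the comment above notes that card details typed into a form can only leave the browser before submit if script on the page reads them, so a defender's first check is an inventory of every script the checkout page loads. The page URL, the allowlisted origins and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed allowlist (hypothetical names): origins the payment page should load code from.
ALLOWED = {"https://shop.example", "https://pay.processor.example"}
# Constructed sample checkout page, not taken from any real site.
SAMPLE = """<form id="pay"><input name="card_number"></form>
<script src="/static/checkout.js"></script>
<script src="https://pay.processor.example/v1/fields.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://pay.processor.example/v1/extra.js"></script>
<script src="//cdn.unknown.example/widget.js"></script>
<script>window.analytics = window.analytics || [];</script>"""

def origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"

class ScriptAudit(HTMLParser):
    """Record every script that can run next to the card form and needs review."""
    def __init__(self, page_url, allowed):
        super().__init__()
        self.page_url, self.allowed = page_url, allowed
        self.findings, self._inline = [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if not a.get("src"):
            self._inline = True  # the body arrives in handle_data
            return
        url = urljoin(self.page_url, a["src"])  # resolves relative and // URLs
        if origin(url) not in self.allowed:
            self.findings.append(("unexpected-origin", url))
        elif origin(url) != origin(self.page_url) and not a.get("integrity"):
            # Allowed third party, but no Subresource Integrity pin on the file
            self.findings.append(("third-party-no-sri", url))

    def handle_data(self, data):
        if self._inline and data.strip():
            self.findings.append(("inline-script", data.strip()[:60]))
            self._inline = False

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

def audit(html, page_url, allowed=ALLOWED):
    parser = ScriptAudit(page_url, allowed)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(SAMPLE, "https://shop.example/checkout")` returns three findings for the sample page; the same-origin script and the integrity-pinned processor script pass.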

  • But their intentions seem better than most companies. Can you imagine Samsung, LG, or Apple admitting possible fault and noting that they're investigating it? Not a chance, unless the issue was all over the news. The whole generation of LG G4 phones had a motherboard flaw which caused most of them to fry after six months, and LG didn't even affordable repair. You were totally out of luck, unless you bought it with a warranty. (Depending on the country, phones are sometimes sold without a warranty.) Manufact

  • What I would like is that either 2tier security, where they send me an SMS with a code to confirm, is either the person's choice or obligatory for every purchase.
    At this moment it is not. It is up to the merchant. That together with a PIN would make it very hard to use the card, even if you have the number.
    I already have 'save CC details' off where I can.

  • In a poll of people that recently suffered credit card fraud, 100% of them had within the previous month been breathing air.

    In a poll of Slashdot users, 100% of those that suffered credit card fraud had recently been using Slashdot.

    Sorry but 'closed community finds out that the thing they share in common with people in that community is the community' is hardly fucking devastating evidence of something.

  • They take user privacy in such a regard that CAs blacklisted for issuing certs on behalf of Google are trusted in their ROMs.
