OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com)
If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.
According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment. Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
This is where Paypal works (Score:3, Interesting)
This is exactly why, despite their other practices, I use paypal to buy things.
Sure, the company is shady in their own right, however I still trust PP more than most online retailers. So I pay with PP (or Amazon if that's a choice).
Re: (Score:2)
Re: (Score:2)
They'll refund it and get you a replacement card in a couple days at the most, assuming your information is stolen.
That's a complete lie. Yes, they might send you a replacement card in a week, but they take a full nine weeks to "investigate" the report of credit card fraud and refund the purchase amount if they agree. Speaking from experience here, thanks Visa.
Re: (Score:2)
That is COMPLETELY dependent on your card issuer. I've had several instances where my card needed to be reissued, including because of the Home Depot fiasco. A reputable company will credit your account as the investigation is taking place.
Re: (Score:2)
Who cares? Tell your credit card company about the fraudulent purchase. They'll refund it and get you a replacement card in a couple days at the most, assuming your information is stolen. I accidentally bought an airline ticket for the wrong day once. Entirely my fault. American Airlines refused to refund my ticket (despite the fact that it was within the 24 hr grace period - I was unaware of the rule at the time, though).
Called my credit card company up the next day and told them what happened. Ticket was refunded.
You demonstrated a scenario where you abuse the privilege of credit card holder! It was your fault when you entered the wrong date, and you admitted it. There is no excuse for not knowing the rules. Regardless of the time after buying the ticket, if they help you change the date, it would be nice of them (and good service). However, they have no obligation to do so and you can't be angry at them because it is still your fault. But what you did? Yes, you charged back the vendor (in this case it is American Airl
Re: (Score:2)
Yes... no one's EVER reported fraud after using PayPal.
It has to be safer than just giving every ecommerce site on the internet your "secret" numbers, and just hoping they don't use them for anything but what you wish they will.
I've implemented (low level) PayPal integrations. About the only fraud I can picture is abusing the range that they allow when you go to PayPal to sign in and approve the purchase, and then go back to the cart. There's some wiggle room allowed for the amount for that token, if say you end up choosing faster shipping or something. But they still can't keep using that token to go to Cancun or anything. Like they could with your CC number.
I would prefer something like Privacy [privacy.com] where you can create a burner card. Too bad it's not available in Indonesia. We do have a similar solution for debit cards. I can top up money to the card whenever I'm planning to do a transaction, and pull the money back to the main account when I no longer need it. I can also destroy the card and ask for a new one, which will arrive at my doorstep in 3 business day
Re:This is where Paypal works (Score:5, Insightful)
Paypal's range of services include CC processing that would be as dangerous as this, so maybe that is what you're thinking of.
I used to do web programming, including CC processing and paypal integration. That's why, if it is some small website without lots of public trust, I use paypal not CC. Because I understand the technical details.
I don't trust paypal nearly as much as I trust my bank, or as much as I trust my CC company. However, I trust random websites even less. Paypal successfully shields me from even needing to worry about the website's security, as long as I'm paying on the paypal website. There is nothing for the website to steal from me, they don't receive any information that can be used to authorize payments!
If all you can do is wave your hands and point out that the universe is imperfect, in response to a security situation, you might as well just leave your money in your wallet and set it on your front porch all night. Might be OK for long periods of time if you're on a quiet enough street. Might not, too. But after all, even things in a safe can be stolen, so same, right?
Re: (Score:2)
However, I trust random websites even less. Paypal successfully shields me
This is a breach of the early promise of online commerce. The promise was that online use of credit cards would be even safer than normal use and that the website never handled your details and no one ever saw your number. The problem here is that we left the implementation of this up to the websites themselves, and surprise surprise it was messed up.
I actually like the system for online payments with debit cards in The Netherlands, iDEAL. It is much the same as Paypal in that payment processing is handed o
Re: (Score:2)
No, you're just a young kid so why are you trying to tell us about the past? Some of us were there.
The promise was, "don't worry, it is safe to use credit cards online because you have fraud protection! It is as safe as mail order, don't be afraid!"
People don't heap shit on paypal because of the way their technology is designed, the tech is good. People hate them because they're evil assholes and they freeze people's accounts and then steal their money. The part where they protect your transaction from the outs
Re: (Score:2)
No, you're just a young kid so why are you trying to tell us about the past? Some of us were there.
Err no I'm not, and I was there. Hell I even remember back when our credit cards were as arse backwards as the USA ones where stores took imprints rather than having you use a terminal.
The promise was, "don't worry, it is safe to use credit cards online because you have fraud protection! It is as safe as mail order, don't be afraid!"
Funny never got that message where I live. But then in my country we always had fraud protection. The specific instructions we got was that online was safer and less likely to be exposed to fraud.
People don't heap shit on paypal because of the way their technology is designed
I never said they did, actually I said the opposite.
Re: (Score:1)
Re:This is where Paypal works (Score:4, Funny)
Best thing to do is meet vendor in basement carpark with bag of small denomination used notes. Rent Makarov pistol, bullet proof moustache, greatcoat and ushanka from Savage Dmitri for duration of meeting in case of misunderstandings.
Re: (Score:2)
That is exactly why we shouldn't use credit numbers at all and no one should know it. You should just insert into a reader, or use NFC on your credit card sign the transaction once with your public key. The bank knows your public key but not your private key, so not even staff at the bank with admin access can a transaction.
Re: (Score:2)
That is exactly why we shouldn't use credit numbers at all and no one should know it. You should just insert into a reader, or use NFC
That is tricky to do for online purchases.
Intercepted data? (Score:2)
If the problem didn’t arise due to the end-user (e.g. password reuse from some other compromised sites), a OnePlus server compromise seems more likely than data being intercepted in transit. Although I guess you could call that “intercepted data” too, in a manner of speaking.
pretentious? (Score:3)
"OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website"
or
"OnePlus customers report credit card fraud after buying from the company's website"
Which is easier to read? Which is pretentious? Why does Slashdot need to be pretentious? Year after year they assault us with these stupid 1920 style headlines that are hard to decode.
Re: (Score:2)
You, I agree on this.
Re: (Score:2)
If they hadn't capitalized "Company" I'd be wondering which company's website they bought the phone from. I'll grant you, though, it isn't exactly explicit.
Re: (Score:2)
Both are equally easy to read. What is supposed to be difficult about reading the former?
Re: (Score:2)
Which is pretentious? Why does Slashdot need to be pretentious?
Why is it pretentious for a News site to follow a style guide specifically for News headlines? If you want to avoid style guides then jump on Buzzfeed, but what will happen next will amaze you! That is of course once you find the point of the article buried some 6 paragraphs in.
If I had to choose between pretentious and the cesspit of garbage that is millennial "news" written without style guides, then pass me the pipe young man.
Re: (Score:2)
Did you really find it difficult to understand the headline, or were you exaggerating for effect? Just curious.
Cash (Score:2, Interesting)
For all in-person purchases possible I use cash.
The next step in my overall strategy will be to find a prepaid debit card (i.e. not linked to any of my accounts) that I can recharge when I need to make online purchases. Put just enough money in it to do what I need to do. If it gets compromised, cut it up and get another one.
Pre-emptive strike on (th
Re: (Score:2)
Last time I checked pretty much 0 websites accept cash as payment. And even if they did mailing cash is one of the dumbest things you can do. Enjoy that payment never making it to the other end.
Re: (Score:2)
Re: (Score:2)
Transaction protection (Score:2)
using cash for everything I possibly can? {...} For all in-person purchases possible I use cash.
Great idea, except that's going to be hard in a world where nearly all transactions of significant amounts are done online.
At least where I live, most of the time in-person cash purchases are only used for transactions like buying coffee from the corner shop.
Want to pay rent? E-banking money transfer.
Want to buy some big piece of equipment? Credit card, PayPal or money transfer. VERY few of the online shops send an actual bill that you can pay at the post-office counter.
etc.
The next step in my overall strategy will be to find a prepaid debit card (i.e. not linked to any of my accounts) that I can recharge when I need to make online purchases. Put just enough money in it to do what I need to do.
...which is the way most decent credi
Re: (Score:2)
Questions out of curiosity not an attack. Do you write a lot of checks for stuff like utilities? Or do you do direct withdrawal? I could deal with cash + prepaid credit card (though I don't feel the need), but man writing checks sucks. Have you looked into paying by smartphone? I only know about Android but I think iOS works the same way. Only Google knows your credit card information, the merchant never sees it. If I understand right it isn't even stored on the phone. I haven't heard about any brea
Huh? (Score:2)
Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site
This doesn't make sense. When you enter your CC details into the form they haven't left your browser, unless there is some Javascript grabbing those details. If that is the case then the site has been compromised.
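The comment above turns on the fact that any script loaded into the checkout page can read the card fields before submission. The following is an added example, not part of the thread or of any OnePlus code: a Node.js audit that lists which scripts on a page fall outside an allowlist or lack Subresource Integrity, plus the matching Content-Security-Policy value. The sample page and all host names are constructed placeholders.

```javascript
// Constructed sample checkout page. shop.example, js.processor.example and
// cdn.widgets.example are placeholder hosts, not taken from the article.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.processor.example/v3/fields.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.widgets.example/chat.js"></script>
<script>document.forms[0].addEventListener("submit", validate);</script>
</head><body><form><input name="card_number"></form></body></html>`;

// Return one finding per script that can read the card fields and that the
// site owner cannot vouch for. Any script on the page shares the form's DOM.
function auditScripts(html, pageOrigin, allowedOrigins) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) {
      // Inline code cannot be pinned by origin or hash-checked via SRI.
      if (body.trim()) findings.push({ script: "(inline)", issue: "inline script" });
      continue;
    }
    const origin = new URL(src, pageOrigin).origin;
    // First-party files are out of scope here; cover them with file
    // integrity monitoring on the server.
    if (origin === pageOrigin) continue;
    if (!allowedOrigins.includes(origin)) {
      findings.push({ script: src, issue: "origin not on allowlist" });
    } else if (!/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(attrs)) {
      findings.push({ script: src, issue: "allowed origin but no SRI hash" });
    }
  }
  return findings;
}

// Content-Security-Policy value that makes the browser enforce the same
// allowlist, and limits where scripts can send data (connect-src) and where
// the form can post (form-action). Without 'unsafe-inline', inline scripts
// are refused as well.
function buildCsp(allowedOrigins) {
  const list = ["'self'", ...allowedOrigins].join(" ");
  return `script-src ${list}; connect-src ${list}; form-action ${list}`;
}

const findings = auditScripts(SAMPLE_CHECKOUT_HTML, "https://shop.example",
                              ["https://js.processor.example"]);
console.log(findings);
console.log(buildCsp(["https://js.processor.example"]));
```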
It's a young company and they make mistakes (Score:3)
But their intentions seem better than most companies. Can you imagine Samsung, LG, or Apple admitting possible fault and noting that they're investigating it? Not a chance, unless the issue was all over the news. The whole generation of LG G4 phones had a motherboard flaw which caused most of them to fry after six months, and LG didn't even affordable repair. You were totally out of luck, unless you bought it with a warranty. (Depending on the country, phones are sometimes sold without a warranty.) Manufacturer defects do not normally require a warranty--this is like when you buy a TV, take it home, and find it doesn't work the next day. But did LG do the right thing? No.
Another good example of fixing its mistake: when their Android O release was ready, the OTA installer accidentally made data hard to access/recover for users with an unlocked bootloader. In the next OTA update, they put a warning message in that explained what users with unlocked bootloaders should do to prevent problems. Another manufacturer would simply have decided those users don't matter because we're in the minority.
Re: (Score:2)
Didn't they also distribute phones with spyware preinstalled though?
Re: (Score:2)
Not that I recall. I think what it was was overzealous logging, or something like data that wasn't sanitized well enough. If you're remembering real malware, you're probably thinking of Lenovo computers.
Re: (Score:2)
I guess it's semantics, but this is what I'm referring to: http://www.androidpolice.com/2... [androidpolice.com]
Sounds like spyware to me.
Re: (Score:2)
It is semantics, but the difference is huge. Spyware doesn't consider privacy--it will collect everything it can, then use it in whatever way is profitable. Debugging diagnostics collect only what's most relevant for fixing errors, and the information isn't distributed. Spyware will also try to "break the rules", like gaining access to data it should not have access to (screenshots and keyloggers, for instance).
I expect some of the computer software I'm running to have analytics. But if I ever discover actu
Re: (Score:2)
Re: (Score:2)
What I would like is that either 2tier security, where they send me an SMS with a code to confirm
2FA is good, but not via SMS; that isn't secure.
https://www.theverge.com/2017/... [theverge.com]
flakey as hell (Score:2)
In a poll of people that recently suffered credit card fraud, 100% of them had within the previous month been breathing air.
In a poll of Slashdot users, 100% of those that suffered credit card fraud had recently been using Slashdot.
Sorry but 'closed community finds out that the thing they share in common with people in that community is the community' is hardly fucking devastating evidence of something.
Re: (Score:2)
Why would OnePlus confirm there is a problem if it was just random coincidence?
CA (Score:1)