OnePlus has temporarily disabled direct credit card payments on oneplus.net as it investigates a credit card fraud situation affecting many customers.
Over the weekend, many OnePlus customers reported unknown credit card transactions occurring on their credit cards after making a purchase on oneplus.net. On its community forums on Monday, OnePlus posted to let its customers know that it is investigating the issue “as a matter of urgency.”
According to OnePlus and many of its forum commenters, the issue affects certain customers who made credit card payments directly on oneplus.net, not through PayPal. Though initially OnePlus left up direct credit card payments, as of Tuesday January 16th, it is now only offering PayPal for payments and notes it is “exploring alternative secure payment options.”
OnePlus’ e-commerce site was initially built on the Magento eCommerce platform, giving rise to fears that it’s affected by the Magento bug. However, OnePlus says it’s been rebuilding since 2014 with custom code and credit card payments were never implemented in Magento’s payment module, so it’s likely not that bug that’s affecting customers.
It also notes: “Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code,” and adds that the “save this card for future transactions” feature only saves a few digits along with a token made up of a random string of symbols. Still, the manufacturer says it is conducting a complete audit, inspecting all elements to find the source of the issue.
Information security website Fidus has a theory about how the breach might have happened, however: the payment page that requests the customer’s card details is hosted on-site, meaning all payment details flow through the OnePlus website and can be intercepted by an attacker.
“Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus reports.
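One defensive check that follows from this observation, as an added example that is not from the article, OnePlus or Fidus: a Python audit that parses a checkout page and flags inline scripts, scripts loaded from hosts outside an allowlist, scripts without Subresource Integrity, and forms that post raw card fields to the merchant itself rather than to the payment provider. The sample HTML, the allowlisted host name and the SRI values are constructed placeholders, not OnePlus’s real markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page for this example; it is not OnePlus's real
# markup. It mixes a first-party script with SRI, an allowlisted payment SDK,
# an inline script, and an unknown third-party script.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form action="/checkout/submit" method="post">
  <input name="card_number"><input name="cvv">
</form>
<script src="/static/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://js.payments.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script>document.forms[0].addEventListener('submit', function () {});</script>
<script src="https://cdn.unknown-host.example/analytics.js"></script>
</body></html>
"""

# Assumed policy: the only external host allowed to serve scripts or receive
# form posts on the payment page (hypothetical hostname).
ALLOWED_HOSTS = {"js.payments.example"}

# Input names that indicate raw card data is collected on the merchant's page.
CARD_FIELD_NAMES = {"card_number", "cardnumber", "cc-number", "cvv", "cvc"}


class CheckoutPageParser(HTMLParser):
    """Collects <script> tags and <form> elements (with their input names)."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # each: {"src": str | None, "integrity": str | None}
        self.forms = []        # each: {"action": str, "inputs": [names]}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_checkout_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (finding, detail) tuples for a checkout page."""
    parser = CheckoutPageParser()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            # Inline scripts cannot carry SRI and are where injected code hides.
            findings.append(("inline-script", None))
            continue
        host = urlparse(s["src"]).netloc
        if host and host not in allowed_hosts:
            findings.append(("unexpected-script-host", s["src"]))
        if not s["integrity"]:
            findings.append(("missing-sri", s["src"]))
    for f in parser.forms:
        host = urlparse(f["action"]).netloc
        if host and host not in allowed_hosts:
            findings.append(("form-posts-to-unexpected-host", f["action"]))
        if not host and CARD_FIELD_NAMES & set(f["inputs"]):
            # Raw card fields posted to the merchant itself: the exposure
            # window the Fidus report describes.
            findings.append(("card-fields-posted-to-merchant", f["action"]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Running this against the sample page reports the inline script, the unknown analytics host, its missing SRI attribute, and the card form posting to the merchant. The last finding is the structural one: moving card entry into provider-hosted fields (an iframe served by the payment provider) removes the window in which merchant-side code can read the card number at all, and a Content Security Policy restricting `script-src` and `form-action` to the allowlisted hosts turns the other three findings into browser-enforced rules rather than audit results.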
OnePlus recommends any customers who feel they may have been affected — likely those who have made recent purchases through oneplus.net, according to the reports — check their card statement and contact their bank to resolve any suspicious charges.
The company says it’s working with the “third-party providers” involved in its online store, and will update with findings “as they surface.”
Update 16/01/18: OnePlus says it is now temporarily disabling credit card payments at oneplus.net, though PayPal is still available. It also notes it is exploring alternative secure payment options with its service providers. The story has been updated accordingly.
This story was also updated with a report from information security website Fidus.