Tuesday 16 January 2018

One Plus Website's Payment System Got Hacked and Customers' Credit Card Info Compromised


Did You Purchase a One Plus Mobile From Its Website? Then Your Credit Card Info Might Have Been Compromised!

The One Plus website currently runs on the Magento eCommerce platform, a common platform for eCommerce websites where credit card transactions take place. The issue was noticed after customers started using the company forum to report fraudulent charges appearing on their credit cards within a year of sharing their billing information with One Plus 5T. Approx. 600+ comments have been made on Reddit in just a day.

Cybersecurity firm Fidus discovered the vulnerability and explained:

“We stepped through the payment process on the OnePlus website to have a look what was going on. Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE,” the post reads. “This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker.”

“While the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,”

One Plus gave a statement in its forum: "We take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated."

One Plus clarifies that credit card info is never processed or saved on its website; it is sent directly to its PCI-DSS-compliant payment processing partner over an encrypted connection and processed on their secure servers.

How to Protect?

The safest option to prevent credit card fraud is to use an OFF-SITE payment processor, or a processor who offers iFrame integration with checkout pages. Third-party payment providers have created PCI compliant sandboxes for the very purpose of securely taking card payments; utilise it.

It is worth noting that whilst iFrame integration is a safer option than hosting the payment pages yourselves, it is vulnerable to JavaScript attacks. iFrame integration does, however, combat malicious code within Magento source code, such as Cc.php.

However, a OnePlus official stated: "This matter is under investigation and we are working with our third-party providers to update you on this matter as soon as we find anything."
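
To make the on-site versus iFrame distinction from the protection advice concrete, here is an added Python example (not code from Fidus, OnePlus or Magento) that audits a checkout page's HTML. It reports whether card fields sit in the merchant's own DOM, which off-site hosts serve payment iframes, and which scripts load from hosts outside an allowlist. The field-name pattern, host names and sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristic: input names that suggest raw card data is typed into this DOM.
CARD_FIELD = re.compile(r"(cc|card)[\W_]*(num|number|cid|cvv|cvc|exp)", re.I)

class CheckoutAudit(HTMLParser):
    """Collects card inputs, iframes and scripts from one checkout page."""
    def __init__(self, page_host, trusted_script_hosts):
        super().__init__()
        self.page_host = page_host
        self.trusted = set(trusted_script_hosts) | {page_host}
        self.onsite_card_fields, self.iframe_hosts = [], []
        self.untrusted_scripts, self.inline_scripts = [], 0
    def _host(self, url):
        # Relative URLs carry no host and resolve to the page's own origin.
        return urlparse(url).hostname or self.page_host
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            label = a.get("name") or a.get("id", "")
            if a.get("autocomplete", "").startswith("cc-") or CARD_FIELD.search(label):
                self.onsite_card_fields.append(label)
        elif tag == "iframe" and a.get("src"):
            self.iframe_hosts.append(self._host(a["src"]))
        elif tag == "script":
            if not a.get("src"):
                self.inline_scripts += 1  # inline code runs with full page access
            elif self._host(a["src"]) not in self.trusted:
                self.untrusted_scripts.append(a["src"])

def audit_checkout(html, page_host, trusted_script_hosts=()):
    p = CheckoutAudit(page_host, trusted_script_hosts)
    p.feed(html)
    p.close()
    return {
        "card_data_in_page_dom": bool(p.onsite_card_fields),
        "onsite_card_fields": p.onsite_card_fields,
        "offsite_payment_iframes": [h for h in p.iframe_hosts if h != page_host],
        "untrusted_scripts": p.untrusted_scripts,
        "inline_scripts": p.inline_scripts,
    }

# Constructed sample pages (not OnePlus markup): on-site form vs. processor iframe.
ONSITE = """<form action="/checkout"><input name="payment[cc_number]">
<input name="payment[cc_cid]" autocomplete="cc-csc"></form>
<script src="/js/checkout.js"></script><script src="https://cdn.example.net/w.js"></script>"""
IFRAME = """<iframe src="https://pay.processor.example/form"></iframe>
<script src="/js/checkout.js"></script>"""
```

A page that reports `card_data_in_page_dom` as true exposes card details to every script it loads. In the iframe case the script lists still deserve review, since the parent page's JavaScript remains in play.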

