OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment. Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."

âoe

â

Re: âoe

I wouldn't know. Last I checked, OnePlus still don't ship to Australia. As if we're a shithole country or something! Fortunately we now have Amazon.

Re: âoe

Did it come prepackaged with fat americans?

Re:Not surprised

To be fair, if you bought Apple you have already been scammed. No point in scamming someone twice.

This is where Paypal works

This is exactly why, despite their other practices, I use paypal to buy things.
Sure, the company is shady in their own right, however I still trust PP more than most online retailers. So I pay with PP (or Amazon if that's a choice).

Re:This is where Paypal works

[Kenja]

Yes... no one's EVER reported fraud after using PayPal.

Re:This is where Paypal works

[Hal_Porter]

Best thing to do is meet vendor in basement carpark with bag of small denomination used notes. Rent Makarov pistol, bullet proof moustache, greatcoat and ushanka from Savage Dmitri for duration of meeting in case of misunderstandings.

Re:This is where Paypal works

True, it's the way payments should work. The retailer shouldn't have the ability to charge any random amount they wish, nor should a hack allow someone else to charge any random amount with no approval. It would almost make more sense to carve a rock and send it in the mail as a form of payment.

I log into my payment provider -> send payment to retailer -> they approve or deny

No recurring billing, no shady shit.

Re:This is where Paypal works

[ewibble]

That is exactly why we shouldn't use credit numbers at all and no one should no it. you should just insert into a reader, or use NFC on your credit card sign the transaction once with your public key. The bank knows your public key but not your private key, so not even staff at the bank with admin access can a transaction.

Re:This is where Paypal works

[cascadingstylesheet]

Yes... no one's EVER reported fraud after using PayPal.

It has to be safer than just giving every ecommerce site on the internet your "secret" numbers, and just hoping they don't use them for anything but what you wish they will.

I've implemented (low level) PayPal integrations. About the only fraud I can picture is abusing the range that they allow when you go to PayPal to sign in and approve the purchase, and then go back to the cart. There's some wiggle room allowed for the amount for that token, if say you end up choosing faster shipping or something. But they still can't keep using that token to go to Cancun or anything. Like they could with your CC number.

Re: This is where Paypal works

Who cares? Tell your credit card company about the fraudulent purchase. Theyâ(TM)ll refund it and get you a replacement card in a couple days at the most, assuming your information is stolen. I accidentally bought an airline ticket for the wrong day once. Entirely my fault. American Airlines refused to refund my ticket (despite the fact that it was within the 24 hr grace period - I was unaware of the rule at the time, though).

Called my credit card company up the next day and told them what happened. Ticket was refunded.

Re:This is where Paypal works

[Aighearach]

Paypal's range of services include CC processing that would be as dangerous as this, so maybe that is what you're thinking of.

I used to do web programming, including CC processing and paypal integration. That's why, if it is some small website without lots of public trust, I use paypal not CC. Because I understand the technical details.

I don't trust paypal nearly as much as I trust my bank, or as much as I trust my CC company. However, I trust random websites even less. Paypal successfully shields me from even needing to worry about the website's security, as long as I'm paying on the paypal website. There is nothing for the website to steal from me, they don't receive any information that can be used to authorize payments!

If all you can do is wave your hands and point out that the universe is imperfect, in response to a security situation, you might as well just leave your money in your wallet and set it on your front porch all night. Might be OK for long periods of time if you're on a quiet enough street. Might not, too. But after all, even things in a safe can be stolen, so same, right?

Re: This is where Paypal works

[scdeimos]

They'll refund it and get you a replacement card in a couple days at the most, assuming your information is stolen.

That's a complete lie. Yes, they might send you a replacement card in a week, but they take a full nine weeks to "investigate" the report of credit card fraud and refund the purchase amount if they agree. Speaking from experience here, thanks Visa.

Re: This is where Paypal works

[Thomas+Charron]

That is COMPLETELY dependent on your card issuer. I've had several instances were my card needed to be reissued, including because of the Home Depot fiasco. A reputable company will credit your account as the investigation is taking place.

Re:This is where Paypal works

[PixetaledPikachu]

Yes... no one's EVER reported fraud after using PayPal.

It has to be safer than just giving every ecommerce site on the internet your "secret" numbers, and just hoping they don't use them for anything but what you wish they will.

I've implemented (low level) PayPal integrations. About the only fraud I can picture is abusing the range that they allow when you go to PayPal to sign in and approve the purchase, and then go back to the cart. There's some wiggle room allowed for the amount for that token, if say you end up choosing faster shipping or something. But they still can't keep using that token to go to Cancun or anything. Like they could with your CC number.

I would prefer something like Privacy where you can create a burner card. Too bad it's not available in Indonesia. We do have similar solution for debit card. I can top up money to the card whenever I'm planning to do transaction, and pull the money back to the main account when I no longer need them. I can also destroy the card and ask for a new one, which will arrive at my doorstep in 3 business day

Re: This is where Paypal works

It's not Visa that credits your card; it's your bank. My bank issues the credit within a few hours (I got hit with $4k in charges for online clothes from stores that do not use verified by Visa or Securecode; in less than an hour I got my credit). PayPal also does not use Securecode which makes them susceptible to fraud.

Re: This is where Paypal works

So what? It's a credit card, so it's not taking money from your bank account and it shouldn't affect anyone unless you charge up so much that you are always on the brink of hitting your credit limit, in which case you should learn how to control your spending.

One of the major reasons to even get a credit card is because it protects your funds in the event of fraudulent charges.

Re:This is where Paypal works

[thegarbz]

However, I trust random websites even less. Paypal successfully shields me

This is a breach of the early promise of online commerce. The promise was that online use of credit cards would be even safer than normal use and that the website never handled your details and no one ever saw your number. The problem here is that we left the implementation of this up to the websites themselves, and surprise surprise it was messed up.

I actually like the system for online payments with debit cards in The Netherlands, iDEAL. It is much the same as Paypal in that payment processing is handed off directly to your bank. The site send the order information to the bank, and the only thing it gets back is a confirmation that it has been processed, much like Paypal only without Paypal which has enough of a shady history that I too only use it when dealing with shady site.

As much as people heap shit on Paypal I actually think it is the way payment processing for online commerce should have been handled from the very beginning.

Re:This is where Paypal works

[HaydonBerrow]

Hear, hear. Some time ago paypal told me I had done 100 transactions and needed to confirm my bank details instead of using my credit card. I replied, but I don't remember how, that there was no way they were going to have my bank details and I would rather open a new paypal account. In the uk credit card payments are protected but I registered a dedicated credit card with a deliberately low limit with paypal.

Re: This is where Paypal works

[parkinglot777]

Who cares? Tell your credit card company about the fraudulent purchase. Theyâ(TM)ll refund it and get you a replacement card in a couple days at the most, assuming your information is stolen. I accidentally bought an airline ticket for the wrong day once. Entirely my fault. American Airlines refused to refund my ticket (despite the fact that it was within the 24 hr grace period - I was unaware of the rule at the time, though).

Called my credit card company up the next day and told them what happened. Ticket was refunded.

You demonstrated a scenario where you abuse the privilege of credit card holder! It was your fault when you entered the wrong date, and you admitted it. There is no excuse for not knowing the rules. Regardless the time after buying the ticket, if they help you change the date, it would be nice of them (and good service). However, they have no obligation to do so and you can't be angry at them because it is still your fault. But what you did? Yes, you charged back the vender (in this case it is American Airline). Have you ever put yourself in the same shoes as a seller where someone bought your products but then attempted to cancel the purchase by charging back? I think not.

Back to the topic, PP can sometimes be a pain on the neck but would be under different scenarios. The fraud could still happen if the person knows your login (different way of verification).

Re:This is where Paypal works

[Aighearach]

No, you're just a young kid so why are you trying to tell us about the past? Some of us were there.

The promise was, "don't worry, it is safe to use credit cards online because you have fraud protection! It is as safe as mail order, don't be afraid!"

People don't heap shit on paypal because of way their technology is designed, the tech is good. People hate them because they're evil assholes and they freeze people's accounts and then steal their money. The part where they protect your transaction from the outside they're good at. So if you're only making payments, they're good at that. It is if you're using them to receive payments that they are awful.

Re:This is where Paypal works

[thegarbz]

No, you're just a young kid so why are you trying to tell us about the past? Some of us were there.

Err no I'm not, and I was there. Hell I even remember back when our credit cards were as arse backwards as the USA ones where stores took imprints rather than having you use a terminal.

The promise was, "don't worry, it is safe to use credit cards online because you have fraud protection! It is as safe as mail order, don't be afraid!"

Funny never got that message where I live. But then in my country we always had fraud protection. The specific instructions we got was that online was safer and less likely to be exposed to fraud.

People don't heap shit on paypal because of way their technology is designed

I never said they did, actually I said the opposite.

Re:This is where Paypal works

[nasch]

That is exactly why we shouldn't use credit numbers at all and no one should no it. you should just insert into a reader, or use NFC

That is tricky to do for online purchases.

Intercepted data?

[93+Escort+Wagon]

if the problem didn’t arise due to the end-user (e.g. password reuse from some other compromised sites), a OnePlus server compromise seems more likely than data being intercepted in transit. Although I guess you could call that “intercepted data” too, in a manner of speaking.

Re:Intercepted data?

I don't see how it would have been caused by password reuse. They say themselves that they don't store credit card numbers, their payment processor does and even then they can't retrieve the details.

pretentious?

[swell]

"OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website"
      or
"OnePlus customers report credit card fraud after buying from the company's website"

Which is easier to read? Which is pretentious? Why does Slashdot need to be pretentious? Year after year they assault us with these stupid 1920 style headlines that are hard to decode.

Re:pretentious?

[wonkey_monkey]

You, I agree on this.

Re:pretentious?

Which is easier to read? Which is pretentious?

It's detestable! They should've never capitalized the F in "from".

Re:pretentious?

[HiThere]

If they hadn't capitalized "Company" I'd be wondering which company's website they bought the phone from. I'll grant you, though, it isn't exactly explicit.

Re:pretentious?

[Lunix+Nutcase]

Both are equally easy to read. What is supoosed to be difficult about reading the former?

Re: pretentious?

Unfortunately it seems to be convention for US-based news reporting. I find myself mentally emphasising every word.

Re:pretentious?

Which is easier to read?

They are about the same. The first one has a mistake in the F. The second is missing punctuation.

Which is pretentious?

The second.

Why does Slashdot need to be pretentious?

I give up. I don't believe it has such a need, but if you feel that Slashdot should be pretentious then feel free to explain.

Year after year they assault us with these stupid 1920 style headlines that are hard to decode.

What are you talking about?

Re:pretentious?

[thegarbz]

Which is pretentious? Why does Slashdot need to be pretentious?

Why is it pretentious for a News site to follow a style guide specifically for News headlines? If you want to avoid style guides then jump on Buzzfeed, but what will happen next will amaze you! That is of course once you find the point of the article buried some 6 paragraphs in.

If I had to chose between pretentious and the cesspit of garbage that is millennial "news" written without style guides, then pass me the pipe young man.

Re:pretentious?

[nasch]

Did you really find it difficult to understand the headline, or were you exaggerating for effect? Just curious.

To the Dearly Departed

Everyone else is doing it so why can't we?

Javascript

If people used sane web browsers (those that don't support arbitrary remote code execution and show the URL to which a form will be submitted), then this wouldn't have happened.

Re:Javascript

Yeah .... because the majority of the CC interceptions happened this way.

You definitely won the award for basic security ignorance.

Had to replace my credit card twice

The first time they sent the new card number to most businesses who had the old number. Unsurprisingly there were more fraudulent charges on the new card within two weeks.

I did buy a OnePlus phone last year, though not within the last two months.

Cash

[Rick+Schumann]

Do you all see why it is I started using cash for everything I possibly can? Because 'data breaches' like this keep happening, and there's no end in sight.
For all in-person purchases possible I use cash.
The next step in my overall strategy will be to find a prepaid debit card (i.e. not linked to any of my accounts) that I can recharge when I need to make online purchases. Put just enough money in it to do what I need to do. If it gets compromised, cut it up and get another one.

Pre-emptive strike on (the usual) comments:
* Don't care if you think 'carrying cash is dangerous'. Never been robbed, don't go anywhere I'd get robbed, don't give a damn what you say about it.
* Don't care what you say about 'the world going cashless' and neither do I beleive it'll happen anyway; don't bother even saying it won't discuss it.
* Don't give a damn about your personal insults (calling me a 'luddite', which is totally inaccurate, calling me an 'old man', or whatever). You're wasting your time won't even read your silly insults just save yourself the time.
* Don't care if you think I'm paranoid. Doesn't affect you, why should you even care, mind your own business. See above: 'Insults'.
* Do you just argue to argue? Nothing better to do? Get another hobby, not interested in being your entertainment.
* Not telling any of you to carry cash, calm the hell down, do whatever you want -- but be aware of YOUR risk factor.
* Trollololol? Go away, you've been spotted.

Re:Cash

[Lunix+Nutcase]

Last time I checked pretty much 0 websites accept cash as payment. And even if they did mailing cash is one of the dumbest things you can do. Enjoy that payment never making it to the other end.

Re:Cash

[Rick+Schumann]

Try reading what I wrote again, EVERY WORD this time, okay?

Re: Cash

Prepaid cards are nice. I used them a lot when playing on private servers. Those game servers are already illegal so don't think they won't steal your card.

But, some banks will let you generate a one time use card number. That should solve this issue, and skip the reload fee.

Re: Cash

[Rick+Schumann]

Useful advice, sans snarkiness and insults, on my Slashdot? Remarkable. I'll see if my CU does things like that. That *would* solve that part of the problem -- so long as that particular system is also secure from 'data breaches'. If they were able to get into a database that allowed them to see past the obfuscation then it wouldn't be much better than just using a normal CC. But it's worth investigating.

Re:Cash

[nasch]

Questions out of curiosity not an attack. Do you write a lot of checks for stuff like utilities? Or do you do direct withdrawal? I could deal with cash + prepaid credit card (though I don't feel the need), but man writing checks sucks. Have you looked into paying by smartphone? I only know about Android but I think iOS works the same way. Only Google knows your credit card information, the merchant never sees it. If I understand right it isn't even stored on the phone. I haven't heard about any breaches of those systems, but then I haven't looked.

Huh?

[a.koepke]

Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site

This doesn't make sense. When you enter your CC details into the form they haven't left your browser, unless there is some Javascript grabbing those details. If that is the case then the site has been compromised.

Thanks - I'm a Victim

Thanks for posting this, I purchased a OnePlus on 12/19, and sure enough 1/11 and 1/12 have fraudulent charges.

Probably not coincidentally, I've had a fraudulent order placed at Walmart.com on 1/10 and had someone attempt to hijack my Spotify account on 1/11, all of which use the same email/password combination as the OnePlus site. I had a feeling that some site must have been compromised and stored there details in plain text...

It's a young company and they make mistakes

[piojo]

But their intentions seem better than most companies. Can you imagine Samsung, LG, or Apple admitting possible fault and noting that they're investigating it? Not a chance, unless the issue was all over the news. The whole generation of LG G4 phones had a motherboard flaw which caused most of them to fry after six months, and LG didn't even affordable repair. You were totally out of luck, unless you bought it with a warranty. (Depending on the country, phones are sometimes sold without a warranty.) Manufacturer defects do not normally require a warranty--this is like when you buy a TV, take it home, and find it doesn't work the next day. But did LG do the right thing? No.

Another good example of fixing its mistake: when their Android O release was ready, the OTA installer accidentally made data hard to access/recover for users with an unlocked bootloader. In the next OTA update, they put a warning message in that explained what users with unlocked bootloaders should do to prevent problems. Another manufacturer would simply have decided those users don't matter because we're in the minority.

Re:It's a young company and they make mistakes

[nasch]

Didn't they also distribute phones with spyware preinstalled though?

Re:It's a young company and they make mistakes

[piojo]

Not that I recall. I think what it was was overzealous logging, or something like data that wasn't sanitized well enough. If you're remembering real malware, you're probably thinking of Lenovo computers.

Re:It's a young company and they make mistakes

[nasch]

I guess it's semantics, but this is what I'm referring to: http://www.androidpolice.com/2...

Sounds like spyware to me.

Re:It's a young company and they make mistakes

[piojo]

It is semantics, but the difference is huge. Spyware doesn't consider privacy--it will collect everything it can, then use it in whatever way is profitable. Debugging diagnostics collect only what's most relevant for fixing errors, and the information isn't distributed. Spyware will also try to "break the rules", like gaining access to data it should not have access to (screenshots and keyloggers, for instance).

I expect some of the computer software I'm running to have analytics. But if I ever discover actual spyware, I'll have to trash the computer or relegate it to a media box. I won't fuck around with compromised software/hardware.

Re:Not surprised

But they have already scammed people 12 times.

Re: Not surprised

Maybe not, but I've definitely not hired people who prefer to develop on Macs. They are universally incompetent, often smug, and always condescending.

HTTPS and security

HTTPS is Not secure. To make it secure you need certificate pinning or you are suspectible to mitm.

Re:HTTPS and security

I've never heard of a single case where HTTPS would have protected someone.
Every time passwords or credit card information have been stolen it has been one of the endpoints that were insecure, never the ISP or other MitM snooping up information.

Sure, we can spend some more resources trying to get everyone to use certificates properly and it might protect someone who typed the url wrong.
But no-one really types the full url anymore, they either google it or use the url that is auto-corrected to the one they visited last time.

If you are going to spend resources making something more secure it is better to focus on the endpoints, that is where we see the problems.

Certificates are nice but they won't prevent any of common attacks.

2 tier security

[houghi]

What I would like is that either 2tier security, where they send me an SMS with a code to congirm, is either the persons choice or obligatory for every purchase.
At this moment it is not. It is up to the merchant. That together with a PIN would make it very hard to use the card, even if you have the number.
I already have 'save CC details' off where I can.

Re:2 tier security

[nasch]

What I would like is that either 2tier security, where they send me an SMS with a code to congirm

2FA is good, but not via SMS; that isn't secure.

https://www.theverge.com/2017/...

flakey as hell

[Cederic]

In a poll of people that recently suffered credit card fraud, 100% of them had within the previous month been breathing air.

In a poll of Slashdot users, 100% of those that suffered credit card fraud had recently been using Slashdot.

Sorry but 'closed community finds out that the thing they share in common with people in that community is the community' is hardly fucking devastating evidence of something.

Re:flakey as hell

[nasch]

Why would OnePlus confirm there is a problem if it was just random coincidence?

Transaction protection

[DrYak]

using cash for everything I possibly can? {...} For all in-person purchases possible I use cash.

Great idea, except that's going to be hard in a world where nearly all transaction with significant amount are done online.

At least where I live, most of the time in-person cash purchase are only used for transaction like buying coffee from the corner shop.
Want to pay rent ? e-banking money transfer.
Want to buy some big piece of equipment ? Credit-card, paypal or money-transfer. VERY few of the online shop send actual bill that you can pay at the post-office counter.
etc.

The next step in my overall strategy will be to find a prepaid debit card (i.e. not linked to any of my accounts) that I can recharge when I need to make online purchases. Put just enough money in it to do what I need to do.

...which is the way most decent credit cards work here around. (Europe).
They either prepaid (but the issuing bank usually takes a nice cut on each recharge).
Or just entirely different banking accounts (it doesn't tap into your normal salary account, if it maxes out, it's just *that* separate account getting maxed out).

Also speaking about decent credit cards : what you even more definitely need is some form of 2-factors authentication / out-of-band transation confirmation.
e.g.: One of my cards provider has an app that I install on my smartphone. Whenever I do any significant transaction (either single big amount, or several small transaction), I need to confirm it with the app.
If the credit cards gets compromised: well, good luck doing anything with it (I'll certainly NOT authorise your transaction, though you might manage to get away with the 2 first coffees you pay contact less).

One plus spam on /.

I guess the recent /. spam posts linking to the oneplus website were bait for this...

CA

[nmo.marques]

They take user privacy in such a regard that CA's blacklisted for issuing certs on behalf of google are trusted in their ROMs.