Slashdot Mirror


OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com)

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."

2 of 63 comments

  1. This is where Paypal works by Anonymous Coward · Score: 3, Interesting

    This is exactly why, despite their other practices, I use paypal to buy things.
    Sure, the company is shady in their own right, however I still trust PP more than most online retailers. So I pay with PP (or Amazon if that's a choice).

  2. Cash by Rick+Schumann · Score: 1, Interesting

    Do you all see why it is I started using cash for everything I possibly can? Because 'data breaches' like this keep happening, and there's no end in sight.
    For all in-person purchases possible I use cash.
    The next step in my overall strategy will be to find a prepaid debit card (i.e. not linked to any of my accounts) that I can recharge when I need to make online purchases. Put just enough money in it to do what I need to do. If it gets compromised, cut it up and get another one.

    Pre-emptive strike on (the usual) comments:
    * Don't care if you think 'carrying cash is dangerous'. Never been robbed, don't go anywhere I'd get robbed, don't give a damn what you say about it.
    * Don't care what you say about 'the world going cashless' and neither do I believe it'll happen anyway; don't bother even saying it, won't discuss it.
    * Don't give a damn about your personal insults (calling me a 'luddite', which is totally inaccurate, calling me an 'old man', or whatever). You're wasting your time, won't even read your silly insults, just save yourself the time.
    * Don't care if you think I'm paranoid. Doesn't affect you, why should you even care, mind your own business. See above: 'Insults'.
    * Do you just argue to argue? Nothing better to do? Get another hobby, not interested in being your entertainment.
    * Not telling any of you to carry cash, calm the hell down, do whatever you want -- but be aware of YOUR risk factor.
    * Trollololol? Go away, you've been spotted.