OnePlus is investigating numerous reports of credit card fraud from its customers, the Chinese phone maker said Monday. Nearly a hundred people who used the company’s online store in the last four months said they had issues with fraudulent charges after their purchase, with 89 of them saying they provided the firm with their credit card numbers and CCVs within the last two months, according to a thread including a survey on the matter hosted on OnePlus’s official forums. The BBK Electronics-owned company didn’t confirm it was compromised but only said it’s conducting individual probes into every report, noting that no similar issues were reported by customers who paid for OnePlus-made devices or accessories using a third-party service such as PayPal.
Cybersecurity firm Fidus Information Security recently outlined a number of problems with OnePlus’s online store and the manner in which it was set up. First, despite claiming credit card processing isn’t conducted by its website, OnePlus is handling the payment information entry phase on-site and only sends it to a secure service provider after the customer submitted it, allowing for a brief period for the data to be intercepted by an attacker in its plain form, before the company’s third-party payment platform of choice is able to intercept it. Secondly, the phone maker’s website doesn’t mention PCI, an information security standard required by major credit card companies on a global level, Fidus wrote. OnePlus didn’t directly refute that claim, having only said its online payments partner is PCI-DSS-compliant but without reflecting on its own website which relays sensitive information even though it doesn’t store it. The cybersecurity firm also said the Chinese OEM is relying on the Magento e-commerce platform prone to being hacked but OnePlus today claimed it’s been in the process of transitioning away from that system since 2014 and never used it for handling credit card payments in the first place.
The Shenzhen-based manufacturer promised to keep its customers updated on the matter and advised them to contact their banks should they suspect fraudulent credit card activity. A company spokesperson also said OnePlus considers digital security to be among its “top priorities,” emphasizing the fact that no credit card info is ever stored on its website. The extent of the possible hack is still unclear and OnePlus didn’t clarify when its customers can expect more news on the matter. The timeframes of fraudulent charges cited by OnePlus customers who reported them suggests the majority of the victims purchased the company’s latest Android flagship – the OnePlus 5T.