Several OnePlus users on the forums page are now reporting their credit card misuse after their purchase on the OnePlus website recently. A user on OnePlus forums has posted that he recently used credit cards to purchase OnePlus smartphones, and now, he's informed from his bank about several transactions requested on his credit card which has worried him. Right after this person, several other people joined the post and reported the same misuse of credit card.
The first person also reported that he did not use both the credit cards in the last six months, expect the OnePlus website to purchase the smartphones. We have reached out to OnePlus about the same issue and is yet to receive any response from them. We will update this post once the company gives us an update on the issue.
Meanwhile, we have the issue investigated by information security firm Fidus. The firm says that OnePlus is currently using the Magento e-commerce platform which is a common platform for credit card hacking.
Furthermore, Fidus says "the payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted."
Straight away, Fidus highlighted two issues that stand out in the current OnePlus payment system. Firstly, "OnePlus do not appear to be PCI compliant, nor do they mention this anywhere on the website," regarding the third-party provider usage. Secondly, OnePlus did not mention that they do not handle card payments that are made on its website.
While OnePlus is known for some great smartphones, they have been plagued with such issues in the past too. Also, the intensity of this issue is unknown at the moment. The Fidus investigation has nearly confirmed the issue is at OnePlus' end itself, and it will be interesting to see how OnePlus responds to this.
Update: OnePlus has now given some clarity on this issue which you can read it over here.
