Customers reporting credit card fraud after using OnePlus webstore

A large number of OnePlus customers claim to have been hit by fraudulent credit card transactions after making purchases on the phone company's site. And they're unhappy that the company has been slow to address the issue. Dozens of fraud reports of unauthorised credit card use were posted through on the company's support …

  1. Dan 55 Silver badge

    Spyware on the phones, CC fraud if you buy one, not that cheap any more, poor after-sales support. Why should we buy OnePlus phones again?

    1. Phil W

      If you liked the original OnePlus for its reasonable spec and feature set and very low pricing, Xiaomi is probably the way to go now.

    2. Timmy B

      "Spyware on the phones, CC fraud if you buy one, not that cheap any more, poor after-sales support."

      This is why I didn't get a 3T or 5. It's a bit sad really as the 3 is an excellent phone.

  2. tiggity Silver badge

    iFrame

    It can be argued that the common practice of iFrame going to a third party site is very, very bad.

    As users get used to seeing data going to a site totally unrelated to the domain they are visiting, but which (due to iFrame) appears to be on the "main" site .. exactly the sort of thing that would happen on a nastily pwned web site.

    If interacting with oneplus (with third party payment API calls made server side) it's at least the same domain origin as far as the user is concerned.

    If oneplus is using https then form data should be no more vulnerable than if an iframe to a third party vendor were used.

    Obviously with the domain itself calling payment stuff from server side there is the issue of how much you trust oneplus (or whatever site you are using) compared to saggypay (or whatever payment service is used).

    If you buy things online, at some point you have to trust some site with your CC details..

    1. Anonymous Coward

      Re: iFrame

      Agreed - iFrame setups can look a lot like an attack themselves.

      HTTPS should mean your details are safe while in transit. Which implies that OnePlus' servers may have been compromised, allowing the form input data to be copied in that small window when it has been received and is about to be sent on via the back end. In other words it's a fairly classic man in the middle attack, but without the hassle of having to put the man there in the first place.

      The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons. Like you say, at some point you've got to trust someone.

      1. handleoclast

        Re: iFrame

        The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons.

        Doesn't matter if you hand off the transaction processing in an iFrame or redirect to the payment processor's URL, you still must secure your own site.

        Otherwise, I hack into your site and amend the relevant URL (the iFrame or the redirect) to point to my server. Job done.

        Oh, and after you've secured your site (a never-ending job) you really ought to monitor the payment stuff frequently with a full test to make sure the URL hasn't been tampered with, despite you thinking you'd secured your site.

        Oh, and then you ought to regularly inspect the code itself, to make sure I haven't hacked in a test to see if the transaction is being initiated from your monitoring address and in that case send out the correct URL.

        These are the things most admins avoid thinking about, lest those thoughts give them sleepless nights.
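The two checks handleoclast describes (verify that the iFrame/redirect on the checkout page still points where it should, and guard against a tampered page that shows clean code only to the monitoring host) can be scripted. The following is an added example, not code from the original thread or from OnePlus or any payment processor; the hostnames, the sample checkout page and the "tampered" copy are constructed placeholders.

```python
"""Payment-page integrity check: constructed example, not part of the original
thread or any real merchant's tooling.

Two checks the comment above describes:
  1. every iframe, form and script on the checkout page must point at a host
     you expect (your own domain or your payment processor);
  2. the page served to the monitoring host must match what other vantage
     points see, so a page that serves clean code only to the monitor
     still gets noticed.
All hostnames are placeholders, not real infrastructure.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder allowlist: the merchant's own host plus the processor's.
ALLOWED_HOSTS = {"shop.example", "checkout.payment-processor.example"}

# Attributes that embed content or send the visitor's data somewhere.
TARGET_ATTRS = {
    "iframe": "src",
    "form": "action",
    "script": "src",
}


class _TargetCollector(HTMLParser):
    """Collects (tag, url) pairs for every tag that embeds or posts elsewhere."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = TARGET_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.targets.append((tag, value))


def audit_checkout_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (tag, url) whose host is not on the allowlist.

    Relative URLs stay on the page's own origin, so they are accepted; any
    absolute URL must use https and resolve to an allowed host.
    Scheme-relative URLs ('//other.example/x') are parsed with an explicit
    https scheme so their host is not missed.
    """
    parser = _TargetCollector()
    parser.feed(html)
    violations = []
    for tag, url in parser.targets:
        parsed = urlparse(url, scheme="https")
        if not parsed.netloc:  # relative URL: same origin as the page
            continue
        host = parsed.hostname or ""
        if parsed.scheme != "https" or host not in allowed_hosts:
            violations.append((tag, url))
    return violations


def page_digest(html):
    """SHA-256 of the page body, so fetches can be compared without storing them."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def vantage_points_agree(digests):
    """True if every vantage point saw the same page.

    `digests` maps a vantage-point label (monitoring host, an external
    probe, a colleague's home connection) to the digest it observed. A page
    that only looks clean from the monitoring host disagrees with the rest.
    """
    return len(set(digests.values())) <= 1


# Constructed checkout page as it should look.
CLEAN_PAGE = """<html><body>
<form action="/cart/confirm" method="post"></form>
<iframe src="https://checkout.payment-processor.example/card-form"></iframe>
<script src="/static/checkout.js"></script>
</body></html>"""

# Constructed tampered copy: the card form now loads from an unknown host.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "https://checkout.payment-processor.example/card-form",
    "//unknown-host.example/card-form",
)

if __name__ == "__main__":
    print("clean page violations:", audit_checkout_html(CLEAN_PAGE))
    print("tampered page violations:", audit_checkout_html(TAMPERED_PAGE))
    seen = {"monitor": page_digest(CLEAN_PAGE),
            "external-probe": page_digest(TAMPERED_PAGE)}
    print("vantage points agree:", vantage_points_agree(seen))
```

Run this against the page as fetched from at least one address the site cannot recognise as yours; the digest comparison only helps when the vantage points really are independent, which is the point of the "test for the monitoring address" caveat above.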

      2. Adam 52 Silver badge

        Re: iFrame

        "The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons."

        There is a reason for that. It's because in the vast majority of cases the payment processor *will* have done a better job than Joe random coder. Actually worse than that, Joe random web developer.

        It also means that you can hand off most (but not all) of that unpleasant PCI compliance.

    2. Shadow Systems

      At Tiggity, re: CC#'s & trust.

      In principle that's true, but you can still employ a step by which to further insulate yourself against CC fraud.

      Go to your local big box store (EG: Walmart or Tesco) & purchase a refillable Visa debit card. Give it a balance of a hundred Dollars/Pounds/Euros/whatever. When you want to make a purchase online use the refillable card instead of your real one. That way if the purchase details get compromised & "your CC details" are among the data that got swiped, all the crims got was a refillable card that won't do them any good after the current available balance is spent.

      You can keep topping off the card via your real CC, but since your real CC isn't used to make the online purchases it's never the one at risk of getting screwed over.

      If the refillable CC ever gets swiped (physically) or the data stolen, you can simply go buy another one & carry on as if nothing had happened - your real CC is still safe, your financial details are still safe, & the crims only got the current balance on the card. Sure it hurts if you just topped it off & had a balance of a few hundred, but that is infinitely less painful than if they had nicked the real thing.

      So go get yourself a refillable card & top it off. Use it to make your online purchases (& even your in person ones if you're paranoid) to insulate yourself against having your real one stolen. Since we don't trust the points of sale any longer, why should we risk our real cards when making a purchase at one?

      1. katrinab Silver badge

        Re: At Tiggity, re: CC#'s & trust.

        If you are in the UK / EU, then prepaid credit cards aren't such a good idea.

        The biggest threat is not actually your credit card details being stolen in transit, which this guards against, but the vendor not supplying what you paid for. In that case, the Consumer Credit Act covers you if you use a real credit card, but not if you use a prepaid one.

        Also, my card gives me 1% cashback. I would need to lose a lot of money and have the bank not refund it for some reason, before I would end up worse off than the cashback I've earned over the years.

  3. jay_bea

    Paypal

    Paypal is not great, but at least it provides a bit of insulation between my payment account details and retailer websites, and I am reluctant to purchase from sites that don't offer it, particularly if they are overseas.

    It is a pity that Paypal make it difficult to set up secure 2FA unless you want to use SMS or their own Security Key, but it can be done using any TOTP client with a bit of work.

    https://medium.com/@dubistkomisch/set-up-2fa-two-factor-authentication-for-paypal-with-google-authenticator-or-other-totp-client-60fee63bfa4f

    1. Shadow Systems

      At Jay_B, Re: Paypal.

      I disagree. If you must do business with Paypal then employ the refillable CC method I mentioned in an earlier thread. That way when (not if) Paypal tries to screw you over, all they can do is steal the current balance in the refillable card instead of rendering you bankrupt.

      Paypal: just say no.

      =-j

    2. Pascal Monett Silver badge

      Sorry, but no

      I do use Paypal now and then - when I don't have the choice to use anything else.

      Visa is my preferred payment method, because when something goes wrong I have my bank to talk to. My bank manager knows me, knows my account and has been following me for the past ten years. If I tell him something is wrong, he will look into it.

      Paypal? You can send a message, right. Then you pray that Paypal does not decide that it's your fault and bans you for it. No office to go to, nobody to talk to via phone. Just a webpage, and a prayer that someone is awake and not pissed off on the other side.

  4. Anonymous Coward

    Somewhat off topic:

    Has anyone else started to receive junk mail from Zopa (money lender) or other firms using your name in the format as held by your bank?

    When challenged Zopa said it was normal for them to get people's details from a credit agency ("A-something"?) when people opened a bank account. Is this a consequence of the banks' etc change to "open banking" on January 13? Are they registering their changes of retail customers' accounts with credit agencies - as if opening a new account?

    1. Adam 52 Silver badge

      "open banking" is supposed to only be with customer consent. But that's a politician's promise.

      It is common practice for bank details to be shared with the credit reference agencies. It's also common practice for the credit reference agencies to run data supply businesses. There is not supposed to be any overlap between the two.

      1. Anonymous Coward

        Addendum:

        There is an alternative idea as to how the credit agency listed my name and address. I recently agreed to give a young couple a large-ish gift towards buying their new house.

        UK anti-money laundering processes meant my recent bank statements had to be provided to the mortgage broker, conveyancing solicitor, and Santander. Would Santander use my details to submit a credit check on me?

        I fretted at the time that any photocopies possibly taken before returning the originals were a security risk to my account. I am now getting paranoid that those details might have been misused - possibly even as "proof of id" for nefarious purposes.

        A few days before the Zopa junk mail I also received a travel company junk mail that used that same name/address format. Worrying - that version of my "formal" name has only been used for a limited number of legal identity uses - including recent renewals of my passport and driving licence. Even online credit card/PayPal transactions don't use it - and it is supposed to be excluded from the Electoral Roll sales.

    2. katrinab Silver badge

      Not Zopa, but I get a huge amount of junk mail from Funding Circle offering loans at what they claim to be a rate of 4.5%, but which, when I do the sums, is actually an APR of about 13%.

  5. Feldspa

    oneplus update

    https://forums.oneplus.net/threads/an-update-on-credit-card-security.752415/

    This post from oneplus indicates it was not related to PayPal transactions, but to other standard CC-based purchases.

    1. Jonathan 27

      Re: oneplus update

      If you buy through PayPal the vendor never gets your card details. So anyone claiming they bought through PayPal has either had their details stolen elsewhere or gave OnePlus their credit card information at some other point in time.

  6. Anonymous Coward

    Walmart may have a similar issue

    Several times online purchases from Walmart in the U.S.A. have resulted in several hundred to close to $1000 of unauthorized purchases within days of the original purchase. A lot of the digital crime appears to be internal. I can confirm that a major U.S. pharma store has been hacked in the past 12 months yet this hack has not been reported by the company as required by law, leaving all consumers vulnerable to the hackers who have accessed credit card and other personal data. This is extremely troubling due to pharmacies having extensive consumer medical and personal data.

    1. BebopWeBop

      Re: Walmart may have a similar issue

      If you know report it - or are the US authorities dragging their feet? - in which case name names please

  7. The Envoy

    Never Settle ... My account

    Looks like I could be in for more than One Plus charge if the crooks have their art down to a T.

  8. Gavin Hamill

    OnePlus

    Ah that's interesting - I bought a 5T just before Christmas, and got a call from Nationwide saying they suspected fraud from the same card (it was used to buy £300 of stuff from Argos). I called Nationwide back on the public fraud number and it checked out.

    I did wonder how anyone got that card number because I very rarely use it for anything other than chip+PIN, contactless or via PayPal...
