Update: OnePlus disables credit card payments on its website in wake of reported security breach
Update: OnePlus has now disabled credit card payments on OnePlus.net. Customers will still be able to shop via PayPal. The company is still investigating and is also looking for alternative payment options. If you've made any credit card payments on OnePlus.net, keep an eye on your payment history and card statements. Original story follows:
Thankfully, most card issuers have fraud detection built in to catch such charges. But if you've shopped at OnePlus.net and paid with a credit card rather than through the PayPal checkout, we suggest you keep an eye on your card's transaction history until this whole debacle is cleared up.
OnePlus is currently looking into the allegations
OnePlus was quick to answer customer concerns but has yet to confirm or deny a leak. In a forum post, which is the company's official reply for now, it explains that OnePlus does not store credit card data and that customer payment details are handled by a secure third-party system. Even if you tick the "Save my card for future transactions" box, all that OnePlus saves is a token that represents your card details; the details themselves remain encrypted in the payment system's database. According to the statement, the investigation is still ongoing. Users who believe their data has been compromised are encouraged to contact security@oneplus.net and report when they last shopped at OnePlus.net and when the fraudulent transactions began to show up on their credit card statements.
Security experts chime in
Security experts at a company called Fidus Information Security have written their own blog post on the matter. According to Fidus, the fact that the payment details page is hosted on the OnePlus website is where the problems start. OnePlus may not store or read your card details, but that information passes through its servers for a brief period before it reaches the payment company's database, and tokenization does nothing to protect data at that stage.
Fidus gave two examples of how the payment flow could be compromised to leak sensitive data. One is a malicious piece of JavaScript hosted on the server, which makes the shopper's browser send a copy of the billing details they enter straight to the attacker as they submit the form (a client-side skimmer). The other is a direct compromise of the OnePlus servers, which would point to a far more serious weakness in security.
Vulnerability point, image courtesy of Fidus Information Security
We'll see where this story goes from here. You are free to visit the OnePlus forum threads (linked below) to follow reports from other users as they develop while we wait for OnePlus to conclude its investigation.