Chinese Android Phone company OnePlus is at the centre of a storm of complaints after many customers said that their credit cards had been used for fraudulent transactions after they purchased products from the OnePlus web store.
After receiving multiple customer complaints on the OnePlus support forum, and on social media platform Reddit over the weekend linking purchases on its website oneplus.net to fraudulent activity customer accounts, OnePlus has issued a statement saying that it has launched an investigation into the claims.
Customers affected appear to be those who have purchased a phone directly through the company website with their credit card rather than using a third-party such as PayPal.
A poll on the OnePlus support forum indicates that as many as 200 people in different countries have seen fraudulent charges, ranging from $50 to $3,000, appear on the credit cards that they used on the OnePlus site.
Theories and Denial
Theories as to what may have happened include the fact that the company’s Oneplus.net e-website was initially built on the Magento eCommerce platform which was known to be vulnerable to cross-site scripting and remote code execution attack. OnePlus has said, however, that although it had used the platform originally, since 2014 it had been re-building the entire website with custom code, and credit that card payments were never implemented in Magento's payment module.
Another theory, fuelled by a security audit by Fidus, focuses on the idea that OnePlus may have been conducting card transactions itself, rather than through an iFrame, thereby making credit card details (including security code) vulnerable to interception as they passed through the OnePlus site. OnePlus has denied this, saying that it hasn’t been processing cards itself, it doesn’t save any payment information surrendered when people purchased its phones, and that it merely passes all data to a partner who handles the payment process.
Problems In The Past
Some of the accusations are fuelled by the fact that, last year, OnePlus admitted that some of its phones had been sending data to Alibaba without the user's knowledge or consent, thereby breaching data protection law in Europe. Also, the company admitted that an insecure, secret back-door diagnostic tool had been left on some phones.
What Does This Mean For Your Business?
Customer trust is paramount in business, and businesses have a responsibility to make sure that all customer data and privacy is protected. The introduction of GDPR this year should help to push this message even further towards to top of the business agenda. This story reminds us that, in a time where we are more confident than ever to buy online, basic security vulnerabilities still exist in some cases where credit card numbers are submitted through forms.
Sadly, as in so many cases, breaches and security vulnerabilities are not revealed first by the company themselves, but by affected customers and researchers / other third-parties. In the case of OnePlus, as in so many others, customers have accused the company of being slow to respond to the problem.
Companies need to test and audit their payment systems to make sure that they offer maximum security as well as convenience to customers.
This story should also be a reminder of how important it is to have a workable, well-communicated, and current Disaster Recovery Plan and Business Continuity Plan in place.
In the case of OnePlus, more information is yet to be revealed about exactly what happened and why. The company itself has advised customers who think they may have been affected to check their card statements, and contact their banks to resolve any suspicious charges and help to initiate a chargeback and prevent any financial loss.