
Hacked: OnePlus Security Breach May Have Left 40,000 Exposed

Image Source: Android Community

It is January 2018 and we are already seeing a continuation of the chain of cybersecurity breaches that ran through the past year. Some of those incidents were the work of cybercriminals abusing a vulnerability in a system. But many of them are ultimately the fault of the companies involved, which did a poor job of protecting their customers’ identities. Now OnePlus joins the fray as it announces that its security has been breached and that as many as 40,000 people are affected.

Credit Card Fraud

The incident came to light after hundreds of people started complaining about their credit cards being flagged by their banks for suspected fraudulent activity. Many of those affected were recent customers who had purchased a phone from OnePlus within a two-month span starting around November 2017. Fidus, an information security company in the U.K., published a blog post pointing out the security flaws in OnePlus’ payment system.

Image Source: Fidus

Fidus notes: “We stepped through the payment process on the OnePlus website to have a look what was going on. Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE.” They went on to explain that, because of this, attackers were able to intercept the data on its way from the user to the OnePlus website. They also note that the payment page isn’t PCI compliant.

Fidus was able to predict how the attackers gained access to the customers’ data before OnePlus reported how the 40,000 users’ credit card information had been stolen. “Credit card fraud is not new to the Magento eCommerce platform,” the post said. In an interview with Forbes.com, Andrew Mabbit, founder of Fidus, said that OnePlus is the one at fault here, noting that OnePlus could simply have redirected users to the “payment processors’ own payment page.” He reasoned that the payment processor’s page would surely have been PCI compliant.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users,” a post on OnePlus’ forums said. The post goes on to admit that sometime last year their system was attacked and a script was injected into their payment system. This malicious script captures credit card information as it is entered on the payment page and transmits it to the attackers while the user is still typing it in. According to OnePlus, people who paid with saved credit card information and those who used PayPal should not be affected.

OnePlus is also offering free credit card monitoring services to the customers who reported fraud, and has promised to alert the authorities about the matter and to improve the security of its systems. It has, however, never released a list of the people supposedly affected by the theft.

Negligence

Image Source: Fidus

One of the biggest pitfalls for web developers is overconfidence in their own skills, especially when they are new to the industry. Skipping the work of gathering all the requirements and the required knowledge, they set out and build systems that are usually full of holes. OnePlus’ payment system is one such example. As stated by Fidus, the attackers were able to intercept the data because OnePlus’ servers stood between the users and the payment processors. And as mentioned, OnePlus could have avoided the matter by simply redirecting users to the payment processors, who have a much more secure system. The incompetence shown by OnePlus could have cost people thousands had the banks not detected the fraudulent activity.
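As an added example, not code from Fidus, OnePlus or Forbes, here is a small Python audit of the kind a merchant could run against its own checkout HTML to catch the two problems described above: it flags scripts from origins not on an allowlist, inline scripts on the card-entry page, and a card form that posts back to the merchant’s own server instead of the processor’s hosted page. The host names and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Expected script origins and the processor host that should receive card data.
# Constructed placeholders for this example, not OnePlus' or Fidus' real values.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.processor.example"}
PROCESSOR_HOST = "checkout.processor.example"

class CheckoutAudit(HTMLParser):
    """Collects external script sources, inline script count and form actions."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.form_actions = [], 0, []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.script_srcs.append(attrs["src"])
        elif tag == "script":
            self._in_script = True  # inline body arrives via handle_data
        elif tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_checkout_page(html):
    """Return findings a defender should review on a page that collects card data."""
    p = CheckoutAudit()
    p.feed(html)
    findings = []
    for src in p.script_srcs:
        if urlparse(src).hostname not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"script from unexpected origin: {src}")
    if p.inline_scripts:
        findings.append(f"{p.inline_scripts} inline script(s) on a card-entry page")
    for action in p.form_actions:
        if urlparse(action).hostname != PROCESSOR_HOST:
            findings.append(f"card form posts to merchant site, not processor: {action}")
    return findings

# Constructed sample: an on-site card form plus an injected third-party script.
SAMPLE_PAGE = """<html><body>
<script src="https://shop.example/static/app.js"></script>
<script src="https://cdn.unknown-host.example/t.js"></script>
<script>document.forms[0].onsubmit = function () {};</script>
<form action="/payment/submit" method="post"><input name="card"></form>
</body></html>"""
```

Running `audit_checkout_page(SAMPLE_PAGE)` yields three findings; a page whose only form posts to the processor’s hosted checkout and that loads no unexpected scripts yields none.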