Spyware on the phones, CC fraud if you buy one, not that cheap any more, poor after-sales support. Why should we buy OnePlus phones again?
A large number of OnePlus customers claim to have been hit by fraudulent credit card transactions after making purchases on the phone company's site. And they're unhappy that the company has been slow to address the issue. Dozens of fraud reports of unauthorised credit card use were posted through on the company's support …
Monday 15th January 2018 13:34 GMT tiggity
It can be argued that the common practice of iFrame going to a third party site is very, very bad.
As users get use to seeing data going to a site totally unrelated to the domain they are visiting, but (due to iFrame) appear to be on "main" site .. exactly the sort of thing that would happen on a nastily pwned web site.
If interacting with oneplus (and third party payment API calls made server side) at least same domain origin as far as user is concerned.
If oneplus using https then form data should be no more vulnerable than if iframe to third party vendor used
Obviously with domain itself calling payment stuff from server side there is the issue of how much do you trust oneplus (or whatever site you are using) compared to saggypay (or whatever payment service is used).
If you buy things online, at some point you have to trust some site with your CC details..
Monday 15th January 2018 15:27 GMT Anonymous Coward
Agreed - iFrame setups can look a lot like an attack themselves.
HTTPS should mean your details are safe while in transit. Which implies that OnePlus' servers may have been compromised, allowing the form input data to be copied in that small window when it has been received and is about to be sent on via the back end. In other words it's a fairly classic man in the middle attack, but without the hassle of having to put the man there in the first place.
The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons. Like you say, at some point you've got to trust someone.
Monday 15th January 2018 20:40 GMT handleoclast
The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons.
Doesn't matter if you hand off the transaction processing in an iFrame or redirect to the payment processor's URL, you still must secure your own site.
Otherwise, I hack into your site and amend the relevant URL (the iFrame or the redirect) to point to my server. Job done.
Oh, and after you've secured your site (a never-ending job) you really ought to monitor the payment stuff frequently with a full test to make sure the URL hasn't been tampered with, despite you thinking you'd secured your site.
Oh, and then you ought to regularly inspect the code itself, to make sure I haven't hacked in a test to see if the transaction is being initiated from your monitoring address and in that case send out the correct URL.
These are the things most admins avoid thinking about, lest those thoughts give them sleepless nights.
Monday 15th January 2018 21:35 GMT Shadow Systems
t Tiggity, re: CC#'s & trust.
In principle that's true, but you can still employ a step by which to further insulate yourself against CC fraud.
Go to your local big box store (EG: Walmart or Tesco) & purchase a refillable Visa debit card. Give it a balance of a hundred Dollars/Pounds/Euros/whatever. When you want to make a purchase online use the refillable card instead of your real one. That way if the purchase details get comprimised & "your CC details" are among the data that got swiped, all the crims got was a refillable card that won't do them any good after the current available balance is spent.
You can keep topping off the card via your real CC, but since your real CC isn't used to make the online purchases it's never the one at risk of getting screwed over.
If the refillable CC ever gets swiped (physicly) or the data stolen, you can simply go buy another one & carry on as if nothing had happened - your real CC is still safe, your financial details are still safe, & the crims only got the current balance on the card. Sure it hurts if you just topped it off & had a balance of a few hundred, but that is infinitely less painful than if they had nicked the real thing.
So go get yourself a refillable card & top it off. Use it to make your online purchases (& even your in person ones if you're paranoid) to insulate yourself against having your real one stolen. Since we don't trust the points of sale any longer, why should we risk our real cards when making a purchase at one?
Tuesday 16th January 2018 09:18 GMT Adam 52
"The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons."
There is a reason for that. It's because in the vast majority of cases the payment processor *will* have done a better job than Joe random coder. Actually worse than that, Joe random web developer.
It also means that you can hand off most (but not all) of that unpleasant PCI compliance.
Tuesday 16th January 2018 13:49 GMT katrinab
Re: t Tiggity, re: CC#'s & trust.
If you are in the UK / EU, then prepaid credit cards aren't such a good idea.
The biggest threat is not actually your credit card details being stolen in transit, which this guards against, but the vendor not supplying what you paid for. In the case, The Consumer Credit Act covers you if you use a real credit card, but not if you use a prepaid one.
Also, my card gives me 1% cashback. I would need to lose a lot of money and have the bank not refund it for some reason, before I would end up worse off than the cashback I've earned over the years.
Monday 15th January 2018 16:57 GMT jay_bea
Paypal is not great, but at least it provides a bit of insulation between my payment account details and retailer websites, and I am reluctant to purchase from sites that don't offer it, particularly if they are overseas.
It is a pity that Paypal make it difficult to set up secure 2FA unless you want to use SMS or their own Security Key, but it can be done using any TOTP client with a bit of work.
Monday 15th January 2018 21:51 GMT Shadow Systems
At Jay_B, Re: Paypal.
I disagree. If you must do business with Paypal then employ the refillable CC method I mentioned in an earlier thread. That way when (not if) Paypal tries to screw you over, all they can do is steal the current balance in the refillable card instead of render you bankrupt.
Paypal: just say no.
Monday 15th January 2018 23:19 GMT Pascal Monett
Sorry, but no
I do use Paypal now and then - when I don't have the choice to use anything else.
Visa is my preferred payment method, because when something goes wrong I have my bank to talk to. My bank manager knows me, knows my account and has been following me for the past ten years. If I tell him something is wrong, he will look into it.
Paypal ? You can send a message, right. Then you pray that Paypal does not decide that it's your fault and bans you for it. No office to go to, nobody to talk to via phone. Just a webpage, and a prayer that someone is awake and not pissed off on the other side.
Monday 15th January 2018 17:12 GMT Anonymous Coward
Somewhat off topic:
Has anyone else started to receive junk mail from Zopa (money lender) or other firms using your name in the format as held by your bank?
When challenged Zopa said it was normal for them to get people's details from a credit agency ("A-something?) when people opened a bank account. Is this a consequence of the banks etc change to "open banking" January 13? Are they registering their changes of retail customers' accounts with credit agencies - as if opening a new account?
Tuesday 16th January 2018 08:49 GMT Adam 52
"open banking" is supposed to only be with customer consent. But that's a politician's promise.
It is common practice for bank details to be shared with the credit reference agencies. It's also common practice for the credit reference agencies to run data supply businesses. There is not supposed to be any overlap between the two.
Tuesday 16th January 2018 09:48 GMT Anonymous Coward
There is an alternative idea as to how the credit agency listed my name and address. I recently agreed to give a young couple a large-ish gift towards buying their new house.
UK anti-money laundering processes meant my recent bank statements had to be provided to the mortgage broker, conveyancing solicitor, and Santander. Would Santander use my details to submit a credit check on me?
I fretted at the time that any photocopies possibly taken before returning the originals were a security risk to my account. I am now getting paranoid that those details might have been misused - possibly even as "proof of id" for nefarious purposes.
A few days before the Zopa junk mail I also received a travel company junk mail that used that same name/address format. Worrying - that version of my "formal" name has only been used for a limited number of legal identity uses - including recent renewals of my passport and driving licence. Even online credit card/PayPal transactions don't use it - and it is supposed to be excluded from the Electoral Roll sales.
Tuesday 16th January 2018 16:05 GMT Jonathan 27
Tuesday 16th January 2018 04:40 GMT Anonymous Coward
Walmart may have a similar issue
Several times online purchases from Walmart in the U.S.A. have resulted in several hundred to close to a $1000 of unauthorized purchases within days of the original purchase. A lot of the digital crime appears to be internal. I can confirm that a major U.S. pharma store has been hacked in the past 12 months yet this hack has not been reported by the company as required by law, leaving all consumers vulnerable to the hackers who have accessed credit card and other personal data. This is extremely troubling due to pharmacies having extensive consumer medical and personal data.
Tuesday 16th January 2018 12:30 GMT Gavin Hamill
Ah that's interesting - I bought a 5T just before Christmas, and got a call from Nationwide saying they suspected fraud from the same card (it was used to buy £300 of stuff from Argos). I called Nationwide back on the public fraud number and it checked out.
I did wonder how anyone got that card number because I very rarely use it for anything other than chip+PIN, contactless or via PayPal...