back to article Customers reporting credit card fraud after using OnePlus webstore

A large number of OnePlus customers claim to have been hit by fraudulent credit card transactions after making purchases on the phone company's site. And they're unhappy that the company has been slow to address the issue. Dozens of fraud reports of unauthorised credit card use were posted through on the company's support …

Silver badge

Spyware on the phones, CC fraud if you buy one, not that cheap any more, poor after-sales support. Why should we buy OnePlus phones again?

19
0
Silver badge

If you liked the original OnePlus for it's reasonable spec and feature set and very low pricing, Xiaomi is probably the way to go now.

4
0
Silver badge

"Spyware on the phones, CC fraud if you buy one, not that cheap any more, poor after-sales support."

This is why I didn't get a 3T or 5. It's a bit sad really as the 3 is an excellent phone.

1
0
Silver badge

iFrame

It can be argued that the common practice of iFrame going to a third party site is very, very bad.

As users get use to seeing data going to a site totally unrelated to the domain they are visiting, but (due to iFrame) appear to be on "main" site .. exactly the sort of thing that would happen on a nastily pwned web site.

If interacting with oneplus (and third party payment API calls made server side) at least same domain origin as far as user is concerned.

If oneplus using https then form data should be no more vulnerable than if iframe to third party vendor used

Obviously with domain itself calling payment stuff from server side there is the issue of how much do you trust oneplus (or whatever site you are using) compared to saggypay (or whatever payment service is used).

If you buy things online, at some point you have to trust some site with your CC details..

5
4
Anonymous Coward

Re: iFrame

Agreed - iFrame setups can look a lot like an attack themselves.

HTTPS should mean your details are safe while in transit. Which implies that OnePlus' servers may have been compromised, allowing the form input data to be copied in that small window when it has been received and is about to be sent on via the back end. In other words it's a fairly classic man in the middle attack, but without the hassle of having to put the man there in the first place.

The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons. Like you say, at some point you've got to trust someone.

5
0
Silver badge

Re: iFrame

The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons.

Doesn't matter if you hand off the transaction processing in an iFrame or redirect to the payment processor's URL, you still must secure your own site.

Otherwise, I hack into your site and amend the relevant URL (the iFrame or the redirect) to point to my server. Job done.

Oh, and after you've secured your site (a never-ending job) you really ought to monitor the payment stuff frequently with a full test to make sure the URL hasn't been tampered with, despite you thinking you'd secured your site.

Oh, and then you ought to regularly inspect the code itself, to make sure I haven't hacked in a test to see if the transaction is being initiated from your monitoring address and in that case send out the correct URL.

These are the things most admins avoid thinking about, lest those thoughts give them sleepless nights.

2
0
Silver badge

t Tiggity, re: CC#'s & trust.

In principle that's true, but you can still employ a step by which to further insulate yourself against CC fraud.

Go to your local big box store (EG: Walmart or Tesco) & purchase a refillable Visa debit card. Give it a balance of a hundred Dollars/Pounds/Euros/whatever. When you want to make a purchase online use the refillable card instead of your real one. That way if the purchase details get comprimised & "your CC details" are among the data that got swiped, all the crims got was a refillable card that won't do them any good after the current available balance is spent.

You can keep topping off the card via your real CC, but since your real CC isn't used to make the online purchases it's never the one at risk of getting screwed over.

If the refillable CC ever gets swiped (physicly) or the data stolen, you can simply go buy another one & carry on as if nothing had happened - your real CC is still safe, your financial details are still safe, & the crims only got the current balance on the card. Sure it hurts if you just topped it off & had a balance of a few hundred, but that is infinitely less painful than if they had nicked the real thing.

So go get yourself a refillable card & top it off. Use it to make your online purchases (& even your in person ones if you're paranoid) to insulate yourself against having your real one stolen. Since we don't trust the points of sale any longer, why should we risk our real cards when making a purchase at one?

4
0
Silver badge

Re: iFrame

"The implicit suggestion that the iFrame method is superior stems from the idea that whoever hosts the iFrame (be it a bank or a payment processing intermediary) will have done a better job of securing their systems, rather than purely technical reasons."

There is a reason for that. It's because in the vast majority of cases the payment processor *will* have done a better job than Joe random coder. Actually worse than that, Joe random web developer.

It also means that you can hand off most (but not all) of that unpleasant PCI compliance.

2
0
Silver badge

Re: t Tiggity, re: CC#'s & trust.

If you are in the UK / EU, then prepaid credit cards aren't such a good idea.

The biggest threat is not actually your credit card details being stolen in transit, which this guards against, but the vendor not supplying what you paid for. In the case, The Consumer Credit Act covers you if you use a real credit card, but not if you use a prepaid one.

Also, my card gives me 1% cashback. I would need to lose a lot of money and have the bank not refund it for some reason, before I would end up worse off than the cashback I've earned over the years.

1
0

Paypal

Paypal is not great, but at least it provides a bit of insulation between my payment account details and retailer websites, and I am reluctant to purchase from sites that don't offer it, particularly if they are overseas.

It is a pity that Paypal make it difficult to set up secure 2FA unless you want to use SMS or their own Security Key, but it can be done using any TOTP client with a bit of work.

https://medium.com/@dubistkomisch/set-up-2fa-two-factor-authentication-for-paypal-with-google-authenticator-or-other-totp-client-60fee63bfa4f

4
2
Silver badge

At Jay_B, Re: Paypal.

I disagree. If you must do business with Paypal then employ the refillable CC method I mentioned in an earlier thread. That way when (not if) Paypal tries to screw you over, all they can do is steal the current balance in the refillable card instead of render you bankrupt.

Paypal: just say no.

=-j

2
2
Silver badge

Sorry, but no

I do use Paypal now and then - when I don't have the choice to use anything else.

Visa is my preferred payment method, because when something goes wrong I have my bank to talk to. My bank manager knows me, knows my account and has been following me for the past ten years. If I tell him something is wrong, he will look into it.

Paypal ? You can send a message, right. Then you pray that Paypal does not decide that it's your fault and bans you for it. No office to go to, nobody to talk to via phone. Just a webpage, and a prayer that someone is awake and not pissed off on the other side.

1
0
Anonymous Coward

Somewhat off topic:

Has anyone else started to receive junk mail from Zopa (money lender) or other firms using your name in the format as held by your bank?

When challenged Zopa said it was normal for them to get people's details from a credit agency ("A-something?) when people opened a bank account. Is this a consequence of the banks etc change to "open banking" January 13? Are they registering their changes of retail customers' accounts with credit agencies - as if opening a new account?

0
0
Silver badge

"open banking" is supposed to only be with customer consent. But that's a politician's promise.

It is common practice for bank details to be shared with the credit reference agencies. It's also common practice for the credit reference agencies to run data supply businesses. There is not supposed to be any overlap between the two.

7
0
Anonymous Coward

Addendum:

There is an alternative idea as to how the credit agency listed my name and address. I recently agreed to give a young couple a large-ish gift towards buying their new house.

UK anti-money laundering processes meant my recent bank statements had to be provided to the mortgage broker, conveyancing solicitor, and Santander. Would Santander use my details to submit a credit check on me?

I fretted at the time that any photocopies possibly taken before returning the originals were a security risk to my account. I am now getting paranoid that those details might have been misused - possibly even as "proof of id" for nefarious purposes.

A few days before the Zopa junk mail I also received a travel company junk mail that used that same name/address format. Worrying - that version of my "formal" name has only been used for a limited number of legal identity uses - including recent renewals of my passport and driving licence. Even online credit card/PayPal transactions don't use it - and it is supposed to be excluded from the Electoral Roll sales.

3
1
Silver badge

Not Zopa, but I get a huge amount of junk mail from Funding Circle offering loans at what they claim to be a rate of 4.5%, but when I do the sums, is actually an APR of about 13%.

0
0

oneplus update

https://forums.oneplus.net/threads/an-update-on-credit-card-security.752415/

This post from oneplus indicates it was not related to PayPal transactions, but to others standard cc based purchases.

0
0

Re: oneplus update

If you buy through PayPal the vendor never gets your card details. So anyone claiming they bought through PayPal has either had their details stolen elsewhere or gave OnePlus their credit card information at some other point in time.

0
0
Anonymous Coward

Walmart may have a similar issue

Several times online purchases from Walmart in the U.S.A. have resulted in several hundred to close to a $1000 of unauthorized purchases within days of the original purchase. A lot of the digital crime appears to be internal. I can confirm that a major U.S. pharma store has been hacked in the past 12 months yet this hack has not been reported by the company as required by law, leaving all consumers vulnerable to the hackers who have accessed credit card and other personal data. This is extremely troubling due to pharmacies having extensive consumer medical and personal data.

1
0
Silver badge
Facepalm

Re: Walmart may have a similar issue

If you know report it - or are the US authorities dragging their feet? - in which case name names please

0
0

Never Settle ... My account

Looks like I could be in for more than One Plus charge if the crooks have their at down to a T.

0
0

OnePlus

Ah that's interesting - I bought a 5T just before Christmas, and got a call from Nationwide saying they suspected fraud from the same card (it was used to buy £300 of stuff from Argos). I called Nationwide back on the public fraud number and it checked out.

I did wonder how anyone got that card number because I very rarely use it for anything other than chip+PIN, contactless or via PayPal...

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018