The first post in the OnePlus forum thread about the fraudulent credit card charges appeared last week. Soon after, multiple buyers reported attempted fraudulent transactions on their cards as well.
In its blog post, published Monday evening, OnePlus said it began the investigation “as a matter of urgency,” and at least acknowledged that the affected users had “made credit card payments directly on oneplus.net (without involving a third party such as PayPal).”
OnePlus has put the financial burden of the whole issue squarely on its buyers and their banks. In its post, the company says, “If you suspect that your credit card info has been compromised, please check your card statement and contact your bank to resolve any suspicious charges. They will help you initiate a chargeback and prevent any financial loss.” This clearly means the Chinese company will not bear any financial losses despite the apparent gaps in its own security system.
As for the investigation, OnePlus has merely said it is still “working with our third-party providers, and will update you on our findings as they surface.”
Cyber security consulting firm Fidus Information Security said in a blog post that two issues “stand out” in the matter: one is that the website seemingly is not PCI compliant, and the other is that OnePlus has incorrectly stated that it does not handle card payments. The company also used the Magento e-commerce platform, which Fidus describes as “a common platform in which credit card hacking takes place.”
But the company has brushed these concerns off, saying the credit card data is sent to its PCI-DSS-compliant payment processing partner over an encrypted connection, and that payment processing is executed on the partner’s secure servers. However, it has not addressed the fact that its website itself is not PCI compliant.
While it acknowledges the official website was built on the Magento platform, it says it has been rebuilding the website with custom code, and that the credit card payments were not implemented on Magento’s payment module. However, it only says “we shouldn’t be affected”, instead of giving a more reassuring statement on the security front.