Credit Card Fraud


Have you had fraudulent charges after a recent OnePlus transaction?

  1. Yes, purchased 0-2 months ago

    341 vote(s)
  2. Yes, purchased 2-4 months ago

    24 vote(s)
  3. Yes, purchased over 4 months ago

    13 vote(s)
  4. No, purchased 0-2 months ago

    81 vote(s)
  5. No, purchased 2-4 months ago

    14 vote(s)
  6. No, purchased over 4 months ago

    96 vote(s)
  7. I Purchased with Paypal

    177 vote(s)
  1. izzykasha
    Lollipop Jan 15, 2018

  2. Wahoux
    Lollipop Jan 15, 2018

    meatandy likes this.
  3. izzykasha
    Lollipop Jan 15, 2018

    izzykasha , Jan 15, 2018 :
    Worryingly they write

    “We stepped through the payment process on the OnePlus website to have a look what was going on. Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted“

  4. G_E_hanan
    Cupcake Jan 15, 2018

    G_E_hanan , Jan 15, 2018 :
    Hey I had the same issue, €300 taken yesterday evening. I searched fraud on Reddit and was so shocked to see a link to this forum as the top post, as I didn't even consider OnePlus as the source. Really really disappointed in OnePlus.

  5. SoniaB
    Community Hero 2020 Jan 15, 2018

    SoniaB , Jan 15, 2018 :
    The Community Manager is OnePlus employee (David Y.) and yes he posted in the thread when it first opened.
    Moderators are in direct contact with him. This was flagged and he is chasing within OnePlus so an update can be provided.

    As for other posts regarding charge back schemes. Pretty much all credit card companies offer this. Its one of the advantages of paying by credit card. So protection is there and anyone affected needs to contact their card provider and arrange this.
    What needs to be determined however, is how this happened to begin with. That investigation may take some time yet

    Hydra Bob, Paul_W_ and Wahoux like this.
  6. SoniaB
    Community Hero 2020 Jan 15, 2018

    SoniaB , Jan 15, 2018 :
    We have been discussing this in moderation team also and @rarog had some interesting info on this.
    Tagging him as he can explain it better than I ever can

    Hydra Bob, Wahoux and rarog like this.
  7. izzykasha
    Lollipop Jan 15, 2018

    izzykasha , Jan 15, 2018 :
    cheers for the updates, nice to see some action

    keep up the good work

  8. F_Ian_Critten_GqIz
    Donut Jan 15, 2018

    F_Ian_Critten_GqIz , Jan 15, 2018 :
    can't believe they've been so stupid or sloppy with customer data.

    I certainly won't order direct with them again, bought 2 op3's 18 months ago, the 2nd one from O2 but one direct.

    this is a massive problem for them, are they still taking payment ls this way today?

    I'm now using PayPal more and more now.

  9. rarog
    Assistant Head Moderator Assistant Head Moderator Jan 15, 2018

    rarog , Jan 15, 2018 :
    Hey, I checked the checkout process this morning until the step of credit card data entry and don't see any problems there.
    The analysts of the site fidusinfosec don't seem to be in 2018 it seems, as nobody needs an Iframe to integrate a secure payment service since many years.
    I just opened the developer tools in Firefox and monitored the traffic. When you enter the credit card data, there are AJAX requests (JavaScript calls) via HTTPS to cdn3.forter.com, the data is also not sent as clear text, but as some encrypted JSON object. Forter seems to be a security checking and probably also credit card processing service (https://en.wikipedia.org/wiki/Forter), so there is no need for OnePlus to process or store the data on their servers, which they also probably don't do. I of course didn't complete the checkout, as I used only test credit card data, but it's not probably that after using Forter to check the data they store it themselves, as such payment services provide security and insurance on a professional level and reduce the expenses and complexity for online shops.

    The far more probable scenario is that all those people who got fraud bookings on their credit card have some malware on their computers, which could of course intercept entered data. With all the trojans targeting online banking the knowledge how to do it is there, the malware authors just have to target specific sites for specific entries for their activities.

    Hydra Bob, meatandy and Wahoux like this.
  10. kumaryashwin
    Jelly Bean Jan 15, 2018

  11. Njut
    Donut Jan 15, 2018

    Njut , Jan 15, 2018 :
    It seems that I'm one of the unfortunate people to get fraudulent charges on my account. I ordered my OnePlus 5T on November 24th and made another order on January 3rd. On January 11th, I received two SMS from my bank to secure purchases that I did not made. I immediately contacted my bank to cancel my card and order a new one, but the next day, my account contained 2 fraudulent payments (568 €) for purchases on a foreign site. I live in France, so I have to go to the police station to file a complaint before hoping to be reimbursed by my bank...

  12. izzykasha
    Lollipop Jan 15, 2018

    izzykasha , Jan 15, 2018 :
    Thanks for the response but I am guessing you are not an expert here, you state words like probably a lot so its not clear cut so I guess we need to wait for an official investigation from Oneplus and their official response?

    However I do appreciate your time doing some tests but I dont think this should allay any fears, until correctly diagnosed people should be wary that it could be something other than trojans on each of the individual peoples machines/devices as it seems to be wide spread. Only by reading this thread are people actually realising it was their oneplus purchase with more coming forward each day so again could this be made sticky permanently up top?

    It will be worth the forum members affected running virus scans on their devices, I dont know about others but I havent used a computer for personal use for a few years now its tablets/iPads/phones so would be good to hear how virus scans go on the devices people used to do the purchase on - please report back here if you can.

    Any infosec experts out there available to give a professional opinion? Remember if you do please state name and profession and company you work for to give it credence


  13. Adam_nerell
    Cupcake Jan 15, 2018

    Adam_nerell , Jan 15, 2018 :
    I can confirm that this has happened to me as well. The credit card in question is almost only used for OP purchases, can't be a coincidence.
    Everyone that has used the webbshop should revoke their cards immediately!

    And to everyone that says that you should wait, easy for you to say, but seriously, butt out...
    I think it's safe to assume that OP has had a major breach.

    Paul_W_ likes this.
  14. izzykasha
    Lollipop Jan 15, 2018

    izzykasha , Jan 15, 2018 :
    Can I ask what device you used to purchase your oneplus products on?

    Are you able to run a virus scan and report if it found any on that specific advice?

  15. Calin Perebiceanu
    Cupcake Jan 15, 2018

    Calin Perebiceanu , Jan 15, 2018 :
    It also happened to me,
    I purchased the 5T on the 5th December 2017 and got some charge tries with that card on 11 January 2018.
    Fortunately , the charges failed due to not enough funds.
    Also, I've used the card on other sites(that I also used each month for the last 3 years)

  16. Adam_nerell
    Cupcake Jan 15, 2018

    Adam_nerell , Jan 15, 2018 :
    A Chromebook, so a virus is pretty much out of the question. Also, seems like the breach is confirmed as a poor implementation of the e-commerce system used.
    Again, everyone that used the webbshop should cancel their cards immediately...

    Paul_W_ and izzykasha like this.
  17. izzykasha
    Lollipop Jan 15, 2018

    izzykasha , Jan 15, 2018 :
    Can I ask what device you used to purchase your product on oneplus?

    Are you able to run a virus scan on that device and post the results here?

    Wahoux likes this.
  18. opolis000
    Eclair Jan 15, 2018

    opolis000 , Jan 15, 2018 :
    Well i guess having 0 $ funds it's at least something...
    I just ordered an OnePlus 5T. Guess i'm *Beep*. (Yes using my card not paypal)

  19. TugaPower
    Jelly Bean Jan 15, 2018

    TugaPower , Jan 15, 2018 :
    You are kidding right? Virus? Did you see the amount of people having the same issue? What they have in common is purchases over OnePlus site recently, the time window is small to see that. Different country's, different persons, common: Credit card used on OnePlus site.
    Also this thread should not be in a sub forum called off topic. Just saying. This is a big concern and let's hope some Admin steps over with some explanation s.

    SoniaB, meatandy, inflamez and 2 others like this.
  20. rarog
    Assistant Head Moderator Assistant Head Moderator Jan 15, 2018

    rarog , Jan 15, 2018 :
    No, I'm not a security specialist per se, but I'm a IT developer. But I have some insight on theory of hacking and had to integrate payment services and multiple online shops in the past. While I used words like "probably", I still understand what I'm writing about.

    Let me explain a little bit further - Iframes are used to integrate/embed other sites into the outer/main site. With modern security policies like SOP (https://en.wikipedia.org/wiki/Same-origin_policy) one can ensure, that even if malicious JavaScript is integrated into a website, it wouldn't be able to intercept data entered into the form within the Iframe. This isn't explained in detail by fidusinfosec. So theoretically if malicious JavaScript would be included into the shop site, then without an Iframe the data could be intercepted. BUT they also write
    and this means, this is not the case in their opinion. Also to include malicious JavaScript, the attacker would need server access to the website before it is delivered to the browser.

    The 2nd possibility described on their site is following:
    The red part of the statement is 100% wrong. This file/class is used just for storing the data. It's not used for handing off data to any provider. It's just a payment method where you enter the data and it's saved encrypted in the database. The online shop owner could then see the data decrypted and manually enters the data to somewhere else to process it. While it's part of Magento, this is never used, if any payment provider is used. I've never met an online shop in the wild that would actually use this. And it's not more or less secure than telling credit card data via phone, people do it all the time especially in the US, but I don't trust this and with proper payment providers there is no need for this, as they handle all the data security, processing, insurance and so on.

    If of course the computer is infected either by malicious plugin or addon or the whole operation system, then of course no Iframe, no SSL and nothing else can protect the data, as the data is intercepted, before it's entered into any website. And scammers use this attack vector judging by my daily cleaning of my email spam folder. I get many mails claiming to be from whatever bank, getting alleged invoices and so on.

    Also AFAIR the cart part isn't based on Magento anymore for a long time anymore. OnePlus started with a heavily modified version of Magento in 2014, but over the course of years I've seen the Magento parts disappear more and more from the website.

    Tl;DR I'm not a professional security expert, but I have my knowledge. My speculations don't replace a proper investigation, but I analysed, why the analysis of fidusinfosec is incorrect, also just a speculation and half clickbait.
    Last edited: Jan 15, 2018