[Jan 19 Update] An Update on Credit Card Security

  1. Mingyu Platform Product Staff Member Jan 15, 2018

    Mingyu, Jan 15, 2018 :
    [Jan 19 Update #2]

    Update: Thank you for your comments, we're reading each and every one and we appreciate your feedback. We do want to clarify: only potentially affected users will receive the email.



    [Jan 19 Update]

    Hi all,

    We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.

    1. What happened

    One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.
    • The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated.
    • We have quarantined the infected server and reinforced all relevant system structures.

    2. Who's affected
    • Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected.
      • Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
      • Users who paid via a saved credit card should NOT be affected.
      • Users who paid via the "Credit Card via PayPal" method should NOT be affected.
      • Users who paid via PayPal should NOT be affected.
    • We have contacted potentially affected users via email.

    3. What you can do
    • We recommend that you check your card statements and report any charges you don’t recognize to your bank. They will help you initiate a chargeback and prevent any financial loss.
    • For enquiries, please get in touch with our support team at https://oneplus.net/support.
    • If you notice any potential system vulnerabilities, please report them to security@oneplus.net. This is a monitored inbox, but please note, we may not be able to respond to all reports.

    4. What we are doing


    We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.

    We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.

    A big thank you to our forum user @superdutynick for bringing this incident to our attention!

    Sincerely,
    The OnePlus Team




    [Jan 18 Update]

    We're nearing the end of our investigation and will share a detailed update tomorrow.

    [Jan 16 Update]

    This is a serious issue and we are investigating around the clock.

    As a precaution, we are temporarily disabling credit card payments at oneplus.net. PayPal is still available, and we are exploring alternative secure payment options with our service providers.

    Thank you all for the kind words and support.




    Hi there,

    At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised.
    • Who might be affected?
    The reports have come from some customers who made credit card payments directly on oneplus.net (without involving a third party such as PayPal). We are investigating each report.
    • Is my credit card info stored on oneplus.net?
    No. Your card info is never processed or saved on our website - it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers.
    • What about the "save this card for future transactions" feature?
    If you checked the "save this card for future transactions" while making a payment, all this means is that our payment processing partner encrypted and securely stored your card info and sent us a few digits (for identification purposes; see image below), plus a "token" - a string of symbols that represents your card. This token is stored in our system, but it's impossible for us to decrypt it and access your card info. Next time you make a payment at oneplus.net, this token will be recognized by our payment processing partner, who then fetches your original card info from their secure vault and uses it for payment processing.

    [Image: Credit-card.jpg]
    • Is oneplus.net affected by the Magento bug?
    Source: https://blog.sucuri.net/2015/04/impacts-of-a-hack-on-a-magento-ecommerce-website.html

    Oneplus.net was initially built on the Magento eCommerce platform. However, since 2014 we have been re-building the entire website with custom code, and credit card payments were never implemented in Magento's payment module at all. So no, we shouldn't be affected.
    • What about the forum cases?

    Payment fraud is a perennial concern with all online payments. If you notice suspicious charges in your card statement, contact your bank immediately so they can reverse the payment. Our website is HTTPS encrypted, so it's very difficult to intercept traffic and inject malicious code; however, we are conducting a complete audit.
    • What can I do?
    If you suspect that your credit card info has been compromised, please check your card statement and contact your bank to resolve any suspicious charges. They will help you initiate a chargeback and prevent any financial loss.
    • What next?
    This is an ongoing investigation. We are working with our third-party providers, and will update you on our findings as they surface. Information security is a very serious topic, and it has always been one of our top priorities. If you have any suggestions or comments, please send them to security@oneplus.net.

    We would like to thank the community for bringing the issue to our notice.
    Last edited: Jan 19, 2018

    #1
    venk_nar, PSSF23, GraceLand and 258 others like this.
  2. MNavy_ Jelly Bean Jan 15, 2018


    #2
  3. camohan Lollipop Moderator Jan 15, 2018

    camohan, Jan 15, 2018 :
    Glad to see a quick response on this. Will be eager to see the results of the investigation. Cheers...!!

    #3
  4. jkb114 KitKat Jan 15, 2018


    #4
  5. Cheetosdust Jelly Bean Jan 15, 2018

    Cheetosdust, Jan 15, 2018 :
    Not an easy message to post, but thanks for the update.

    I really hope this thread reaches the biggest number of users possible. Can OnePlus please make sure it’s well visible here in the forums?

    Also, maybe it’s a good idea to reach out to the users who purchased the product and are in that group of customers that can be affected.

    #5
  6. izzykasha Jelly Bean Jan 15, 2018

    izzykasha, Jan 15, 2018 :
    Good update, but for information, this was first reported on the 11th Jan in the original forum post, so welcome as this all is, I feel some days have been wasted.

    Crack on OnePlus, find the cause, and maybe limit payments online to just PayPal for the time being as they are safe?

    #6
  7. idkwhoiam322 KitKat Jan 15, 2018

    idkwhoiam322, Jan 15, 2018 :
    Glad to see OnePlus keeping everyone on the community updated as always! Like @Cheetosdust said it'd be great if as many as the affected users were reached out to and reassured.
    I hope you guys can sort this out as soon as possible!

    #7
  8. An.I.Am Jelly Bean Moderator Jan 15, 2018


    #8
    Cheetosdust, otto2, meatandy and 2 others like this.
  9. G_jonny_cool_nxOr Ice Cream Sandwich Jan 15, 2018

  10. rarog Lollipop Senior Moderator Jan 15, 2018

    rarog, Jan 15, 2018 :
    Have you seen this stickied post? It was posted 6h and 27min after the thread was posted. Not having an immediate public announcement doesn't mean nothing happened in the background.

    #10
    ChrisFR06, Sun90, rusty264 and 9 others like this.
  11. obakesan Ice Cream Sandwich Jan 15, 2018

    obakesan, Jan 15, 2018 :
    For transparency, since I don't think this is mentioned on the website, what processing partner are you using?

    Thanks for the update.

    #11
  12. izzykasha Jelly Bean Jan 15, 2018

    izzykasha, Jan 15, 2018 :
    I believe the constant kicking and promoting of this, and people contacting moderators, actually got this going today, and the external press helped too.

    So no, I believe this was a great effort by the forum posters here on their thread pushing this up to a critical priority, which resulted in a much needed post by OnePlus and contact with the affected people.

    You can believe it to be another way; you have that right.

    Well done everyone, this is what the community is about.

    #12
    galenyip, puccellino and pa5t1s like this.
  13. rarog Lollipop Senior Moderator Jan 15, 2018


    #13
    keithgpowell, Sun90, eye842 and 5 others like this.
  14. xythiii Ice Cream Sandwich Jan 15, 2018

  15. izzykasha Jelly Bean Jan 15, 2018

    izzykasha, Jan 15, 2018 :
    Let's stop mudslinging, especially moderators that should know better. The fact is, after much pushing from this great forum community, today users affected are being contacted by OnePlus customer services so they can gain all the facts.

    Well done again to all for this fine work, and if you have been affected you must let OnePlus know.

    Top job all, including the moderators involved today, to give this a massive push.

    #15
  16. rarog Lollipop Senior Moderator Jan 15, 2018


    #16
    Sun90, drmartin, eye842 and 5 others like this.
  17. Nidhin Raj KitKat Jan 15, 2018

  18. G_jonny_cool_nxOr Ice Cream Sandwich Jan 15, 2018

    G_jonny_cool_nxOr, Jan 15, 2018 :
    Lol they give the news perfectly and in detail

    #18
  19. rarog Lollipop Senior Moderator Jan 15, 2018

    rarog, Jan 15, 2018 :
    No, they don't.
    Fidus never states anything about a clear case; they mostly glued some theoretical information together, made incorrect statements, but never made any conclusive proving statement.

    That's not the definitive problem. It can be, but it doesn't have to be. And Fidus also claims that they didn't find any malicious JavaScript code when they looked at the site, so the statement that "problems occurs because" is wrong.

    Incomplete and incorrect statement. Any hacked website is insecure, not just Magento. The mentioned blog rather gives an example and proof of concept for a Magento store, for payment-method code that I've never seen used in the wild, because it was never secure.

    #19
    lakesh.reddy, Sun90, eye842 and 7 others like this.
  20. G_jonny_cool_nxOr Ice Cream Sandwich Jan 15, 2018


    #20
    Nante74 likes this.