Update: OnePlus has responded to the credit card fraud story, saying that the company is investigating the issue. In a forum post, a OnePlus staff member described the problem in detail and explained the precautions users can take to prevent unauthorised transactions. The forum post from OnePlus says, "Your card info is never processed or saved on our website - it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers." The company has also listed FAQs regarding the issue. Those concerned can go and read them here.
A number of OnePlus users are reporting fraudulent transactions on their credit cards after making purchases through the official OnePlus website. Some OnePlus customers who used their credit cards to buy products from the official website reported that they noticed multiple unauthorised transactions on their cards.
A poll conducted on the OnePlus forum shows that credit card fraud occurred on purchases made on the OnePlus website in the past 2 months. 51 voters in the poll said that they made purchases using OnePlus’ website in the past 2 months, after which unauthorised transactions started popping up in their statements.
“I purchased two phones with two different credit cards, first on 11-26-17 and second on 11-28-17. Yesterday I was notified on one of the credit cards of suspected fraudulent activity, I logged onto credit card site and verified that there were several transactions that I did not make,” a OnePlus forum member wrote.
“My brother and I both purchased our phones in late December 2017. Today, early morning, both of us got fraudulent credit card charges in EUR and USD. Lucky enough, they were rejected by our local banks,” reported another OnePlus forum member.
The reports are not confined to the OnePlus forums: users on Reddit have also taken note of the matter and are reporting the issue there. A thread titled, “Oneplus' payment system might have been compromised, customers reporting credit card fraud,” popped up on Reddit yesterday.
“Woke up to $1600 in attempted charges so it's safe to say I was a part of this, phones great though…,” a Reddit user wrote.
While a OnePlus community moderator did promise to take up the issue with OnePlus' customer service team, no official statement has been made by the company yet.
A report by TelecomTalk states that OnePlus’ payments page is hosted on-site rather than in an iframe served by a third-party payment processor, leaving all payment details entered by users exposed to attack through the OnePlus website. The publication approached a security firm called Fidus, which said, “OnePlus do not appear to be PCI compliant, nor do they mention this anywhere on the website.”
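The distinction the report draws between an on-site payment form and a processor-hosted iframe can be checked from a checkout page's markup. The following is an added example, not code from OnePlus, TelecomTalk or Fidus: the `classify` helper, the page URLs and the sample markup are constructed for illustration, and the check assumes card inputs carry the standard `autocomplete` card tokens.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Card-field autocomplete tokens defined by the HTML standard.
CARD_TOKENS = {"cc-name", "cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}


def origin(url):
    """Return (scheme, host, port), or None for relative or empty URLs."""
    u = urlparse(url or "")
    return (u.scheme, u.hostname, u.port) if u.hostname else None


class CheckoutAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_origin = origin(page_url)
        self.inline_card_fields = []  # card inputs in the merchant's own DOM
        self.foreign_frames = []      # hosts of iframes served from another origin

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            tokens = set((a.get("autocomplete") or "").lower().split())
            if tokens & CARD_TOKENS:
                self.inline_card_fields.append(a.get("name") or a.get("id") or "?")
        elif tag == "iframe":
            o = origin(a.get("src"))
            if o and o != self.page_origin:
                self.foreign_frames.append(o[1])


def classify(page_url, html):
    """Label a checkout page 'on-site', 'hosted-iframe' or 'unknown'."""
    audit = CheckoutAudit(page_url)
    audit.feed(html)
    audit.close()
    if audit.inline_card_fields:
        return "on-site", audit.inline_card_fields
    if audit.foreign_frames:
        return "hosted-iframe", audit.foreign_frames
    return "unknown", []


# Constructed sample markup (not taken from any real site).
PAGE = "https://shop.merchant.example/checkout"
ONSITE = '<form method="post"><input name="card_number" autocomplete="cc-number"><input name="cvv" autocomplete="cc-csc"></form>'
HOSTED = '<form method="post"><iframe src="https://pay.processor.example/card-fields"></iframe></form>'

if __name__ == "__main__":
    print(classify(PAGE, ONSITE))
    print(classify(PAGE, HOSTED))
```

A page classified `on-site` has its card fields in the merchant's own DOM, within reach of any script running on that page; fields inside a cross-origin iframe are isolated from the parent page by the browser's same-origin policy.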
The Payment Card Industry Data Security Standard (PCI DSS) is applicable to any company accepting credit card transactions. The PCI Security Standards Council has set 12 security requirements that must be met to become compliant with the standard.