The Chinese smartphone manufacturer OnePlus recently suffered a breach that compromised the credit card information of up to 40,000 customers.
On January 19, OnePlus disclosed the attack in a blog post. The post describes a malicious script that was injected into the payment page of the company’s website after the attackers successfully penetrated one of its systems.
The website was under attack from mid-November 2017 to January 11, 2018. The company took notice when many customers complained about fraudulent attempts on their credit cards shortly after making a purchase on the OnePlus website.
The cyber security company Fidus Information Security also investigated and reported several security failings on the website. A week after hundreds of customers reported fraud, OnePlus confirmed the attack and placed a temporary block on credit card payments on its website.
According to OnePlus, the attackers penetrated one of the website’s servers and inserted malicious JavaScript code that sent the credit card number and other data to the attacker as soon as it was entered.
The affected customers were informed on Friday morning via an email, which described how credit card numbers, expiry dates and security codes were all stolen from customers who made a purchase on the oneplus.net website from mid-November through to January 11.
However, the customers who had saved and encrypted credit card information or used Paypal have not been affected by the attack.
Fidus Information Security founder and hacker Andrew Mabbitt told Forbes that OnePlus were “100% at fault here.” “The only way the loss of credit cards could have occurred was through a breach of the OnePlus website and the use of malicious JavaScript. They should have been redirecting to the payment processor's own payment page as that environment will be fully PCI [Payment Card Industry] compliant,” he said.
OnePlus apologized to its customers for letting something like this happen and said it was painful to have let its customers down. The company is also offering free credit card monitoring to the affected customers and has promised to implement a more secure credit card payment method. It is also conducting an in-depth investigation and is informing law enforcement and data protection authorities across its operating regions.
Breaches of this kind are becoming common and many well-known websites have suffered them. The most secure way to prevent credit card fraud is to use an OFF-SITE payment processor, or one that provides iFrame integration with checkout pages. Third-party payment providers have created PCI compliant sandboxes for the very purpose of securely taking card payments; use them.
Whilst iFrame integration is a secure option for merchants who want to host the payment pages themselves, it remains vulnerable to JavaScript attacks. iFrame integration does, however, combat malicious code within the Magento source code, such as Cc.php.
Companies should also regularly conduct penetration tests on their websites so that bugs and risks are identified early.