Mobile phone vendor OnePlus announced on Jan. 19 that it was the victim of a security breach that exposed credit card information of up to 40,000 customers.
The admission that there was a data breach comes three days after OnePlus announced that it was temporarily disabling credit card payments on its website. OnePlus disabled the credit card payments on Jan. 16, after receiving reports from customers that they were seeing unknown credit card charges after buying something online from OnePlus.
"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered," OnePlus stated in an advisory on the breach.
The attack appears to had been ongoing from mid-November 2017 until Jan. 11, 2018, OnePlus said. According to the company, credit card information (card numbers, expiration dates and security codes) that was entered on the Oneplus.net site may have been compromised. Users who saved their credit card information on the site, as well as those who use PayPal, do not appear to be impacted by the breach, however.
OnePlus' investigation into the data breach found that a malicious script was operating intermittently on the Oneplus.net site. The script was able to capture data from end users' web browsers and then send that data to the attacker. According to OnePlus, it has now eliminated the immediate risk.
"We have quarantined the infected server and reinforced all relevant system structures," OnePlus stated.
What remains unclear is how the malicious script got onto the OnePlus server in the first place and why it wasn't caught by security technology. The company is now working with its technology providers as well as law enforcement to further investigate the security incident.
"We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit," OnePlus stated. "All these measures will help us prevent such incidents from happening in the future."
Chris Morales, head of security analytics at Vectra, said he is impressed with the expediency and thoroughness OnePlus is taking in providing its customers with a breach notification. That said, Morales noted that while it is unfortunate that the breach occurred, it is not at all surprising.
"This breach should be a reminder that HTTPS, while encrypted, is not a guarantee of a secure transaction as attackers can compromise the systems at both ends of any encrypted conversation," Morales told eWEEK.
What Should End Users Do?
OnePlus recommends that its customers check their credit card statement and immediately report any unrecognized charges. The company will also be providing credit card monitoring services to impacted customers.
"Unfortunately, there is not much a consumer can do to prevent being victimized as part of a breach," Shawn Kanady, principal security consultant at security Trustwave, told eWEEK.
Kanady added that online shopping will always be risky for the consumer so it becomes more of an awareness and detection issue for the everyday shopper. In his view, the key is to understand the risk and set up some safeguards.
Among the online safeguards that Kanady recommends for online shoppers are the following:
- Set up text-based alerts on your bank/credit account for any transaction over a certain dollar amount. It could be $1.
- Set up accounts that are only used when shopping online. Segregating your accounts will prevent fraud on your high-value accounts like your checking account.
- Do not opt-in on saving your credit card information for later billing.
- Use prepaid cards or a PayPal account for online shopping, allowing for an extra layer between the attacker and your real accounts.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.