A malicious script was injected into payment page code, running intermittently for several months before being detected.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Hackers injected a script that harvested credit and debit card details from customers at OnePlus.net. Between November 2017 and January 2018 they were able to harvest 40,000 customer's card numbers.
- PayPal users were unaffected, which should serve as a reminder to anyone who shops online to use a payment service instead of their actual card or financial account numbers. —TechRepublic
Android phone manufacturer OnePlus has revealed that an attacker injected a script into one of its payment processing servers that resulted in the theft of the payment data of over 40,000 users.
The script injection is believed to have happened in mid November 2017, and it was removed from the server on January 11th. OnePlus warned in a forum post that anyone who used a credit or debit card on OnePlus.net during that period may have been affected, and that it had sent emails to all customers it believed affected.
OnePlus said the script was intermittently successful, so not all customers who used the site during the aforementioned time period had their card information stolen. The company recommends that all customers who used a credit card on OnePlus.net monitor their transactions or consider getting a new card.
One of the most important things to mention about this case is that PayPal users weren't affected—only those who entered card information on the website itself were at risk. This serves as yet another reminder to place as many layers as possible between your credit/debit card (and account details) and ecommerce websites as possible.
Protecting your financial information on the internet
Individuals and businesses who use credit cards for transactions should avoid giving the card number to websites, trusted or otherwise, when shopping online. Legitimate ecommerce retailers can still fall prey to script injections, and personal computers can be compromised as well.
The easiest way to avoid card or account fraud is to use a service like PayPal, Google Wallet, Apple Pay, or any other service that acts as an intermediary for your financial details. Of course, not all payment platforms are supported everywhere, so signing up for more than one may be necessary.
SEE: Network security policy (Tech Pro Research)
There are also services like Privacy.com. As covered previously on TechRepublic, Privacy.com is a website with an accompanying mobile app that creates dummy credit card numbers that are linked to your account and can be terminated at any time.
Privacy.com cards can be used for a single transaction or multiple ones, can have small limits set on them, can be locked to a single merchant, and can be used to pay for subscription services like Netflix. In the event of a breach, you can simply terminate the card and not have to worry about your actual account being compromised.
There are always concessions to make when it comes to shopping online—even Privacy.com could be breached, for instance. There's no perfect system, and cybercriminals continually find new ways to bypass encryption and enhanced security.
Short of swearing off ecommerce altogether, all you can do is layer your defenses as much as possible.
- How to set up two-factor authentication for your favorite platforms and services (free PDF) (TechRepublic)
- Four startups that are poised to revolutionize e-commerce in 2018 (ZDNet)
- OnePlus phones have 2 factory-installed backdoors that could steal data or root your device (TechRepublic)
- Biometrics centrepiece of new Visa security roadmap (ZDNet)
- 5 mobile security precautions nobody should ignore (TechRepublic)