Security firm Fidus has revealed how OnePlus’ lack of PCI compliance and the company’s practice of hosting payment card details on-site is compromising credit card details of customers.
Hackers can inject malicious code to siphon credit card details of customers on OnePlus’ on-site payment page before such card details are encrypted.
Credit card users are often asked to ensure that they are punching in their card details on genuine websites of sellers so that their card details are not accessed by hackers or used by them to carry out unauthorised purchases. However, how will customers protect their data if a genuine website starts featuring glaring security loopholes?
Researchers at security firm Fidus recently revealed how OnePlus’ checkout page that accepts payments from visitors featured security vulnerabilities due to PCI non-compliance as well as for not using iFrame by third-party payment processors. These vulnerabilities could enable hackers to intercept financial details of customers before they could be encrypted.
According to PCI requirements, website owners are required to use iFrames by third-party payment processors as such pages are encrypted and any details added by customers cannot be intercepted by hackers. However, after reports of several OnePlus customers complaining about their credit card details being accessed by third parties emerged, the researchers decided to investigate.
‘Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker.
‘Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,’ they noted.
According to the researchers, this fact has busted OnePlus’ claim that they do not handle any card payments, and also exposes the company for not stating on their website that they are not PCI compliant.
Considering that OnePlus’ checkout pages are vulnerable to such hacks, you must not punch in your card details as they are likely to be accessed and misused by third parties. The researchers have also advised that users should conduct penetration testing against e-commerce websites to highlight security risks.
A number of studies over the years have revealed how both consumers and retailers have demonstrated a lack of awareness when it comes to the online security of their financial information. A study by WhiteHat Security revealed that more than a quarter of UK and US consumers would complete a heavily discounted purchase before checking if the website is secure.
The surveyors also found that retailers also exhibit several risky behaviours, with security vulnerabilities on their sites that could be considered serious in comparison to the online risks faced by other industries.
According to the researchers, the most commonly occurring “critical vulnerability classes” facing the retail industry were insufficient transport layer protection, cross-site scripting, information leakage, brute force attacks and cross-site request forgery.