OnePlus Credit Card Hack

By   ISBuzz Team
Writer , Information Security Buzz | Jan 24, 2018 05:30 am PST

Following the news that OnePlus has confirmed that up to 40,000 customers have been affected by a data breach, IT security experts commented below.

Dan Panesar, VP EMEA at Certes Networks:

“OnePlus have confirmed that up to 40,000 customers have been affected by a data breach which saw hackers harvest users’ credit card details through a malicious script injected into the payment code page on their website back in November 2017.

This cybersecurity breach is another in a long line of incidents that show that organisations are not taking the protection of their customers’ financial data seriously. It certainly begs the questions why it was so easy for hackers inject code into the OnePlus website and why the breach took nearly two months to detect.

This highlights, yet again, both that responsibility for security is not centralised but fragmented across multiple silos and that security infrastructure remains unnecessarily complicated. Models have become more and more complex and dependent upon a huge array of disparate technology teams – from networking to cloud, application to management.  The result is a lack of consistency that creates gaping holes in the security infrastructure; holes that are being routinely breached by ever more sophisticated and motivated hackers.

Organisations need to bring their approach to security up to date as it is clear that the current security mindset is not working. Organisations need to think beyond the ‘protect’, ‘detect’, ‘react’ approach which sees hackers on average spend over 100 days syphoning of sensitive data from across compromised networks. Instead the model needs to include a step that limits the damage – ‘containment’.

The best way to achieve that is to adopt a ‘Zero Trust’ model and accept that access or ‘trust’ once within any part of the extended enterprise must be strictly limited. This approach, critically, decouples security from the complexity of the IT infrastructure and addresses user and application vulnerability.

Shift the focus from infrastructure to trust and it doesn’t matter how complex technology has become, or becomes in the future, the security model remains simple and hence both manageable and relevant.”

Tyler Moffitt, Senior Threat Research Analyst at Webroot:

“Enterprises should assume they have been or will be breached. The savvy consumer should also assume their financial accounts have been or will be compromised. The reality is that consumers must take steps to be warned when unauthorised transactions occur on their accounts. They should work with their financial institutions to set text and email alerts when transactions over a specified limit occur. Additionally, when online shopping, it is inherently more secure for consumers to use their PayPal accounts than enter their credit card data upon checkout – it is best practice to enter credit card information as rarely as possible. Most merchants have PayPal, Masterpass or Visa Checkout options available, which are more secure payment protocol alternatives.”