Cyber security firm Fidus recently discovered that popular Chinese smartphone company OnePlus was one of the latest victims of a major hack. A large group of OnePlus users complained about suspicious activity on their credit cards, voicing their concerns on OnePlus forums and Reddit.
Fidus initially investigated OnePlus after a OnePlus customer described their concerns in a forum post. Two of their credit cards had been compromised, with OnePlus being the only link between the cards. Fidus found that the Magento-hosted OnePlus website used a payment gateway that was hosted on-site, exposing it to potential attacks.
At the time of the investigation, OnePlus halted on-site payments, but continued to accept PayPal payments.
OnePlus Confirms Speculation
As of last week, OnePlus hadn’t officially confirmed that they were hacked, but stated that they were investigating the claims made by many of its customers. Over the weekend, however, they confirmed the hack of their site.
As suspected, malicious code was inserted into the website’s payment gateway. OnePlus sent emails to the 40,000 customers they believe may have been affected by the hack.
OnePlus released a statement on its forum, saying, “We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”
The Danger of On-Site Payment Processing
OnePlus is a solid example of what can happen when you don’t choose the right payment gateway and/or don’t follow best safety practices for online purchasing. When a payment gateway is hosted on-site, it can lead to many problems. Every bit of data entered flows through the host site for just a moment, however fleeting, and during that moment the data can be intercepted by a hacker. Upon submission, it’s sent to a third-party payment processor, but in that small window of opportunity sensitive information, like credit card details, can be captured.
Choosing the right payment gateway and setup can help secure businesses and customers. These payment processors are in charge of taking care of all the tricky details behind payment submission forms, ensuring safety across the board. They help webmasters better meet standards for data security online and handle all encryption needs.
Different types of payment gateways are equipped with different features, such as the ability to accept multiple payment types and integrate with various platforms. Issues arise when business owners fail to understand how different gateways work, and where safety can be compromised.
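The on-site versus hosted distinction described above can be checked on a checkout page directly. The following is an added example, not code from OnePlus, Fidus or Magento: it reports whether card inputs are rendered in the merchant's own page and, if so, which scripts share that page and therefore need integrity monitoring. The field-name hints, host names and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed naming hints for card inputs; real checkout forms vary.
CARD_HINTS = ("cc_number", "card_number", "cardnumber", "cc-number", "cc_cid", "cc-csc", "cvv")

class CheckoutAudit(HTMLParser):
    """Records where card fields live and which scripts share a DOM with them."""
    def __init__(self, merchant_host):
        super().__init__()
        self.merchant_host = merchant_host
        self.card_fields = []     # card inputs rendered by the merchant page itself
        self.scripts = []         # (host, src) of every external script file on the page
        self.frame_hosts = set()  # cross-origin iframes (hosted payment fields)

    def _host(self, url):
        # Relative URLs have no hostname: they are served by the merchant.
        return urlparse(url).hostname or self.merchant_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            ident = " ".join([a.get("name", ""), a.get("id", ""), a.get("autocomplete", "")]).lower()
            if any(hint in ident for hint in CARD_HINTS):
                self.card_fields.append(a.get("name") or a.get("id") or "(unnamed)")
        elif tag == "script" and a.get("src"):
            self.scripts.append((self._host(a["src"]), a["src"]))
        elif tag == "iframe" and a.get("src") and self._host(a["src"]) != self.merchant_host:
            self.frame_hosts.add(self._host(a["src"]))

def audit(html, merchant_host):
    p = CheckoutAudit(merchant_host)
    p.feed(html)
    onsite = bool(p.card_fields)
    return {
        "model": "on-site" if onsite else "hosted",
        "card_fields": p.card_fields,
        # On-site: every script in this DOM can read the inputs, so each one needs
        # integrity monitoring. Scripts cannot read inside a cross-origin iframe.
        "scripts_in_scope": sorted(src for _, src in p.scripts) if onsite else [],
        "frame_hosts": sorted(p.frame_hosts),
    }

# Constructed sample pages (not taken from any real site).
ONSITE = """<form action="/checkout/pay"><input name="cc_number"><input name="cc_cid">
<script src="/js/checkout.js"></script><script src="https://cdn.example.net/widget.js"></script></form>"""
HOSTED = """<form><iframe src="https://pay.processor.example/fields"></iframe>
<script src="/js/checkout.js"></script></form>"""

if __name__ == "__main__":
    for name, page in (("on-site", ONSITE), ("hosted", HOSTED)):
        print(name, audit(page, "shop.example"))
```

The check only sees static markup; fields or scripts injected at runtime need a rendered-DOM inspection instead.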
The Magento Vulnerability
Magento, as opposed to another ecommerce platform like WooCommerce or Shopify, has a track record of opening up webmasters to vulnerabilities. According to one blog post published by Sucuri, “As with most Magento sites, this site had a checkout form that requests customers’ credit card details. Behind the scenes, Magento encrypts this data and saves it or sends it to a payment gateway to complete the transaction.”
This means that during the fleeting moment described earlier, Magento is in charge of handling security, rather than the payment processor, which can create issues as demonstrated by OnePlus.
A hack on your website can have disastrous consequences. The United States National Security Alliance found that 60% of small businesses that fall victim to an online attack are out of business within six months. On average, they’ll have to pay nearly $700,000 to clean up after a hack. This is exactly what happened to Efficient Services Escrow Group when a hack siphoned over $1 million from the company’s escrow accounts to China.
It can also cost you your business reputation. Businesses that fail to keep customers safe will suffer in terms of revenue. Existing customers will think twice before making a purchase again, and potential customers will likely move on to your competitors rather than take the chance.
A good reputation is such a reliable measure of a business’s products and services because it’s the one thing that no business, no matter how profitable, can purchase. Surveys and studies reflect the power of positive reputation, which is critical for operations. Your business reputation affects all aspects of your end-to-end funnel. It follows everywhere you go and everything you do: this means it not only affects your target audience but also facilitates growth across all your business relationships.