Last week OnePlus reached out to its customers to inform them of a malicious attack in which hostile code was inserted into its payment page.
“Customers were informed Friday morning via email, which explained credit card numbers, expiration dates and security codes were all pilfered from customers who were entering their data into the oneplus.net website from mid-November through to January 11. That’s all the information anyone needs to start raiding bank accounts. Anyone who had saved credit card information or used PayPal shouldn’t have been affected, the company said.”
How did this happen? And how can we learn from this attack to better protect our schools, businesses, and medical institutions?
The payment page that OnePlus was using was not PCI compliant, which allowed the hackers to intercept customers' sensitive data: credit card numbers, security codes, billing addresses, and even customers' names.
“[OnePlus] should have been redirecting to the payment processor's own payment page as that environment will be fully PCI [Payment Card Industry] compliant,” Fidus hacker and founder Andrew Mabbitt said. The PCI Security Standards Council sets minimum bars to reach for payment processors in protecting data.
Ensuring that your payment processing page and partner operate as PCI compliant is one step toward improving the security of your customers' data. Another is to encrypt the data through Point-to-Point Encryption, or P2PE.
With P2PE, your customer's card data is encrypted immediately when the card is swiped, inserted, or typed, and the encrypted data is stored within the processor's network. The processor then turns the encrypted data into a “token”, and only that token is stored on the merchant's network. When a charge is made, the token refers back to the processor's encrypted data, which the processor uses to contact the bank and approve the charge.
If the data on your merchant network were compromised, or if a hacker somehow got into your merchant system and got hold of the tokens created from the original transactions, that information would be useless to the hacker.
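As an added illustration (not Arrow Payments' or OnePlus's code), here is a small Python model of the flow just described: a processor encrypts card data at capture and keeps the ciphertext, the merchant stores only a random token, charges are approved through the token, and a scan of the merchant's store confirms that no card number is present for an attacker to steal. The `Processor`, `Merchant`, `luhn_ok` and `pan_exposure` names and the keyed-hash cipher are hypothetical stand-ins, not a real P2PE implementation.

```python
import hashlib, re, secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, used by the processor stand-in and by the exposure scan below."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Processor:
    """Hypothetical processor: holds the P2PE key and the encrypted-card vault; a PAN never leaves it."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._vault = {}                     # token -> (nonce, ciphertext)

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        # Keyed-hash keystream XOR: a stand-in for the AES used in real P2PE, not production crypto.
        stream = b"".join(hashlib.blake2b(nonce + c.to_bytes(4, "big"), key=self._key).digest()
                          for c in range((len(data) + 63) // 64))
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt_at_capture(self, pan: str) -> str:
        """Card data is encrypted the moment it is entered; ciphertext stays here, a random token goes back."""
        nonce, token = secrets.token_bytes(16), secrets.token_urlsafe(16)   # token is unrelated to the PAN
        self._vault[token] = (nonce, self._xor(nonce, pan.encode()))
        return token

    def authorize(self, token: str, amount_cents: int) -> bool:
        """The merchant presents only the token; decryption and the bank call happen inside the processor."""
        if token not in self._vault or amount_cents <= 0:
            return False
        return luhn_ok(self._xor(*self._vault[token]).decode())   # stand-in for the issuing bank's approval

class Merchant:
    """Merchant network: keeps tokens and order metadata only, which is all a breach here could expose."""
    def __init__(self, processor: Processor):
        self.processor, self.orders = processor, []

    def checkout(self, pan: str, amount_cents: int) -> str:
        token = self.processor.encrypt_at_capture(pan)  # the PAN is never written to the merchant's store
        self.orders.append(f"token={token} last4={pan[-4:]} amount={amount_cents}")
        return token

PAN_RE = re.compile(r"\b\d{13,19}\b")
def pan_exposure(records):
    """Defender's check: which stored records still contain a Luhn-valid card number in the clear?"""
    return [r for r in records if any(luhn_ok(m) for m in PAN_RE.findall(r))]
```

Running `pan_exposure` over the merchant's order records returns nothing, while the same scan over a record that stores the card number directly flags it; the `4111111111111111` test number used below is a constructed sample.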
If you are wondering whether your payment page is PCI compliant, most likely it is not. Connect with Arrow Payments to review your payment processing options and gain insight into your business's payment security vulnerabilities before you experience a data breach and the costs that go along with it.
Here to help,