I find it hard to believe a website of the size of CRC would be subject to a SQL injection attack
Company size has very little to do with vulnerability. Might even make them a bigger target with hackers. SQL Injection, Cross-site scripting, buffer overflows, etc. must surely be one of the biggest and most common reasons for all the patches and updates.
Will admit I've not done any pen-testing for years, but some of the bugs out there online are insanely dumb and easy to crack. Some are documented and not patched for months, others get reported, patch made available, and the hackers are defacing sites within hours, before updates can even be applied.
I find it hard to believe a website of the size of CRC would be subject to a SQL injection attack
Believe you me the hackers out there are REALLY good. I have spent years developing very secure sites working with sensitive information and we wrote layers of security traps to counter SQL injection. We also employed white hats to attack the site and find any flaws that we may have left in. They were able to do some really scary stuff and I learnt all about blind SQL injection as a way of enumerating database information. This was a result of a one-line mistake by one of our devs. That is all it takes, one simple coding assumption and you have had it.
We have a Dev here at work who has a strong interest in web security - he pen tests his own work sites, to see how far he can get from 'the other side'. It's a fascinating art.
About 5% of the time, he can get in - so he re-writes the code, and tests it again.
I would not be surprised if Export Technologies IRP software had numerous security holes/bugs, yet to be discovered by their own team.
Doesn't using stored procedures for all db access, rudimentary user input checking plus having a decent security object security setup on your database eliminate SQL injection attacks?
sheffield43: no, it mitigates against them
All this so soon after the antichainreaction website springs up, suspicious eh - I mean there is a spanish connection with some of the rail tickets being bought.
*please be aware this post is not at all serious, there may be an attempt at subtle humour.*
CRC turned over £77 million in 2009. This is information in the public domain. I have no idea how accurate the following is, so it's totally open to debate, but we can play with some of the numbers and use them to narrow down to the unknowns. Then we can plug in made-up numbers and see if the answers meet our expectations.
Around £6 million a month in orders
Average order value, say £25... or £50... or £100? Let's take these 3 and see what happens.
£6 million / £25 = 240,000 orders a month
@ £50 = 120,000 orders
@ £100 = 60,000 orders
0.1% of 240,000 = 240
0.1% of 120,000 = 120
0.1% of 60,000 = 60
We have on this site 158 complaints. That sits between average order values of £25 - £50, but we can't assume that those 158 are all the complaints. There will undoubtedly be more.
The largest unknown is the average CRC order. I could be all over the place with my guess. Maybe a straw poll of readers last purchase values will help us narrow that down to a more accurate figure. Anyway, I think the method is sound if not all the figures within it. The other unknown is how representative our 158 complaints are of the total complaints. These two figures are open to debate and supposition.
well make that 159!
just joined to say that i've been done as well. ordered a £6.99 tyre on the 8th then had a transaction on the 12th (showed up on the 15th) for £187.02 for some posh fruit drink from america!
natwest refunded me that day & know about the CRC frauds. phoned CRC who won't admit it is something to do with them (yet) but they are investigating
no, it mitigates against them
So is it impossible to implement a secure payment portal that's invulnerable to SQL injection attacks (specifically)?
while everyone is discussing 0.1% or whatever it equates to, in terms of CRC client numbers, which is agreed that if you are servicing 5-10,000 orders a day, on an estimated £90-100m annual turnover, is 'minimal,' but has anyone simply added up the various defrauded values in total from this forum? any forum?
That may focus the mindset of the subdued cycling media ?
It's often reported fairly quick when CRC were the victims of various thefts...
http://www.chainreactioncycles.com/News.aspx?NewsID=1532
http://www.singletrackworld.com/2011/02/nigel-page-has-seven-bikes-stolen/
Forgive the criticism, but card fraud, credit, debit or however, produces a victim, whether that's CRC, the customers, or collectively, all of the shoppers who ultimately end up paying for the crime by increased costs at all levels.
(unsure whether debit cards users, are generally protected/notified as to the rights of credit card users?)
Cycle Outlet falls victim/suffers credit fraud of 'x pounds' amount may have more of an 'impact' in capturing the focus of this thread, rather than a standardised line 'a minute percentage of our daily customers relative to our large sales suffered an inconvenience' Meaningless insulting corporate drivel.
So is it impossible to implement a secure payment portal that's invulnerable to SQL injection attacks (specifically)?
That is not what I said. The common misconception is that you implement stored procedures and bingo, don't worry about injection. But if your procedures are crap then vulnerabilities will arise; I can show you examples if you like of poor coding that will lead to this. I've also seen security classes that have introduced vulnerabilities and all sorts of other tosh. The number of times I've heard people say "Oh.. we are safe from that because we've implemented <insert fashionable security package X>".. when the safest path to a properly secure site is to design security in from the ground up AND constantly review and attack the source code.
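The point made above, that wrapping a lookup in a stored procedure protects nothing if the procedure's body splices the caller's value into the SQL text, and sheffield43's earlier question about stored procedures plus rudimentary input checking, are illustrated here with an added example. It is not code from this thread, from CRC or from any retailer discussed. The customer table, its rows, the function names and the hostile input string are constructed assumptions, and Python's sqlite3 stands in for the database so it runs offline: a "procedure" that concatenates its argument is shown beside the same lookup with the value bound as a parameter, together with a plausibility check that is worth having as a second layer but is no substitute for parameter binding.

```python
import re
import sqlite3

# Constructed sample data standing in for a shop's customer table (assumption).
SEED_ROWS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "carol@example.com", "Carol"),
]

# Rudimentary allowlist for an e-mail address: a useful second layer, never the only one.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def find_customer_dynamic(conn: sqlite3.Connection, email: str) -> list:
    """The flawed pattern: the caller hands over a parameter, but the body
    concatenates it into the statement text. Putting this inside a stored
    procedure changes nothing, because the database still parses whatever
    the caller typed as SQL."""
    sql = "SELECT id, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """The same lookup with the value bound as a parameter. The statement text
    is fixed before the input is seen, so the input is only ever compared
    as a string and cannot alter the query's structure."""
    sql = "SELECT id, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def is_plausible_email(value: str) -> bool:
    """Input check of the kind asked about earlier in the thread: rejects
    obviously malformed values early, which is good hygiene and gives you
    something to log, but it is a heuristic, not a guarantee."""
    return EMAIL_RE.fullmatch(value) is not None


def demo() -> dict:
    """Run both lookups with an honest value and with a constructed hostile
    one and return what each variant gives back."""
    conn = build_db()
    honest = "bob@example.com"
    # Constructed hostile input: a closing quote followed by an always-true clause.
    hostile = "nobody@example.com' OR '1'='1"
    return {
        "dynamic_honest": find_customer_dynamic(conn, honest),
        "dynamic_hostile": find_customer_dynamic(conn, hostile),
        "param_honest": find_customer_parameterised(conn, honest),
        "param_hostile": find_customer_parameterised(conn, hostile),
        "check_honest": is_plausible_email(honest),
        "check_hostile": is_plausible_email(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Running it shows the concatenating version returning every row for the hostile string while the parameterised version returns nothing, which is the behaviour a code review should be looking for regardless of whether the SQL lives in application code or in a procedure. The allowlist rejects the hostile string too, but a stricter input format can still be abused wherever concatenation survives, so it belongs alongside parameter binding rather than in place of it.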
Got a mention in El Reg today.
http://www.theregister.co.uk/2011/03/17/cc_fraud_follows_bike_store_purchases/
That is not what I said. The common misconception is that you implement stored procedures and bingo, don't worry about injection
Fair enough.
I just saw that Cougar, it's news now, personally I've not had any problems, but then I've not bought from CRC for about a year and a half, only because I'm skint though 😀
That is not what I said. The common misconception is that you implement stored procedures and bingo, don't worry about injection. But if your procedures are crap then vulnerabilities will arise; I can show you examples if you like of poor coding that will lead to this. I've also seen security classes that have introduced vulnerabilities and all sorts of other tosh. The number of times I've heard people say "Oh.. we are safe from that because we've implemented <insert fashionable security package X>".. when the safest path to a properly secure site is to design security in from the ground up AND constantly review and attack the source code.
Bingo. We run a pretty busy website with hundreds of millions of monthly clicks. We get attacked a lot so we try to stay on top of things. We have many layers of security, but all it takes is one tiny mistake to open up a hole.
So basically you have to try to stay on top of it, and keep maintaining quality. Unfortunately the one who actually wrote the code might easily not notice it. Automated tools might not notice it, and often cost 10000€ per year per computer. Maintaining a team of people just for that is also quite expensive.
I would imagine cases like this will force them to reevaluate how they handle their security. Generally security is seen purely as an expense. You talk about risks, but they are hard to quantify. The only clear thing is that your developers will be doing something where the benefits (from the management's point of view) are not as clear as when they make a new great feature which will directly affect sales. However when a risk materializes it actually wakes people up, and forces management to divert development effort towards increasing security.
I need to order something, can't get it from anywhere else, so is it safe to order from CRC? I don't have a Paypal account.
Confused C_G
C_G
No, there has been nothing at all to suggest (let alone confirm) that it is safe <EDIT> with a credit/debit card </EDIT>.
Paypal does appear to be safe and doesn't take long to set up. I'd suggest you go down that route if you have an urgent need for bits.
<EDIT> I've NOT been stung, bought loads, including during suspect period, but always through Paypal </EDIT>
cinnamon_girl - Member
I need to order something, can't get it from anywhere else, so is it safe to order from CRC? I don't have a Paypal account.
Confused C_G
Yes, it's safe - if you don't mind paying for a hotel in France and some O2 Top-ups.
Suddenly CRC doesn't look so cheap....
I don't think you need a PP account to use it with a retailer
I'd stick with PP for now TBH
Yes you can use PP without an account - so you can do that to avoid using their credit card system.
Select Paypal as your payment option at Checkout... you are then taken to the paypal website to login to your Paypal Account.. However if you don't have an account there is also a 'Don't have a Paypal Account?' link on that page. Click that and it will take you to a page where you can use a card for payment. Your card details will then be handled exclusively by Paypal and not the retailer.
There is also a "bank transfer" option. Was that always there?
keep checking your credit card statements.
It sounds like the details have been sold on far and wide and are still being attempted.
Thanks very much for helpful replies. 🙂
Some of you guys may be baffled by the geekspeak in some of the more searching postings here. All you need to know about SQL injection attacks is [url= http://xkcd.com/327/ ]here[/url].
I'm too scared to click on that in case my sql gets injected.
harman_mogul - thanks for that. That's another evening wasted then 😥
Yes, it's safe - if you don't mind paying for a hotel in France and some O2 Top-ups.
Suddenly CRC doesn't look so cheap....
lol, so true
PayPal is refusing to let me pay at ChainReaction - though it's fine elsewhere...
Been stung here too. Order placed last Sunday, phone call from my CC company the Friday after. Again some O2 top ups in Slough. Reluctant to ever use CRC again.
Plus now signing up with paypal. Though one question I did look but do PP charge for transactions? I saw a charge of 3.4% but not sure if that was for buying from online retailers.
Just read this, perhaps it is not totally Chain Reaction Cycles fault....
[url= http://www.bl0g.co.uk/o2-uk-ltd-prepay-slough-mobile-phone-scam.html ]perhaps it is not CRC fault[/url]
PS sorry if this has been posted before.
I was wondering something along the same lines, ie. if it may not actually be CRC but we think it is because we have been scammed AND have used CRC. The problem being that the stats are heavily skewed because if you are on this forum there is a good chance that you have actually used CRC recently so the CRC link is from being a forum reader and not from them being the source of the scam?
No, it's CRC, they have admitted it to me on the phone.
blades2000 - but to use O2 you have to have card details. Have you read the entire thread?
blades2000 - but to use O2 you have to have card details. Have you read the entire thread?
I'd rather have my card cloned
Hmmmm an interesting one. I ordered something yesterday from CRC and used the Paypal credit card checkout, all went through. Last night I tried to order online from a well-known music/dvd etc retailer and my card was rejected.
This morning I received a call from my card provider to say that it had been flagged up (I have used this music retailer before with this card) and there had been some fraudulent activity involving them. My card has therefore been cancelled and am awaiting a new one. 🙁
I ordered something yesterday from CRC
I won't be using CRC for the foreseeable, even if I could pay by sending them gold plated wood cuttings.
allthepies - I did ask the question yesterday as I don't have a Paypal account and was advised of this alternative method.
Thing is, we had this with another equally well-known retailer a couple of years ago.
£292 of my hard-earned bought tickets on french railway!! luckydog no longer it seems...although HSBC refunded whilst they investigate. Bought from CRC day before...
Janesy - Member
blades2000 - but to use O2 you have to have card details. Have you read the entire thread?
Nope, not read the entire thread, however the article I linked to suggests that they don't need a card number as these are only computer generated, ie they generate their own numbers and test them out. Therefore all I was suggesting was that it may have been the case that CRC was not hacked, however further posts seem to indicate they might have been.
Thanks for informing all of us. We can now only hope that the culprit/s are caught.
I believe O2 have updated their systems - someone earlier in the thread mentioned you need house number or postcode as well. Not being an O2 user I can't confirm this...
However, I can use the internet. From [url= http://www.o2.co.uk/webtopup/helpwithtoppingup ]their site[/url]
There is no registration process involved, all you need is the mobile number you wish to Top-Up and a valid credit or debit card to follow our easy to use 3 Step process.
Step 1
Just enter the mobile number you wish to Top-Up, the credit/debit card type and the amount you want to Top-Up by.
Step 2
Enter your credit/debit card details and registered billing address.
Step 3
Confirm your Top-Up request.
So billing address is needed... therefore random card generation won't work.
Thanks for clarifying that beej. Now I wonder if that means 02 will be able to help catch the right people or if we have no hope. 🙁
I don't think O2 will be vaguely interested in chasing the culprits, wouldn't think the cops and banks will be either unless its a serious amount of cash.
beej, it only checks the numerics in the address and postcode.
well i got stung with this on tuesday while i was in turkey, they topped their phone up the gits. had to cancel the card so no funds for duty free !! not impressed one bit.
gonna contact crc to cast my opinion.
My wife bought me a top from CRC at the end of Jan and 2 days later her email account went a bit hay-wire sending out random email to everyone in her address book.
It has since stopped but is this just coincidence that it was 2 days after her CRC payment or could they be linked? Has this happened to anyone else that knows they have had their bank account copied too?
Her bank account doesn't appear to have been touched.
Bought brake pads on 8/3/11 two 15 quid o2 prepay out on 14/3/11.
Me too I'm afraid, new stem on the 1/3/11 and £15 O2 prepay Slough on the 10/3/11, card cancelled and I've set HSBC fraud onto CRC via this thread.
Seems now whenever i try to buy bike bits my card gets stopped. Right royal pain in the arse.
Seems to me that O2 has been named far too often for my liking, not much into CRC, the service is shit or has been for me.
However O2 have been named and shamed on countless websites in the past for shoddy operating practices.
I think at this point we can't rule out the possibility of them being part of the problem. All we can do is wait and hope more info will come forward and let us understand what is happening.
+1. Just had my card cancelled by Egg because of 'suspicious activity' 🙁
Just found x2 £15 O2 Pre-pay Slough transactions on my account.
Card cancelled.
hard luck Dan.
this thread must have what, 170 to 180 people that were defrauded on it now.
+1...just joined the club.....
apple online store usa tried to charge my card...transaction was blocked by the card company and card is now cancelled...last CRC order was just a few days before...
never had anything to do with apple stores or itunes...
+1 £1800 came off my card when I was on holiday! 👿
+1 just over £3k at John Lewis over the weekend just had "the call" from the credit company.
Are you reporting this to them?
It does seem as if this is a long time issue - Thought CRC would have sorted this out by now.
Hmm.
I bought something from CRC last week (showing on my statement as processed on the 17th). I wonder if it's worth cancelling my card and getting it reissued...?
wonder if it's worth cancelling my card and getting it reissued...?
I wouldn't - if it does get compromised, the down time will be similar to cancelling now
Well, I was about to order some wheels and tyres, as Oz prices are silly, and noone else who does VAT-free and free delivery seems to do CK.
Bugger....
Has anyone had any issues with Paypal on CRC?
TBH, the card's old and knackered anyway, and the chip reads four out of five attempts. I don't really want the hassle, so I've just cancelled it.
I'm actually a bit surprised at how CRC are handling this. I mean, I appreciate that it can be difficult to ascertain root cause in situations like this; however, I'd have expected some sort of press statement on their website.
Is everyone who has had issues emailing CRC? After I read the article on the front page, I emailed them as requested. I wonder how many people who have had an issue have emailed compared to those who haven't. I wasn't going to bother till I saw the news item.
My other half found two O2 transactions on her card statement at the weekend. The card has been stopped, a new one is being issued and a fraud form is being sent for her to fill in.
But, she hasn't ordered anything from CRC since back in December, when she bought some Christmas presents for me. So, either this problem goes back to December or earlier or cases that look like they might be related to CRC business may have nothing to do with them.
I haven't contacted CRC, but I have had 'the email' from them....so unless they've sent it to all recent customers I presume they have been contacted by my card provider....I'd expect my card provider to be chasing it, bottoming out fraud is part of their job as I see it.
Chuckling away to myself at the moment about their new advert (currently on facebook but I assume it will be in press shortly)
Lots of photos of riders (they asked facebook fans to send in pics to be featured) with the tagline "more than just our customers"
Unfortunate choice of words and timing on that one!!
Used my CC at CRC at the start of Feb, just had the call from the bank to say they've cancelled it due to an unauthorised attempt to use it.
Not really looking great for CRC is it?
Has anyone had any issues with Paypal on CRC?
no i was ok, and apparently paypal send them a chit or number they cash in for the money; they never see your actual details
Thankfully when I ordered I could not find my wallet at the time
I wrote an email to CRC...
but so far no answer..
and...I used my card only at CRC since I got it last year, so it is evident that the issue comes from CRC..at least in my case
will change to paypal for my next purchase...
+1.....10 days ago.CRC purchase.. Same O2 attempt, card cancelled.
Have many people had a phone call from CRC? I emailed them to advise I'd 'suffered' about a week back; yesterday a CRC fella left a message for me at home offering apologies and wishing to discuss. I guess they are trying to reclaim some goodwill from customers & I guess they've got a very long list of people to call!
^ That's because they realised who you were from Sunday night's television. It's good sometimes to be in the public eye 😉 😀
Yesterday I purchased a chainring on CRC. 2 hours later barclaycard stopped my card after a suspicious transaction (which was fraud).
panda
when/where did you use it prior to that menmissespanda?
CRC transaction last week. CC stopped today 🙁
CRC still haven't fixed it.... 🙁
I hadn't used my CC for a month previous to that...
CRC refund on the 17th, Wandsworth council received payment for a parking fine on the 18th from my card whilst I was walking to Tesco's in Newcastle 🙁
2nd card done, at least this one was only £50 my credit card was done for £1500 the day after I bought something from CRC.
As holyhutzpa says, CRC still have issues
I'll stick with wiggle, plus the CRC website is stupidly slow...
I was done (2 O2 payments) and mentioned this back on the first few pages of this thread.
I sent a mail to CRC but have had no contact from them so I have just bought some nice new pricey Assos from Wiggle.
Not sure why some people have had contact and others not.
MM
Used CRC on 5th March..
£230 for Argos Mastercard taken out of my Halifax current account on the 19th.
This is the first time any of my cards have been compromised
Is it worth me mailing CRC..or don't they care??
Wiggle/Merlin for me in future
I just bought a chain ring using paypal, will I be OK?
