be interesting to see if this makes a dent in their market hold, I have got sick of visiting CRC to find the headline bargain price only applies to one odd size, it totally distorts google shopping etc. They are no longer my default supplier and it looks like others are having similar issues. How many non-forum users have had their cards done and not linked it to CRC, though?
Colleague of my wife's card was stopped today due to fraudulent activity. Might just be coincidence but he shopped at CRC last week...
Seems it is [i]still[/i] going on! 🙄
My card has been cancelled. Someone had the card number and tried to do a change of address and new pin number for it! The bank considered them to be crooks and cancelled my card for me. The fraud team doesn't think that anything fraudulent has been taken from the card. There are Wiggle transactions, amazon transactions and CRC transactions. Could be a coincidence?
Well that's just great. I haven't been able to ride for ages, the first bike parts I buy in years(for a mate) and I get had.
I don't have an O2 phone and I'm certainly not in Slough.
Looks like I have the same problem.
I have made 5 purchases this year from CRC.
Just got a call from MBNA. Vodaphone top ups, multiple £20 trying to be taken from my credit card.
That's the second credit card I've had this happen to recently.
Other than the worrying fraud this is a major pain for me as I am working away from home a lot and it takes a while for new cards to get sent out and your online access reset.
Talking to the fraud department of MBNA they said that it could take up to 18 months before attempts are made to take these topups from your details. In other words your details could have been taken and be dormant for a long time.
Interesting to see another online retailer's handling of a similar (although not payment detail related) situation:
http://www.bbc.co.uk/news/technology-12819330
I don't like this at all, whoever is behind this is very organised and effective, this will force a lot of business PayPal's way.
If this happens to more large companies in high profile cases, certain individuals stand to make a lot of money.
Best thing is to simply watch what happens and if you don't have paypal and it's secure, set it up!
Anyone else?
Me too, £800 Tesco.com and 2 lots of £15 on o2, plus £250 to some Paypal account. 9 days after CRC purchase no other action on the card.
play.com have shown crc the way when it comes to handling a security breach. They immediately sent an email warning of the issue and giving details of exactly what had happened. The only info I have received from crc is 1 vague email sent over a week after they were first aware of the issue.
Have they resolved the problem? Is it safe to shop there again? I have no idea so I've just started shopping at Wiggle instead.
I'm not sure why these retailers are holding card information anyway. PCI-DSS is the security standard for merchants and is a reasonably onerous and painful process. Best way for online is to include a payment gateway to a provider that has to deal with all these issues - yes you retain customer info but nothing to do with payments. That's what I always recommend to my clients as while it's not bargain basement it does mean the risk is moved to somewhere else which is always nice 😉
I'm not sure why these retailers are holding card information anyway.
It wasn't even an option for us when we set up our site 15months ago.
Simply not allowed to see details and being a Scottish company we are not allowed to store them either if we were.
WorldPay deal with all that number stuff and we get a thumbs up or down and an address confirmation to send the goods ordered. Seems pretty safe all in.
well, Play.com have done a reasonable job but not in a terribly timely manner;
[i]We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded.[/i]
So they knew for 3 months there'd been a security issue and hoped it hadn't affected them.
starsh78 - Member
I'll stick with wiggle,
Babyjack - Member
................Is it worth me mailing CRC..or don't they care??
Wiggle/Merlin for me in future
stuboy2uk - Member
Have they resolved the problem? Is it safe to shop there again? I have no idea so I've just started shopping at Wiggle instead.
You guys do realise - of course - that Wiggle were the centre of similar allegations last time something like this surfaced don't you?
[i]Wiggle were the centre of similar allegations [/i]
and frankly did a worse job of managing the situation than CRC.
Wiggle's 'PR' seemed to consist entirely of saying 'not us' and waving lawyers at sites where anyone posted anything to the contrary.
To CRC's credit, they've not shut this thread, or others like it, down.
I wasn't aware of that.
*Goes back to CRC*
No public update from CRC since 17 March? Nothing on their website that I can see.
thebikechain - we use WorldPay as well - seems like a good option.
Maybe it will all turn full circle, and we'll start visiting those buildings in our towns called shops.
I used crc right after this thread started (hadn't read it) and so far touch wood nothing dodgy 'appears' to be happening with my bank account. I hope I haven't spoken too soon 😯
Hi Folks,
Since our last communication, we have continued to carry out a full forensic investigation following recent reports and concerns from our customers experiencing credit card fraud after placing an order with CRC.
The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.
Recent customers of CRC may find that, as a precaution, their credit card company will issue a new card. Be assured that if this does occur it does not indicate that your details have been compromised.
The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.
We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.
Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.
If you have further enquiries about this issue please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.
Thanks again for your patience and support,
Michael Cowan
CRC Senior Management
Thanks for that Michael, the explanation is appreciated
Can you go into more detail about this man in the middle attack?
I've had a fraud attempt on my card. Yes I have used it to buy from CRC (early March, I think was the last time), they attempted to buy something off ebay with it. It's buggered up my 3DS pre-order 🙁
I haven't read all 21 pages, so apologies if I'm rehashing something that has already been covered.
It seems CRC have conceded that their systems have been compromised. So, why is the first I hear about this a call from my Bank's fraud prevention dept? Shouldn't CRC be warning the "small proportion of recent CRC customers" that they should be being extra vigilant for any fraudulent activity with their credit card?
CRC will need to go that extra mile if they are to regain my trust. There are plenty of alternative places I can shop.
Let's hope the security experts have crawled all over the site looking for further weaknesses. I expect they are very expensive, but clearly worth it.
Seems to me that CRC is behaving very properly and I for one really appreciate them posting updates on here.
need to bring their prices back down again eh 🙂
started looking elsewhere now,
I didn't get hit as I use paypal with CRC but I really do appreciate CRC's latest response which seems pretty honest - Good on you and a lesson in how much better it is to do this rather than deny, deny, deny as per the other big online retailer mentioned just above.
Any online retailer can be hit - the fact is there's no such thing as totally secure - and I hope that this episode now means that CRC will be taking this even more seriously than hopefully they did already. It would be good to know what measures (organisation, process, etc rather than specific technical things) are being taken to try and minimise the risk of it happening again.
Whenever they say forensics I always think the computer guys will be wearing those white suits...
Good to see they admitted there was a problem, rather than just deny it. Shame I have no money to buy anything at the mo.
A discount voucher for those of us affected would be nice, seeing as it was such a low number of us 😉
I'm not happy at all with that explanation. I want more details about how card data was obtained and what measures have now been put in place to prevent reoccurrence before I trust crc with my card again.
I think what Michael has said is fine - there was a problem, it's resolved and they're keeping an eye on it. Fair play to CRC for not suppressing the whole thing and, in time, admitting there was a problem and now confirming it's resolved.
The bloke from their software house who started blaming the victims needs to be fired, though.
Any expectation that someone's going to publish full details of how their site was hacked is pie in the sky - anyone using the same software is going to be equally as vulnerable and there's nothing to be gained by detailing what steps have been taken - it only gives any future hackers something to work with.
Many online retailers pay to have all of this carried out by a 3rd party (such as WorldPay). I'd trust the professionals to get it right.
clubber - Member
Any online retailer can be hit - the fact is there's no such thing as totally secure -
Does this mean it's ok to visit 'dodgy sites' now they are not to blame?
Yeah, like that was going to stop you 😉
Card cancelled as a matter of course...
May or may not be real, but I'm happy to ditch the card I used on their site in the past month and get a new one - good risk aversion.
Interestingly I want to buy a load more kit from the site. Perhaps paypal is the way to go...
NZCOL has it.
Not all organisations can hand off CC data (we don't in the main part), but I can testify to PCI-DSS being pretty thorough. We adhere to it, and are audited on it regularly.
And whilst it won't stop your min-wage person stealing the odd card details it does a credible job of preventing bulk theft (as it's designed to).
I wonder if CRC is PCI Compliant? Anyone asked?
That's for the fraudsters...
Won't name names, they'll be reading this...
But let my bank know of this thread (post cancelling my card as above) and risk, got a phone call back to say thanks and being handed over to CC fraud dept.
Nice warm feeling at mo for my bank. 😀
21st March £648.27 debited to Flight Centre in London a week after a transaction from CRC 👿 . Not what I wanted to wake up to in the morning.
Dirty thieving gypsy scumballs
How do you know they're gypsies?
Unwashed, maybe. Thieving, definitely. Scumballs, certainly. But I'm not quite sure how you can ascertain their race from these factors 🙄
Good to see CRC using modern media to address its image / problem.
I'm happy to use them (PayPal to be safe).
Compared to others, they seemed to handle the crisis pretty well.
Dear Mark resident grumpy can I be the first of many to say 'Nar Na Na Nar Na.... told you!!
😳 😉
I'll get my coat!
Just kidding, good moderating of a tricky situation 8)
Pmsl
Michael Cowan as I suggested to that nice lady that rang me up, please please can you use verified by visa?
21st March £648.27 debited to Flight Centre in London a week after a transaction from CRC
Can you find the flight details and go and wait for them with a couple of hired goons?!
zokes - Member
Dirty thieving gypsy scumballs
How do you know they're gypsies?
Unwashed, maybe. Thieving, definitely. Scumballs, certainly. But I'm not quite sure how you can ascertain their race from these factors
Gypsies are not a 'race'...
I posted a comment in this thread this morning but it appears to have been removed.
Anyway it said something along the lines of, "Maybe the CRC IT guy, who slagged us all off and blamed everything on us because we were all downloading p0rn, would like to apologise"
someone gonna delete my post again?
darrell - I suspect you've been the subject of forum crankiness rather than moderation - the post I made last night saying that the supplier (he's not a CRC member of staff) who blamed everyone else should be, errm, talked to is still there.
hopefully right. but it would still be satisfying for us to get an apology from this person
The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected
Really, we are all surprised by that truly stunning revelation 😯 I know you may need to be sure it was you etc before doing something [not like you get accused of this every week now is it, suggest there was some merit to it] but your very slow response - did I really need to hear from a forum that your site was dodgy [compromised as you prefer to say] from a bank, defrauded friends etc rather than you - and no e-mail yet to my registered account.
It is probably not your fault what happened but your way of handling it [head in the sand till you confirmed what we already knew - more cynically I could say could no longer deny it] has probably lost you more customers than the actual event. Stuff happens and we deal with it. You have dealt with it spectacularly poorly IMHO, not least suggesting we all had trojans etc.
[quote=crccustomersupport]we are confident that we have fully addressed any weakness in our infrastructure.[/quote]
Don't be so cocky...
Now word has got out that you actually hold CC details on-site, expect more attacks.
There is [b]always[/b] someone smarter than your IT department.
Very poor PR handling of the situation too - you have lost the confidence in many many customers, who no doubt will have jumped ship by now.
[i]Now word has got out that you actually hold CC details on-site[/i]
Do they?
The fact that stuff was being captured in real time would tend to argue that data was not being stored locally?
WOW CRC just gave me a very very nice voucher to use on my return visit!
WOW CRC just gave me a very very nice voucher to use on my return visit!
Me too.
It would be more correct to say that the details are being captured by the CRC IT systems and then being forwarded on to the payment processing agency. They [i]are[/i] being stored, even if you consider that to be temporary. Regardless, it does mean that the CRC IT system is a target.
wwaswas - Member
>Now word has got out that you actually hold CC details on-site
Do they?
The fact that stuff was being captured in real time would tend to argue that data was not being stored locally?
WOW CRC just gave me a very very nice voucher to use on my return visit!
Got the same one, a bit of faith has been restored.
Details?
Details?
Basically what they have posted on here but with an added bonus of £30 off when you next make an order.
Sorry for the confusion - by 'on site' I mean, they get passed through CRC's IT infrastructure, even if it's only a temporary stop over. This still allows an angle of attack.
Who knows, CRC might completely outsource their payment to a 3rd party landing page, so no CC details are actually going through their infrastructure...
Recently, Play.com emailed customers to say their 3rd party email system (Silverpop) had been compromised. They were quick to state it was a 3rd party issue, not their own infrastructure.
£30 - nice! Almost wish I'd got done..
I'm relatively happy, I've got thirty pounds off my next order.
Unfortunately I've been telling myself no more CRC - because I had hoped they would be more proactive contacting potential victims. Although I can understand why they didn't..........
Think I'll wait a few weeks to let other people be the guinea pigs.
When did those vouchers come through? I also got done, but haven't had one yet!
I've got the email with the voucher too, arrived in my inbox 50 minutes ago.
It's a nice gesture. CRC seemed to start reacting to this problem slowly but appear to have dealt with the problem professionally now, let's hope the site stays safe.
Tom83 did you contact them about getting done?
Now watch for a flood of emails to crc....'I got done too, I got done too!' 😉
They would seem to know who is affected, as I never contacted CRC directly but they have contacted me. So unless they used this thread, and checked profiles to get emails (which is possible) their system analysis must have revealed who may have had a problem with their site.
Well I for one don't care about the 30 quid voucher. The hassle and inconvenience of having my card replaced and the pi55 poor PR means that I will take my business elsewhere. And as I live in Norway ordering from Bike24.de won't take any longer than waiting for CRC - and their service in recent months has been very slow anyway
I was a relatively early poster having had my card done a few weeks ago. Bank called me, all cancelled, sorted and new card a week later. I emailed CRC, got a decent reply, followed up by a phonecall end of last week. Also just received the £30 voucher. All in I can't complain. My card has been done probably 3 times in the past 5 yrs and this is the first I have had an apology and a goodwill gesture. That said previous frauds not necessarily so easily attributable to one source.....although there was a Wiggle rumour I recall....
Well that was useful.. my bottom bracket died last night and a new xt one just happens to cost £30!!
£30 voucher here too; hadn't contacted them; hadn't posted about it; they know who's been done.
Agree with iain, I've been done about 3 times in the past and this is the first goodwill gesture I've seen and from my POV, they've handled it pretty well; I've used them for the last 5 years and have never had any other problem, and when I have spoken to them, they've been nothing but helpful so will continue to use them.
Gypsies are not a 'race'...
Care to define 'race' then?
I don't know whether to trust the 30 quid voucher email I got!!
Just ordered some new Mace shorts thanks CRC. £50 down to £28 and now free. Sweet.
zokes - Member
Gypsies are not a 'race'...
Care to define 'race' then?
Have a read.. 🙄
http://en.wikipedia.org/wiki/Race_(classification_of_humans)
Toons - I did email them, this was before they set up dedicated line etc. Might be worth sending them a gentle reminder nudge!
I got done, and posted here...no voucher tho! 😥
£30 voucher here too, and I'll most certainly be using them again. I'd like for them to tell me exactly how they knew I was one of the people who'd been affected?? Not sure if it's from here, via MBNA fraud or is it that they are giving the vouchers to everyone who had bought from them over the past month or two?
Check your junk mail. My email came through as junk - nearly binned it too as it's not from an address I've saved as CRC correspondence.
Agree with iain, I've been done about 3 times in the past and this is the first goodwill gesture I've seen and from my POV, they've handled it pretty well; I've used them for the last 5 years and have never had any other problem, and when I have spoken to them, they've been nothing but helpful so will continue to use them.
Been using them since '04 and never had any problems. I've been done on a card and never had emails let alone a voucher. Fair play to them I say.
For those who've not received a voucher or email I would say get in contact. Have you tried entering your email into the voucher code though to see if you're eligible?
I've received 2 £30 vouchers, one to my registered email on my account and one to my works email account that I complained with 😀
I'm very happy
Woohoo! £30 voucher for me too. All is forgiven, I'm very easily bribed. Think I'll be using Paypal from now on though.
Have a read..http://en.wikipedia.org/wiki/Race_(classification_of_humans)
[url= http://en.wikipedia.org/wiki/Romani_people ]Oh look, I can use wikipedia too![/url] They are a [i]distinct ethnic group[/i], which unless you're playing petty semantics to hide your own racist attitudes, would constitute a race for most people's purposes of distinguishing racism.
HTH
£30 voucher here too; hadn't contacted them; hadn't posted about it; they know who's been done.
So, if this is true we can deduce that the logger output was still on the server and available to read and that the CC logger logged not just the CC number and CVV ('cos CRC don't store that so couldn't back match) but also the customers' personal details. That's a fairly blatant stream parser which CRC didn't spot for a good week after being told they had an issue. Someone is getting fired.
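The post above reasons about what a capture of checkout traffic, sitting in readable log output on the server, would contain: PAN, CVV and the customer's personal details together. A merchant-side control that catches exactly that condition is a scanner over application logs that flags Luhn-valid card numbers and whether a CVV field and personal data sit on the same line. The following is an added example written for this thread, not code from CRC, WorldPay or anyone posting here; it assumes nothing about CRC's real systems, and the log lines in SAMPLE_LOG are constructed (the card number 4111 1111 1111 1111 is a standard test number, not a real card).

```python
"""Detect payment card data leaking into application logs.

Added example, not CRC's code. Log lines below are constructed for
illustration. PCI-DSS forbids storing the CVV at all after authorisation
and requires the PAN to be unreadable wherever it is stored; a debug log
that records the raw request body breaks both rules, and is what an
attacker reading the server's files would harvest.
"""
import re
from typing import Dict, List

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV-looking key=value or key: value field anywhere on the line.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|csc|security_code)\s*[=:]\s*\d{3,4}\b", re.I)
# Field names that indicate personal data accompanies the card number.
PII_KEYS = ("name", "address", "postcode", "email")

# Constructed sample log: one clean order line, one leaking debug line,
# one line with a non-Luhn number, one line using a gateway token instead.
SAMPLE_LOG = [
    "2011-03-21 09:15:02 INFO  checkout order=1234567890123 status=ok",
    '2011-03-21 09:15:03 DEBUG gateway_request body="pan=4111 1111 1111 1111&cvv=123&name=A Customer&postcode=BT1 1AA"',
    "2011-03-21 09:15:04 DEBUG retry pan=4111111111111112 cvv=123",
    "2011-03-21 09:16:10 INFO  payment token=tok_8f3a2c1d approved=true",
]


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual display rule), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> Dict:
    """Classify one log line: masked PANs found, and whether CVV / PII sit beside them."""
    pans = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(mask_pan(digits))
    cvv = CVV_RE.search(line) is not None
    pii = [k for k in PII_KEYS if re.search(rf"{k}\s*[=:]", line, re.I)]
    severity = "none"
    if pans:
        severity = "pan"
        if cvv:
            severity = "pan+cvv"
        if pii:
            severity += "+pii"
    return {"pans": pans, "cvv": cvv, "pii": pii, "severity": severity}


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one finding per line that contains at least one Luhn-valid PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = scan_line(line)
        if result["pans"]:
            findings.append({"line_no": n, **result})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['severity']} {f['pans']} pii={f['pii']}")
```

Only the constructed line 2 is reported, as "pan+cvv+pii": the order number on line 1 fails the Luhn check, line 3's number fails it too, and line 4 carries only a gateway token, which is the pattern the WorldPay posters describe and the one that leaves nothing worth stealing in the logs. The Luhn filter cuts false positives but does not remove them (a 13-19 digit order or timestamp value can pass by chance), so treat hits as triage candidates and run the scan on log files before they are retained or shipped anywhere.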