That's overkill. PayPal is safe here because CRC never gets any of your PP details other than your email address and confirmation that you paid. Unless PP is compromised ( 😯 ) then it's fine.
Cheers Chewkw.
Worth the extra £10 IMO to save potential hassle & be safe so Wiggle wins the day.
[geek mode]
Also CRC might even be blacklisted by bank due to their weak on-line security.
There are a set of standards that retailers have to comply with, otherwise the banks refuse card transactions from them. These standards are referred to as PCI (Payment Card Industry) Security Standards. Retailers have to appoint an Accreditor who [s]makes a lot of money[/s] reviews the retailer's security and passes them as compliant. Compliance requirements include things like password protection and renewal, card detail encryption at point of entry, security of physical IT networks etc etc. It's a moving feast that changes all the time in response to flaw exploitation by criminals.
The best one I heard was the gang that installed radio transmitters in several hundred card readers in the factories in China. Only discovered by chance in the shops after they had been installed.
If their system isn't accredited by the banks for security then the banks would refuse card transactions from them, so they would not be able to take card payment from customers at all. It's the bank that takes the hit on any fraud.
p/s: I remember asking several on-line retailers how they store the CC information
Probably a retailers most guarded secret, no retailer will disclose that due to the security risk.
[end geek mode]
I do feel for CRC's customers and think CRC should come clean about this, rather than turn a serious security breach into a PR & commercial disaster (they are a top 100 retailer after all).
clubber - Member
That's overkill. Paypal is safe here because Crc never get any of your pp details other than email address and confirmation that you paid. Unless pp is compromised ( ) then it's fine.
Agreed.
I'll caveat my post by saying that you should make sure your PP password isn't the same as CRC or any other site for that matter.
clubber - Member
That's overkill. Paypal is safe here because Crc never get any of your pp details other than email address and confirmation that you paid. Unless pp is compromised ( ) then it's fine.
Yes, it's overkill, which is a slight hassle, but then it's only changing your p/w and you can always change your p/w back again at a later date considering all the CCs breached.
But there's no point or reason to do it as it's irrelevant. I could just as reasonably suggest you sacrifice a chicken.
Though I'll point out again that if you use the same email/pw for pp as you do for everything else you're asking for trouble anyway.
Hmmm I was surprised at the number of people who reported problems with other Internet sites after STW was hacked due to having the same password!
EDIT: 3 purchases here from CRC using paypal and no problems, but have changed password just to be safe!
Why would you change your paypal password? That's completely pointless in this case.
bigjim - MemberWhy would you change your paypal password? That's completely pointless in this case.
Just a precaution, that's all, but if you are confident that it will not affect your PayPal then don't change anything. We just don't know how advanced some trojans can be nowadays.
Guess what, yes I have just had the phone call last night from HSBC, my card details have been scammed. My last transaction was with CRC 2 weeks ago. O2 vouchers £30 worth was tried but HSBC blocked the transaction as they said that my card number was on a list of many; they seem to know which card numbers have been scammed.
Paypal from now on.
[b]Chewkw[/b] you just haven't read this thread at all... have you... 🙄
No issues at all with people paying by PayPal, which is also the payment window for many many outlets including eBay. This is specific to CC payments to CRC. Credit card companies are implying that it is CRC themselves who have been compromised. Very clear that this is not a trojan or a key logger on the customer side. Could be a problem with hacking of the third party who provides CRC's payment system, or an inside job.
Why would you suggest something like that ❓
Do you guys have nothing better to do than argue on the net? It would be nice if the size of this thread was in proportion to the size of the issue, rather than in proportion to the amount of guff you want to spout.
World's largest online Bike Store has dozens and perhaps hundreds of scam transactions... not exactly fast to respond or fess up...and does not mention anything about it on their home page...
[b]waderider[/b] how big an issue does this have to be... on a bike forum... ?
The way CRC are handling it is almost a case study in how to not manage a problem. They are really at risk of permanently damaging their credibility and customer relationships unless they:
1. Formally acknowledge the problem
2. Tell us how big the problem is
3. Tell us what steps they have taken so far to mitigate the impact on customers who have had card data misused
4. Tell us whether the police are involved yet (if they are allowed to confirm this)
5. Tell us who is accountable for resolving the current issue and putting things right and how any improvements to site security will be communicated to customers.
Until they do these things, I suspect that many long standing customers will vote with their wallets and shop elsewhere.
The other question that arises out of this debacle is the role o2 seem to be playing in enabling compromised card data to be used for the purchase of airtime.
Presumably it's fairly straightforward for o2 to determine the channel through which the airtime is being purchased, and the phone numbers that it's subsequently used on (as well as where these phones actually are).
o2's systems seem to allow (by accident or design) large numbers of credit card numbers to be used to purchase airtime that is presumably used on a small number of phones that in turn are used in static places for low cost call operations. Surely it can't be that difficult for o2 to stop their own systems being used to monetise the proceeds of fraud?
John,
you are so right. I emailed CRC many days ago, per their post on this thread. I have heard nothing back.
So... I have just ordered 2 new tyres from those nice chaps in Portsmouth. I paid a tad more, but security's worth a few pennies.
Do you think it is a small number of people who are purchasing things with everyone's CCs, or do you think it would be a large scale operation?
I would have thought there is the ability to trace all of these in this day and age of modern whiz bang technology?
A few members of another forum (Swedish, so I guess no point in linking) have reported problems using Paypal too. There were attempts to use their accounts at other online retailers after purchasing from CRC. Don't know how much truth there is to it though, just that I won't be touching CRC for quite some time.
My card got scammed about a month ago (those small fishing transactions, luckily Nationwide picked up on it). Reading this thread I'm thinking it must have been due to CRC - I barely use my card anywhere else online. Absolute swines. I won't be shopping there again.
Warpcow - the way you pay with pp means you never actually show your pw to the retailer. You enter your pp pw into paypal itself even if you've got there via a shop. For pp to be compromised via crc it'd have to be a completely different method of fraud.
I understood that (it's my preferred method of payment in other stores), but figured it might be worth noting even if it seems unlikely. I guess it might be users having the same password for their CRC and paypal accounts.
Bought at CRC with my debit card on the 8th; had a £20 O2 prepay voucher purchased on my card this morning.
Yep but again, you really are asking for it if you do that...
Is that directed at me?
Aimed at my comment I think 😉
The "Delete Previously used Debit / Credit Cards" on CRC has gone.
If I log on I cannot find it - maybe it's me, but last time I looked I found a message that "no card info is currently held". So something is being done their end.
Out of 6 riders today - one had been hit, he had no idea of the link. Bank phoned up and said his card was one of many they were cancelling as a precaution.
Yes, aimed at warpcow 🙂
I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning, fortunately it was declined. They even went to the extent of changing the password on the RBS Secure (an extra level of security for online purchases). I was only notified by an e-mail thanking me for changing my password. There will be several phone calls to several customer service departments demanding to know what the hell is going on.
I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning
It was Chain Reaction Cycles that was the source of the attempted charge?
That's exactly what happened to me,only with TSB's Clicksafe system. To be fair , my money was paid back within 3 hours of contacting their fraud dept.
The way CRC are handling it is almost a case study in how to not manage a problem.
well I'm impressed that they haven't taken the Wiggle approach (we remember that one?) where all posts talking about the problem were removed with the threat of legal action (although I'll not be too surprised if this thread doesn't go missing at some point soon)
I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning,
Sorry, I worded that badly, I should have said
"I ordered online with CRC last Sunday, this morning some scammer tried to hit my card for £699"
I had started to calm down after this morning, but having been made aware of this thread and then reading it, I am now fuming again.
Tim
Especially as it appears they must sponsor STW a fair bit with the amount of ads currently on here.
Still can't understand why they haven't made an official announcement. I would hope they do tomorrow with it being Monday and a working day; it's not even that they don't know this post exists!
Plus think how many use CRC who don't even use STW and are getting card swiped.
I wonder why the scammers think they could get away with using others' CCs; surely whatever they pay for needs to be delivered to an address and that should be a dead giveaway location ... 🙄 The rest just leave it to the police but yes the cost of arresting is expensive.
🙄
Just got the same issue.
Bought something from CRC a week ago. Tried to pay by PayPal but there was an error in the transaction between CRC and PayPal so paid on debit card. Just checked my account today and got a £30 O2 Prepay debit on my account :-(
chewkw, I know a bike shop owner that got robbed of a 3k bike. The courier delivered it, signed for (with a scribble) and that was the end of it. Someone got a bike for free after calling up their bank and telling them that someone had just bought a mountain bike using their card.. then got it refunded.
You could easily sit outside someone's busy street address in a car and pop out when you see a delivery driver. You could sit there all morning waiting for an expensive bike and pretend to be the occupant.
surely whatever they pay for needs to be delivered to an address and that should be a dead give away location
It seems to be mostly mobile telephone prepay vouchers that are being purchased. For all intents and purposes, they are untraceable.
Before the pitchforks come out, it's worth noting that the O2 Prepay fraud goes way, way beyond a bunch of riders who think they've found the common denominator. A web search ([url= http://www.google.co.uk/search?q=o2+prepay+fraud&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a ]link[/url]) brings up incidents going back over the last few years. O2 even recognise the issue as far back as 2008 ([url= http://forum.o2.co.uk/viewtopic.php?p=68319 ]link[/url]). One post I found on moneysavingexpert.com makes this point:
So many people are so quick to accuse companies, banks, or websites, for allowing their card details to be passed to fraudsters. This is, in general, not the way it works. Large sites (e.g. PayPal) do their own payment processing, and smaller sites subcontract this out to someone like WorldPay. All these organisations have to be so very careful with our card details, as the amount of fines and worldwide reputational damage would be crippling to their business. I do not believe that these companies have anything to do with these fraud cases.
All these cases of PAYG mobile top-up fraud happen online. That indicates that a 'clone' of the card doesn't exist. So the fraud probably doesn't originate from an ATM, because a device on the ATM, along with 'shoulder-surfing', would enable the fraudster to create a clone, and this, along with your PIN, could be used for ATM withdrawals.
Instead, all that they have is your 16 digit card number, your three digit security code, and your expiry date. With a powerful enough computer, they can just create millions of different possibilities. Each of these is used for a small 'authorisation' transaction, typically for about 1p. (This normally doesn't show up on your statement, but you may notice your available balance decrease by this amount for a few days where one of these has occurred.) After they get a successful one, they'll put through a 'real' transaction, for a low value. This is where you see the mobile top-up or cinema ticket.
There is nothing that we can do to stop this at the present time (without advances in technology), apart from being vigilant ourselves (so that we notice the transactions quickly and can stop our cards) and hoping that the banks do the same (e.g. Halifax phoned me to warn me as soon as my card number was used fraudulently; I think Egg do the same). And don't try to shift the blame onto random websites/ATMs that you've used recently, chances are, they don't deserve it. (Although there will always be the odd exception, I appreciate that!)
There is the possibility that scammers are just going into overdrive at the moment and CRC are getting blamed because it's what all of the victims on STW have in common; and it's human nature to try and observe a pattern or common thread.
In which case there would be a similar proportion of non-CRC users also being hit. But I'm not aware anyone has yet posted along those lines?
Three_Fish - Member
There is the possibility that scammers are just going into overdrive at the moment and CRC are getting blamed because it's what all of the victims on STW have in common
In which case there would be a similar proportion of non-CRC users also being hit. But I'm not aware anyone has yet posted along those lines?
We aren't exactly dealing with scientifically collected sample data, though; are we? The point is that this problem has been around for years and there is no particularly compelling evidence to suggest that CRC are in any way responsible or negligent. I'm not saying for a minute that what is being discussed in this thread is definitely [u]not[/u] an example of a particular company's (CRC) security weakness; but it could be just as likely that they are completely unconnected.
Perhaps we'll hear from them once business hours resume tomorrow. Virtually all of the bicycle-related forums are discussing the subject and CRC will have to demonstrate some kind of response sooner or later.
It's at least a week since this was reported. Why would another day make a difference?
Three_Fish - Member
Perhaps we'll hear from them once business hours resume tomorrow. Virtually all of the bicycle-related forums are discussing the subject and CRC will have to demonstrate some kind of response sooner or later.
It's at least a week since this was reported. Why would another day make a difference?
I don't know - maybe they didn't think that it would reach the intensity that it has in the last few days. That, however, and like pretty much all of this thread, is nothing more than conjecture.
So the comments from CRC management saying they are investigating and asking affected people to contact them earlier in the thread don't count for anything then?
You did read all 11 pages before commenting I presume?
Same problems here.
28/02/11 Ordered from CRC, paid by card.
01/03/11 Items dispatched.
02/03/11 Items arrived.
03/03/11 Card charged by CRC.
07/03/11 Card fraudulently charged with 2*£15 O2 Prepay.
08/03/11 Checked online bank statement, noticed discrepancy, notified bank (Barclays), had card stopped and amount refunded immediately.
10/03/11 Received new card.
Ordered on personal PC running Linux, using Chrome browser.
I wasn't aware of the potential CRC link until Mr Fluffykittens told me about this thread a few days ago.
All a bit of a pita, and what's worse is that it was new shoes that I'd ordered and I've been too ill to use them 🙁
meh.
Fair enough about the recent comments on here from CRC; to me it does seem that CRC are waiting for people to notice a problem and then happen upon an internet forum to realise the cause, rather than proactively contacting customers to say there might be a problem.
It wouldn't surprise me if there are quite a few CRC customers who have been hit, but don't realise as they have no way of knowing, and who don't frequent the forums to find out. Surprising as it might seem 😀
It's pretty clear that they have lost card data at point of receipt prior to encryption as it goes through their e-commerce system. Either through internal or external fraud. They MUST also by now have an idea of the data range of which customers are affected.
How difficult is it for them to punt out an email to all recent customers saying "sorry guys there has been a problem". It's not like they have a problem emailing customers, is it?
Whether it's a weekend is irrelevant IMO as they have been taking money off people all weekend. For a company their size it's poor treatment of their customers and I guess a commercial disaster. Three_Fish has it about right what they should be doing.
So the comments from CRC management saying they are investigating and asking affected people to contact them earlier in the thread don't count for anything then?
Of course they're investigating, and it's obvious that they'll also be considering the [b]possibility[/b] that the problem is directly related to them.
How difficult is it for them to punt out an email to all recent customers saying "sorry guys there has been a problem".
It could be extremely difficult, I'd imagine, from both a legal and commercial point of view. Nobody here actually knows the percentage of CRC's customers that have been affected, so if it is, for example, two to three percent, it would be foolish of them to contact all of their (potential) customers and tell them that their system is not, or may not, be secure. If what they have now is a commercial disaster, an admission of responsibility could be many, many times worse. I'm not sure how a public admission, or even suggestion, from them would affect their position in terms of liability.
I read about this on the website road.cc forum.
I can't see it anywhere else, BikeBiz or Cycling News?
http://road.cc/content/forum/32203-chain-reaction-cycles-credit-card-fraud
Just been on to the bank - £1200 to johnlewis and another £600 to an online site from yesterday. My last order to CRC was on June last year so unsure if it's related or not. The guy I spoke to did say "there has been a lot of suspicious activity recently".
Ordered on CRC last week, got a phone call from the bank yesterday saying that a payment of £15 for an O2 top up had been declined.
Card cancelled.
Ordering from CRC in the future definitely cancelled.
From reading in a Finnish biking forum I find it hardly unlikely that this would not be directly related to CRC. There is a load of Finnish customers who have not used their card for any other online services then CRC, and they have been contacted by their banks within the last few days regarding closing the card for security reasons.
Actually, despite all this I will still be using CRC (just have today).
I use PayPal and I don't see any online shop being more or less safe than CRC is. Didn't Wiggle have an issue some time ago?
They may never find out what happened or how, but in the meantime the CC purchases that were illegal have / will have been refunded. So hopefully people will only have lost some time and not money.
I phoned Barclaycard earlier to cancel my card, they asked why so I told them about CRC etc and immediately the bloke in Bombay starts trying to sell me Identity Theft / Fraud Insurance, a bargain at £80/year! 😯
I told him I'd just like to cancel my card, get a new one. Had to sit through another few minutes of sales spiel, then I finally interrupted and asked him if he'd cancelled my card. "Oh, why do you want to do that?"
AARRRRRGGGHHHH!
It'd be simpler just to let the bloody fraudsters have it!
Seems to be sorted now and apparently my new card is in the post. No doubt with a whole load of sales crap attached to it.
I hate Barclaycard - haven't used them for 10 years !
Just been stung myself, on a card I've not used for anything for a while... Bank asked "Can you think of any way that someone could have got hold of the card details?" so I said "Well, there's a rumour going round about one of the online bike shops". "Yup, that'll be it, I'll pass your details on to the team dealing with the Chain Reaction issue" who then said "Have you got any other cards that you've used with Chain Reaction? OK, we'll cancel them too". So CRC might not consider it proven but the professionals seem to.
For those of you that have been in touch with CRC, did you get any response? I emailed but have heard nothing back. Almost a week without any credit or debit cards, a real pita having to trek to the bank any time i need money. 😡
Just spotted this thread, I got done too. Ordered stuff from CRC on 2nd March, and card was used twice last week fraudulently at John Lewis and Stagecoach. Luckily the CC company were on the ball and alerted me straight away and stopped the card.
Quite worrying though, and seeing as this seems to be a known issue which has affected a lot of people I find the lack of contact/notification from CRC extremely disturbing. I won't be using them again any time soon.
New chain ordered through Chain Reaction in January; a few days later my card was cancelled due to someone trying to top up their phone card with my details.
Last week a Helly Hansen base layer was ordered through Chain Reaction; yesterday my new card was cancelled again.
I run windows 7 with chrome and mcafee.
No response from CRC either... Bit of a pee take!
Barstewards just got me - order placed last night, fraud dept call this afternoon. Vodafone top ups and £350 of online menswear.
This is clearly more than a coincidence - CRC need to do something to sort this out.
Took a call today from "Al" of CRC to VM at about midday, then again at about 13:30. Friendly and helpful. Advised that CRC is using an independent company to investigate. Didn't admit to it being a CRC problem (from a legal prejudice point of view, I understand this). Has offered to keep me informed and flagged my account accordingly. Advised that they strongly believe there have been no hacks involving PayPal transactions (did not guarantee, but see my above comment ref legal prejudice and all that). He mentioned that some postings on forums (fora?) allude to compromised PayPal transactions but that those they have been able to investigate have been erroneous. (Cue to post for anyone who knows different...)
Apologies were offered for the problem and the delayed response.
Finally, he mentioned that staff were tasked to get in touch from Friday and they are working through the backlog.
All in all a very satisfactory call. My faith is now partially restored. Full restoration is on hold pending the ultimate explanations received and action taken.
Let's not forget that if this is a CRC issue (which seems likely, but is not proven), then CRC is a victim of crime as much as we are. Let's not punish them for that. If their response proves to be inadequate though: now that is a different matter. Time for CRC to step up to the mark, I think...
PayPal uses unique one-time tokens for a transaction.
No token can be re-used again, to authorise a payment. Can only be used in regards to refunds of the transaction.
At no time does CRC ever know the CC details on the PayPal account.
When you type in your CC direct to CRC.... thats another matter.
Rats!
I got hit too, thankfully I finally decided to read this post and check my account.
They got me too.
Ordered something from CRC for the first time in at least a year and a couple of days later my card was declined due to fraud. After talking to the bank there were 3 attempted transactions that weren't mine; a garden centre, a hardware store and something else.
I had to buy something on CRC today even though my card details were stolen a few days ago. CRC assured me that the problem was over and no one has had any problems since the 8th.
Is this true? Very helpful on the phone by the way.
It's a shame about their piss poor returns dept. XT 10-speed cassette needs to be sent back for a week / 2 and it 'might' be replaced. Unfortunately I have a race at the weekend so have had to buy a new one. 🙁
I emailed CRC on Saturday and I received a phone call from them today. Very understanding and helpful, they assured me that they are investigating. Also offered to keep me informed and flagged my account.
Crikey ... 😯
I've had two cards compromised in the last week, both of which have been used for CRC in the space of the last month. I can think of other common purchasers for both, but in light of the length of this thread I thought I'd add my twopenny worth.
Jansey, look at ilkelypeter's post: ordered last night, done today. I'd say the problem's ongoing.
Shock horror, my wife (non-cyclist) has reminded me of the time her account was compromised after shopping in TK Maxx. Damn that CRC.
Had the same at the weekend, phone call from the bank to say over £1000 had been spent at John Lewis and they tried to take another £450 but the bank stopped that one. Card now cancelled and waiting for a refund; had ordered from CRC last week, definitely using PayPal from now on.
I phoned them up today to advise them my card has been cancelled as I have stuff on back order and returned. I got put through to a woman called Linda and asked her what the situation is. I got the same response as Mudglutten got: they are aware of the problem, they have an independent security company investigating the problem and they will be contacting customers. They are aware of the posts on this forum and other forums.
There are a set of standards that retailers have to comply with otherwise the banks refuse card transactions from them. These standards are referred to as PCI (Payment card industry) Security Standards. Retailers have to appoint an Accreditor who makes a lot of money reviews the retailers security and passes them as compliant
Depends on the volume of business. You can effectively self-certify up to a level of transactions and wouldn't need to get outside people in to audit that you haven't got unencrypted card details stored. Of course, all you need is a developer who turns on some sort of debug logging and hey-presto, they can skim everything from the system. Not saying that happened here, but it has elsewhere.
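The debug-logging leak described in the post above is the classic way card data ends up in cleartext on a server. An added example, not from any poster and not CRC's or anyone's real code, is a logging filter that masks any Luhn-valid card number before a log line is written, keeping only the first six and last four digits (the maximum PCI DSS allows to be displayed). The regex, thresholds and sample messages are my own choices; digit strings that fail the Luhn check (order numbers, phone numbers) are deliberately left alone.

```python
import logging
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# spaces or dashes, which is how a careless debug line would print them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace every Luhn-valid card number in text with first-six/last-four masking."""
    def _sub(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # not a card number (order id, phone number...): leave it
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(_sub, text)


class PanRedactingFilter(logging.Filter):
    """Attach to a logger or handler so card numbers never reach the log file."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format the message first so numbers passed as %s args are masked too.
        record.msg = mask_pan(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    log = logging.getLogger("payments")
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanRedactingFilter())
    log.addHandler(handler)
    # Constructed sample: a debug line of the kind the post warns about.
    log.debug("authorising card=%s exp=12/14 cvv=123 order=1234567890123456",
              "4111 1111 1111 1111")
```

The filter sits on the handler rather than the logger so it also catches messages propagated from library loggers; the stronger fix is to never pass card data to the logger at all, with the filter as a safety net for the developer who does.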
xiphon - Member
PayPal uses unique one-time tokens for a transaction
Mostly true. There are ways to do repeat billing transactions with PP but they'd show up as CRC doing another transaction so it wouldn't be a random punter (even assuming PP cleared CRC for reference transactions). So yeah, another person who deals with payment systems 😉
Luckily the last time I bought from CRC was 2007.
Got home today to a letter from Egg telling me my existing card was being canceled as of tomorrow. I have bought recently from CRC but last time was via Paypal. Seems they are being ultra-careful, but I am annoyed that I am now put in the position of having other orders for stuff put at risk through as my card won't work.
This has happened to me today, HSBC phoned me advising that £20 has been used to top up a phone.
Used CRC last week so it ties in with CRC's security issues.
Brother in law ordered a new rim last week, got a call yesterday to be told £650 had gone from his account etc etc; glad I told him about this thread on Saturday!!
I started the thread "No CRC Security issues" asking everyone who had used CRC recently but had had no fraud on their card to post.
I have now had some fraud on my card.
3 March Card charged by CRC
14 March £1 fraudulent payment to britishredcross - approved
14 March £134.95 fraudulent payment to Carphone Warehouse - attempted twice and declined.
Have used the card for 4 other online payments in the last month as well as for supermarkets, fuel stations, car insurance renewal and Halfords.
Been checking my account since this broke and it looks like 2 transactions for £15 have been taken. Will speak to the bank tomorrow.
Two questions -
How did the bank know the attempted Carphone Warehouse transaction was fraudulent?
How do the fraudsters use the credit card details? Do they have to make a fake card? Is there enough information from just the details you fill in online to do this?
As others have said, remember that CRC are the biggest victims here - they must be losing significant sales, and it may not be their fault at all.
They got me too! Ordered a number of things from CRC last week and received a call from the bank at the weekend.
Who ever is doing this is never going to run out of credit on their T-mobile account!!
I think an email to CRC is in order.
How did the bank know the attempted Carphone Warehouse transaction was fraudulent?
They get picked up by systems looking for certain types of behaviour, i.e. small initial 'tester' payments followed by substantial ones not to the cardholder's address.
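The rule just described (and the 1p 'authorisation' probes in the moneysavingexpert post quoted earlier) can be written down as a small issuer-side check. This is an added example, not from any poster or from a bank; the thresholds, the 72-hour window and the transaction records are constructed to mirror the thread (a £1 britishredcross tester followed by two £134.95 Carphone Warehouse attempts, a 1p probe followed by £699 of menswear, and a lone £15 O2 top-up that the rule does not catch because a voucher has no delivery address).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed transaction records: card is last four only, addr_match says whether
# the delivery/billing address supplied matches the cardholder's address on file.
@dataclass
class Txn:
    card: str
    when: datetime
    amount: float        # pounds
    merchant: str
    addr_match: bool

TESTER_MAX = 1.00                  # a 'tester' payment is £1 or less (assumed threshold)
FOLLOWUP_MIN = 100.00              # a 'substantial' payment (assumed threshold)
WINDOW = timedelta(hours=72)       # how long after the tester we keep watching


def flag_tester_then_large(txns: List[Txn]) -> Dict[str, List[str]]:
    """Return {card: [alert, ...]} for cards showing a small tester payment followed,
    within WINDOW, by a substantial payment not going to the cardholder's address."""
    by_card: Dict[str, List[Txn]] = {}
    for t in sorted(txns, key=lambda t: t.when):
        by_card.setdefault(t.card, []).append(t)

    alerts: Dict[str, List[str]] = {}
    for card, seq in by_card.items():
        for i, probe in enumerate(seq):
            if probe.amount > TESTER_MAX:
                continue                        # not a tester payment
            for later in seq[i + 1:]:
                if later.when - probe.when > WINDOW:
                    break                       # sequence is time-ordered, stop looking
                if later.amount >= FOLLOWUP_MIN and not later.addr_match:
                    gap = later.when - probe.when
                    alerts.setdefault(card, []).append(
                        f"£{later.amount:.2f} at {later.merchant} {gap} after "
                        f"£{probe.amount:.2f} tester at {probe.merchant}")
    return alerts


# Constructed sample data modelled on the cases reported in the thread.
SAMPLE = [
    Txn("1111", datetime(2011, 3, 3, 9, 0), 54.99, "CRC", True),
    Txn("1111", datetime(2011, 3, 14, 7, 12), 1.00, "britishredcross", True),
    Txn("1111", datetime(2011, 3, 14, 7, 40), 134.95, "Carphone Warehouse", False),
    Txn("1111", datetime(2011, 3, 14, 7, 41), 134.95, "Carphone Warehouse", False),
    Txn("2222", datetime(2011, 3, 10, 12, 0), 0.50, "coffee shop", True),
    Txn("2222", datetime(2011, 3, 11, 18, 0), 150.00, "supermarket", True),   # legitimate
    Txn("3333", datetime(2011, 3, 12, 23, 55), 0.01, "unknown web merchant", False),
    Txn("3333", datetime(2011, 3, 13, 8, 30), 699.00, "online menswear", False),
    Txn("4444", datetime(2011, 3, 7, 10, 0), 15.00, "O2 Prepay", True),       # voucher, no address
]


def run_sample() -> Dict[str, List[str]]:
    return flag_tester_then_large(SAMPLE)


if __name__ == "__main__":
    for card, reasons in run_sample().items():
        print(f"card ****{card}:")
        for r in reasons:
            print("   ", r)
```

The rule is deliberately narrow: it does nothing for the prepay-voucher purchases that dominate this thread, which is why issuers also lean on the list-based approach several posters describe, cancelling every card that appears on a list of compromised numbers rather than waiting for a pattern on each one.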
