[Closed] CRC security issues?
 Mark
Posts: 4275
Level: Black
 

most of these transactions are directly after a CRC purchase, nothing else in between.

I disagree.

There are several instances where people have claimed that the only purchase they have made on their card has been to CRC. There are others where the time between CRC purchase and fraud has been up to a month. There are some where the fraud has happened very soon, within a day or two of the CRC purchase. But definitely not 'Most'.

This illustrates a wider observation. Through reading so many posts the conclusion seems obvious. It feels like people are experiencing fraud directly after using CRC but if you go back through the thread you will see that our perception is not generally accurate. We are carried away, quite naturally by a group mentality that results in us feeling the conclusion is beyond doubt. If there is going to be a judgement made then it needs to be on the basis of objective observation.

Also, this thread has indeed gone over 500 posts. But there are in fact 260 voices. That means on average people have contributed twice to this thread. Not all those voices are victims. Take them out and I think we can safely say there are around 200 victims of fraud here. Now that's still a hell of a lot and the more that add to that total the more compelling the circumstantial evidence becomes, but beware of counting posts and then confusing that with victims as you will have just more than doubled the number.

I'm simply asking for as much objectivity as possible. That's how you differentiate a thorough examination of the facts from a witch hunt. The result may well still be the same, but I'd rather claim I was a part of the former than the latter.


 
Posted : 16/03/2011 2:35 pm
Posts: 0
Free Member
 

Mark, randomly generated would not work for the large fraudulent purchases made through the likes of Tesco, John Lewis, airlines that have been reported. All those retailers would require the CV2 number and the expiry date for the transaction to be accepted.


 
Posted : 16/03/2011 2:36 pm
Posts: 0
Free Member
 

So to conclude - basically, CRC have f-cked up [b]really[/b] badly.

They have potentially lost HUNDREDS of customers, through this PR catastrophe.

And there's a strong correlation between shopping at CRC within the past month AND fraudulent O2 purchases.

Simple.


 
Posted : 16/03/2011 2:38 pm
 anc
Posts: 0
Free Member
 

I disagree.

I disagree... more of them are straight after the CRC purchase; this is how these threads (other forums) came about.


 
Posted : 16/03/2011 2:44 pm
 Mark
Posts: 4275
Level: Black
 

This forum dwarfs ours.
http://forums.moneysavingexpert.com/showthread.php?t=1901991&page=21

Again, all this tells us is that O2 Prepay transactions appearing on bank statements as a prelude to larger transactions is not exclusively a cyclist problem. It's a small piece in the puzzle but it's a piece regardless.


 
Posted : 16/03/2011 2:54 pm
Posts: 0
Free Member
 

Has anyone's debit card (used on CRC) been affected?


 
Posted : 16/03/2011 2:59 pm
Posts: 251
Full Member
 

buzz-lightyear - yes, see above.


 
Posted : 16/03/2011 3:00 pm
 Mark
Posts: 4275
Level: Black
 

I'm going to back off for now though for fear of being strung up... 🙂 I'm as eager to hear from CRC as everyone else and see this whole issue sorted out.


 
Posted : 16/03/2011 3:01 pm
Posts: 19447
Free Member
 

I stopped making on-line purchases with my own card a few years ago; instead I started using a prepaid CC or DC that I bought from WH Smith. It's for on-line purchases only, so I guess I am doomed for the rest of my card purchases ... well, cash is king so I use cash as much as possible, or cheque, or pay direct into the bank. I think the next thing I will do is to not go out and start stocking up on food ...

The following are the possibilities:

1) CRC breach - malware internally installed or externally hacked.

2) CC or DC processing centre - someone is collecting information the moment a purchase is made through large retailer(s).

3) Other retailers - petrol station, hotel etc when card is used.

4) Somewhere between CRC and CC or DC processing centre (actually same as 1 & 2).

5) Your PC is infected due to Pr0n watching ... likely, but hackers would rather target big players where they can harvest vast amounts of data than you that earn peanuts for a living. Well, earning peanuts, me.

My guess will be 1, 2 or 4.

Will be interesting to see where the source of the hack is from and so far all the cc is used in UK o2 and Spain ...

😯


 
Posted : 16/03/2011 4:40 pm
Posts: 0
Free Member
 

My bet's on #1


 
Posted : 16/03/2011 5:02 pm
Posts: 0
Full Member
 

Just been had.

CRC order 2nd March.
2 x £15 O2 prepay vouchers Slough. 13th March

Natwest didn't pick it up on a debit card.

peed off. CRC Own Up!


 
Posted : 16/03/2011 5:21 pm
Posts: 0
Free Member
 

Given the way the payment card industry works, I'm pretty sure CRC will have a lot of answering of questions to do and quite possibly some hefty fines (if they want to keep using credit cards). Worst case scenario, you'll see paypal only on CRC if the card industry think they've really messed it up but I'd imagine that'll be quite unlikely.

CRC DO need to issue some sort of press release on this because right now the hearsay suggests the problem is still happening so more customers each day are getting stung.


 
Posted : 16/03/2011 5:29 pm
Posts: 89
Free Member
 

With regards to the O2 top-up security... you need to know either the[b] house number or numeric digits of the post code[/b] of the card holder.

You wouldn't be able to get hold of these if your card was skimmed at a petrol station (unless they somehow did a check on the car registration and it happened to be the same address).

Now, I haven't used a petrol station at all this year. So either they have randomly guessed my post code and got it right, or they got it when I typed in my payment details at an online retailer.


 
Posted : 16/03/2011 5:33 pm
Posts: 5559
Free Member
 

I wonder if we add our numbers on this site to those many thousand of other victims out there whether the CRC link would still statistically hold up? I don't know. I'm posing a reasonable question.

You are, but if I start that thread I doubt very much you will be answering on page 15. This thread would have just died if no one else was affected after CRC use. We may use CRC more than others but I can't see why we are more likely to be the victim of a similar random fraud of auto generation. Why would CRC paypal users be unaffected for example?


 
Posted : 16/03/2011 5:45 pm
Posts: 0
Free Member
 

Surely if this wasn't CRC related, some other big bike websites would at least get a mention. Evans, Wiggle etc must get at least half the revenue of CRC?


 
Posted : 16/03/2011 5:46 pm
Posts: 2852
Free Member
 

So if I use paypal on CRC it's safe?


 
Posted : 16/03/2011 5:47 pm
Posts: 0
Free Member
 

Paypal uses a token based system. So they take the money but can't do any further transactions plus CRC never sees your PP login details. So it should be completely safe to use paypal to buy stuff unless there's something shockingly wrong with CRC.


 
Posted : 16/03/2011 5:54 pm
Posts: 0
Free Member
 

I made a purchase on the 8th March with CRC (only the second time I've used them in 12 months), and 3 days later, I had two O2 PrePay payments against my account.

I only managed to find out about the link with CRC by looking on Google, and finding this thread (along with several others). I've spoken with CRC yesterday, and given them the details of my order, and the details of my Police incident reference.

My bank didn't spot the dodgy transactions, I did when checking my statement.

I wish now I'd chosen the PayPal option like I do 95% of the time when buying stuff online.

I also can't believe how people are still suggesting it's a coincidence. I work in IT and have done all my professional life, and my computer isn't infected with any key loggers, or spyware (plus my purchase with CRC was made when I was at work, and my work laptop is VERY secure).
The same thing happened when Lush had their online store compromised two months back. People were defending them, and saying it was other people's faults. They were storing card holder details unencrypted in the database (A BIG NO NO!). At least they had the decency to contact all their customers who could possibly have been affected (going back 4 months worth of orders). They also took down their online store (which I know is their main source of turnover, my wife used to work for them).


 
Posted : 16/03/2011 7:09 pm
Posts: 0
Free Member
 

I have had my card cloned twice in the last month, both 2 days after a purchase from CRC. The first time they tried to make £15 payments to o2, the second time it would seem they bought two season tickets, bus tickets and a flight with Ryanair.

It would seem that their website is compromised.


 
Posted : 16/03/2011 7:09 pm
Posts: 1676
Full Member
 

Another £30 prepay from O2 here. Used Chain Reaction on the 1st March, got done on 9th March, which seems like quite a large gap.

In case it rings a bell for anyone else, I also used the card for the following:

Radiohead album
Amazon digital download
Etsy shop via paypal
Bristol train ticket
Spokeshirts via paypal

Maybe everyone on this thread also bought the Radiohead album... 🙄


 
Posted : 16/03/2011 7:34 pm
Posts: 0
Free Member
 

I am SO oiked off! So, on the 8th of March I bought a KMS chain and my nationwide debit card was cloned etc. Bank refunded me money so all was good, apart from being without a card for 6 days!

Then I had a problem with my XT 10speed cassette, one of the sprockets snapped. CRC warranty dept. said nothing they can do and I'd have to purchase another one. As I’m doing the Gorrick race this weekend I was in a rush to get a new one. CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy's card has just been cloned (15th) and £400 was attempted at John Lewis!
[b]
CRC you lying BAST**DS! I will never shop with you again. Enjoy your ear bashing tomorrow morning!!!![/b]

Plus, they email me after I had sent a photo of the sprocket, they are refunding me for the original cassette (£15 lower than the new one) to be honest, it’s the least they can do!


 
Posted : 16/03/2011 9:40 pm
 wwww
Posts: 0
Free Member
 

Last week I used CRC for the first time ever. This week someone tried to make a purchase at an Apple store using my card details

My card has been canceled & a new one issued.


 
Posted : 16/03/2011 9:47 pm
Posts: 24498
Free Member
 

Objectively:

I was scammed a few days after a CRC purchase, but with Vodafone as opposed to O2. Do they have the same security / lack of as the O2 automatic guessing scam?

Secondly. I have several credit cards. Some are effectively dead (zero balance, I should get round to cancelling); some are balance trf cards but no purchases being made, and then I have 3 active cards (one Visa, one MC, and one I use only for work). Why is the only one that has been scammed of all these cards the one that was used at CRC?

Being objective this could be coincidence but to paraphrase what I said in my previous post on this subject; Quack Quack.


 
Posted : 16/03/2011 9:59 pm
Posts: 50252
Free Member
 

For how long will respected publishing houses continue to take the CRC pound? Or will they acknowledge the problem and pull all advertising until CRC themselves acknowledge the problem and take appropriate action?


 
Posted : 16/03/2011 10:01 pm
Posts: 20292
Full Member
 

I cancelled my card (as a precaution, not cos it had definitely been compromised) on Monday, new one arrived today. 🙂
Happy with that except that when I phoned the number to get it activated it once again turned into a sales pitch of how I should buy Identity Theft / Fraud Insurance. 👿


 
Posted : 16/03/2011 10:04 pm
Posts: 0
Free Member
 

Reading the info on o2 that Mark posted it's hard not to conclude they have been very happy to turn a blind eye to fraudulent "test" purchases of airtime for more than 10 years.

How can such a big company get away with this sort of nonsense for so long?


 
Posted : 16/03/2011 10:06 pm
Posts: 0
Free Member
 

Then I had a problem with my XT 10speed cassette, one of the sprockets snapped. CRC warranty dept. said nothing they can do and I'd have to purchase another one. As I’m doing the Gorrick race this weekend I was in a rush to get a new one. CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy's card has just been cloned (15th) and £400 was attempted at John Lewis!

It's clear that they don't want to take a short term hit on profits but the long term damage could be a lot worse, and I hope it is the way they are behaving. Anyone emailed Watchdog yet? 😀


 
Posted : 16/03/2011 10:15 pm
Posts: 3351
Free Member
 

I realise that Mark is seeking to redress the balance against a mob convened kangaroo court, which is quite understandable.

However, I got scammed nine days after using my card at CRC. I haven't used my card anywhere else in the last four months, nor do I do any online purchases on anything other than a secure PC which is regularly swept for malware and viruses.

I do understand that a web security breach at CRC may not be entirely under their control, especially if they sub out their payment processing. That said, as a customer I will be thinking very carefully before making any purchase from CRC in the future and I'll feel an awful lot more comfortable when the full circumstances of these breaches are in the public domain.


 
Posted : 16/03/2011 10:26 pm
Posts: 0
Free Member
 

Well - I stood up in the initial few posts on here and said no way it's CRC (probably related to why I no longer work in IT).

As luck would have it I got a new card today (new number, start / exp and c v v). I've no real need for it (or used the old one in months / years). Should I go and buy something from CRC and see what happens?


 
Posted : 16/03/2011 10:30 pm
Posts: 0
Free Member
 

Just seen this thread, not the biggest forum follower, and last Monday 7th bought a ticket to a marathon race in July on CRC; late next day I get a call from the bank about an attempted £30 O2 top up. Full credit to my bank, Lloyds TSB, for alerting me, as usually they're a shower of s***. Will be much more careful from now on. Take care out there.


 
Posted : 16/03/2011 10:38 pm
 DT78
Posts: 10065
Free Member
 

Well, guess what.

After posting this link round mates and finding out one of them has been scammed, I have just checked my online accounts. And lo, 2 x £15 O2 prepayments have been processed on 15 March.

HOWEVER - this is my DEBIT account, this is absolutely not used for online purchases, my CREDIT card I use at CRC seems ok (last CRC purchase 19 Feb).

In fact all purchases (online and over the counter), of any description, are run through my credit card.

Other than big companies like IPC media, virgin media etc. for DDs, the only other internet companies that know my debit account details are Paypal and topcashback.

I have never used my debit card to purchase from CRC... maybe it is a coincidence and just a massive scam?

Thank you to the OP though, you made me proactively check and spot it when it was only £30. (no proactive phone call from Lloyds for me though)


 
Posted : 16/03/2011 10:59 pm
Posts: 0
Free Member
 

[b]Mark[/b] it is a good and honourable thing that you are doing trying to put a different viewpoint here, but it does rather ignore the fact that the Credit Card houses themselves have - according to lots of posts here and elsewhere - recognised that there is a particular problem with CRC at the moment to the extent that they are pro-actively cancelling people's cards, and are able to guess at CRC being involved when people ring up to report scamming?

Given that this is really a bit of a bike news story now - and that you are a journalist writing for a constituency of 470000 unique users a month - what other than an admission by CRC would it take to make you put something about this on your ST home page?


 
Posted : 16/03/2011 11:31 pm
Posts: 0
Free Member
 

There's no way I'm ordering anything else from CRC until they come out and say what's happening.


 
Posted : 16/03/2011 11:39 pm
Posts: 0
Free Member
 

road.cc have essentially said that until CRC fess up, they won't be writing about it. There's nothing on Bikeradar either so it's not just Singletrack. Someone needs to be getting the message out wider that there is a legitimate concern that the CRC credit card payment process has been compromised (by all means tell people to pay with Paypal of course).

I'd threaten to not buy any more from CRC but I've not bought from them since 2007 so I guess I'm not a key customer


 
Posted : 16/03/2011 11:42 pm
Posts: 0
Free Member
 

Again, all this tells us is that O2 Prepay transactions appearing on bank statements as a prelude to larger transactions is not exclusively a cyclist problem. It's a small piece in the puzzle but it's a piece regardless.

[b]Mark[/b], just because there are a lot of people here with O2 problems does not mean this is the only thing it tells you. I'm actually surprised it seems most people here are noticing the fraud on their own, but I guess that says more about your banks than anything else...

In Finland on the biking forum the CRC thread is not full of people noticing dodgy transactions, it's full of people who have been contacted by their banks notifying them that their cards have been disabled as a security measure because they believe the card info has leaked. I guess this is a difference between how these cases are handled between our countries (in Finland the customer will never end up paying, rather the banks will suck it up, hence they are quite quick to respond).

The only common denominator between these people is that they have purchased from CRC, actually there are several who have not used the credit card for anything else.

I don't think there is really any doubt here.


 
Posted : 17/03/2011 8:00 am
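The common-denominator argument in the post above, combined with Mark's earlier caution about counting posts rather than distinct victims, is what card issuers call common-point-of-purchase analysis. The sketch below is an added example, not part of the thread: every merchant name, card id and record is constructed, and the availability of a control group of unaffected cards is an assumption.

```python
from collections import Counter
from datetime import date, timedelta

LOOKBACK = timedelta(days=30)  # assumed window between purchase and fraud

# Constructed fraud reports: (reporter, card, fraud_date, [(merchant, purchase_date)])
FRAUD_REPORTS = [
    ("rider_a", "card-1", date(2011, 3, 11),
     [("BikeShopX", date(2011, 3, 8)), ("BigBooks", date(2011, 3, 1))]),
    # Same person posting again about the same card: must not count twice.
    ("rider_a", "card-1", date(2011, 3, 11), [("BikeShopX", date(2011, 3, 8))]),
    ("rider_b", "card-2", date(2011, 3, 9),
     [("BikeShopX", date(2011, 3, 1)), ("BigBooks", date(2011, 3, 3)),
      ("RailCo", date(2011, 3, 5))]),
    ("rider_c", "card-3", date(2011, 3, 15), [("BikeShopX", date(2011, 2, 19))]),
    ("rider_d", "card-4", date(2011, 3, 15), [("BigBooks", date(2011, 3, 10))]),
    ("rider_e", "card-5", date(2011, 3, 13),
     [("BikeShopX", date(2011, 3, 2)), ("Grocer", date(2011, 3, 6))]),
    # Purchase at BikeShopX is older than the lookback window: not an exposure.
    ("rider_f", "card-6", date(2011, 3, 14),
     [("BikeShopX", date(2011, 1, 5)), ("Grocer", date(2011, 3, 12))]),
]

# Constructed control group: cards with no fraud, merchants used in the same period.
CONTROL_CARDS = {
    "card-101": {"BigBooks", "Grocer"}, "card-102": {"BigBooks"},
    "card-103": {"Grocer", "RailCo"}, "card-104": {"BikeShopX", "BigBooks"},
    "card-105": {"BigBooks", "Grocer"}, "card-106": {"Grocer"},
    "card-107": {"BigBooks", "RailCo"}, "card-108": {"Grocer", "BigBooks"},
}


def naive_mentions(reports):
    """Count reports naming each merchant: the 'counting posts' mistake."""
    counts = Counter()
    for _reporter, _card, _fraud_date, purchases in reports:
        counts.update({merchant for merchant, _ in purchases})
    return counts


def distinct_cards(reports):
    """Collapse repeat posts so each compromised card is counted once."""
    cards = {}
    for _reporter, card, fraud_date, purchases in reports:
        entry = cards.setdefault(card, {"fraud_date": fraud_date, "purchases": set()})
        entry["fraud_date"] = min(entry["fraud_date"], fraud_date)
        entry["purchases"].update(purchases)
    return cards


def exposures(entry, lookback=LOOKBACK):
    """Merchants the card was used at inside the window before the fraud."""
    start = entry["fraud_date"] - lookback
    return {m for m, d in entry["purchases"] if start <= d <= entry["fraud_date"]}


def merchant_lift(reports, control, lookback=LOOKBACK):
    """Rank merchants by how over-represented they are among compromised cards.

    Returns rows of (merchant, fraud_cards_exposed, control_cards_exposed, lift).
    Lift compares exposure among compromised cards with exposure among
    unaffected cards, so a merchant that everybody uses does not rank high
    just for being popular. Add-one smoothing avoids division by zero.
    """
    cards = distinct_cards(reports)
    hit = Counter()
    for entry in cards.values():
        hit.update(exposures(entry, lookback))
    base = Counter()
    for merchants in control.values():
        base.update(merchants)
    rows = []
    for merchant in set(hit) | set(base):
        lift = ((hit[merchant] + 1) * (len(control) + 2)) / (
            (base[merchant] + 1) * (len(cards) + 2))
        rows.append((merchant, hit[merchant], base[merchant], lift))
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows


if __name__ == "__main__":
    print("posts naming each merchant:", dict(naive_mentions(FRAUD_REPORTS)))
    for merchant, fraud_n, control_n, lift in merchant_lift(FRAUD_REPORTS, CONTROL_CARDS):
        print(f"{merchant:10s} fraud={fraud_n} control={control_n} lift={lift:.2f}")
```

With this constructed data the popular merchants score a lift below 1, while the one merchant that is common among compromised cards but rare among unaffected ones stands out.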
Posts: 0
Free Member
 

(in Finland the customer will never end up paying, rather the banks will suck it up, hence they are quite quick to respond)

The bank's customer [b]always[/b] ends up paying somehow - they will factor in these costs into their business model.


 
Posted : 17/03/2011 8:29 am
Posts: 0
Free Member
 

Mine done as well. A 98 Euro Spanish rail ticket was purchased which drew attention to Natwest who promptly stopped my card. Since the CRC order, there's been 1 Amazon order, a couple of Sainsbury internet orders & 1 Orange mobile top-up and the rest are normal high st / petrol station transactions; so a link can be drawn to CRC. Maybe it is 2+2=5, but a link nonetheless.


 
Posted : 17/03/2011 8:40 am
Posts: 8660
Full Member
 

Whilst CC fraud happens all the time from various sources this is looking more and more like a compromise at CRC. If it turns out they've stored CC data in a database unencrypted (a la Lush) I hope the PCI come down on them hard. I've been involved in securing banking and insurance company systems and there are some fundamental things you need to do and stuff like DB encryption is relatively cheap so there's no excuse.

Assuming it wasn't an inside job then the entry point into CRC would be interesting to know as well (but will likely never be revealed). If it was a sophisticated zero day exploit then fair enough, no system is 100% safe (that's why you do defence in depth and encryption), but if it used a known exploit down to lax security management then I hope there will be P45s issued.


 
Posted : 17/03/2011 8:43 am
Posts: 0
Free Member
 

+1 FuzzyWuzzy


 
Posted : 17/03/2011 9:12 am
Posts: 4631
Free Member
 

Just got off the blower to CRC after sending them an email last Thursday. They are still working on the cause and as soon as they have any news will be contacting people and posting statements online.


 
Posted : 17/03/2011 9:15 am
Posts: 0
Free Member
 

The bank's customer always ends up paying somehow - they will factor in these costs into their business model.

It could also be the shop who ends up paying...


 
Posted : 17/03/2011 9:36 am
 anc
Posts: 0
Free Member
 

CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy's card has just been cloned (15th) and £400 was attempted at John Lewis!

So in Janesy's case, after having his first card cloned he was assured that the problems were resolved. Then lo and behold the second card he puts through them is also cloned.... So what's the probability of that happening by chance..... 😯 !!


 
Posted : 17/03/2011 9:41 am
 cec1
Posts: 0
Free Member
 

Just had my card hit with £2500 John Lewis bill. I've only used this particular card once in the last year (three weeks ago) and it was buying from Chain Reaction Cycles. That's not to say that the card details were not harvested before that but...


 
Posted : 17/03/2011 9:47 am
Posts: 44
Free Member
 

Got hit this morning for a few small tester transactions. Card company called me - which was good of them.

Credit card order to CRC on 6th March - card only used abroad apart from this transaction (scammed transactions were domestic BTW).

Amusingly, the fraudulent transactions seem to be from a provider of payment services for adult sites.


 
Posted : 17/03/2011 10:26 am
Posts: 0
Free Member
 

(in Finland the customer will never end up paying, rather the banks will suck it up, hence they are quite quick to respond)

As I understand it, any fraud using a credit card or visa/mastercard debit card is paid for by the bank (or charged back to the retailer). We all pay for this protection through high card charges for retailers that are passed on in the price of goods purchased.


 
Posted : 17/03/2011 10:36 am
 DT78
Posts: 10065
Free Member
 

Lloyds have told me I need to fill out a fraud form they are sending me, and return to them within 14days or they won't refund me the dodgy transactions.

The missus has checked her cards & accounts and they are fine so pretty sure it isn't a keylogger on our laptop.


 
Posted : 17/03/2011 10:59 am
Posts: 0
Free Member
 

It's been reported on theregister this morning:

[url= http://www.theregister.co.uk/2011/03/17/cc_fraud_follows_bike_store_purchases/ ]TheRegister[/url]


 
Posted : 17/03/2011 11:24 am
Posts: 0
Free Member
 

Thanks for that link to a news item Farmer John.


 
Posted : 17/03/2011 11:38 am
Posts: 2259
Free Member
 

Because of what I regard as Chain Reaction's tardy response, I've been sitting on my hands forcing myself not to contact responsible agencies / journalists etc. What has stopped me doing it is that I am Northern Irish, which means I apply some 'local bike shop' goodwill to Chain Reaction. Another thing that really narked me are these suggestions that a Chain Reaction director has implied or even stated that the problem lies on customers' PCs - key loggers etc. Not very likely as I run linux.

Something else is bugging me - why aren't Singletrack running this as a news article? What matters more, informing readers or protecting advertisers?


 
Posted : 17/03/2011 11:55 am
Posts: 30656
Free Member
 

Another thing that really narked me are these suggestions that a Chain Reaction director has implied or even stated that the problem lies on customers' PCs - key loggers etc. Not very likely as I run linux.

Not going to go back through the whole thread, but was this actually the case? I thought the dude who said about weaknesses on user PCs was actually the guy who ran the IT company CRC use?


 
Posted : 17/03/2011 11:59 am
Posts: 0
Free Member
 

Waderider - Mark's post [url= http://www.singletrackworld.com/forum/topic/is-mtb-journalism-proper-journalism/page/3#post-2385072 ]here[/url] explains why they've not put it on the front page yet.


 
Posted : 17/03/2011 11:59 am
Posts: 2259
Free Member
 

Thanks WackoAK - I don't think that is a reason for not having a story. Regarding the director stating the problem with users' PCs, it is something I have read in several places on the net. So yes, it could be rumour and lies.


 
Posted : 17/03/2011 12:02 pm
 Mark
Posts: 4275
Level: Black
 

We have asked CRC for another update. As soon as we have something new to report we will.


 
Posted : 17/03/2011 12:03 pm
Posts: 0
Free Member
 

just been on the phone to my bank (nationwide) and they are stopping all cards that have had transactions with chain reaction cycles in the last 10-14 days, compromised or not.


 
Posted : 17/03/2011 12:55 pm
Posts: 0
Free Member
 

They are also being investigated by the bank, so I have been informed.


 
Posted : 17/03/2011 12:56 pm
Posts: 0
Free Member
 

Jamie:
Not going to go back through the whole thread, but was this actually the case? I thought the dude who said about weaknesses on user PCs was actually the guy who ran the IT company CRC use?

The poster was claiming (not directly... but their name + location indicated so) to be the MD of the company "Export Technologies", who provide the e-commerce platform.

CRC carefully worded a response to STW, neither denying nor confirming the above to be true.


 
Posted : 17/03/2011 12:59 pm
Posts: 0
Free Member
 

Hi Folks

Just want to give you an update as you may have missed our earlier statements.

[b]What do we know?[/b]
We know that some of our customers have experienced credit card fraud after placing an order with CRC.

[b]When did we find out?[/b]
Senior staff in CRC were alerted to forum comments on Sunday 6th of March. We immediately began our investigations, enabling us to release information via community forums on Wednesday the 9th, acknowledging that we were actively investigating the situation.

[b]How big is the problem?[/b]
So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly and via forums equates to under 0.1% of on-line orders placed in that same time period. However, we understand that for those affected this is of great concern and as we take our customer's security extremely seriously we are taking all the steps we can to understand what has happened.

[b]What steps have we taken?[/b]
CRC have employed one of the UK's leading internet security companies to carry out immediate and full forensic investigation into CRC's infrastructure. This investigation has so far uncovered no evidence of any breach. We are also fully engaged with our card processing companies and the card schemes. This investigation is still underway.

[b]Card Re-issues[/b]
Purely as a precaution, Card Issuers may make the decision to reissue new cards to recent CRC customers. If your card is reissued it does not mean that your details have been compromised but the banks take an ultra cautious view on this as the cost of re-issuing a card is much smaller than resolving any potential issue in the future.

[b]When will CRC have more information?[/b]
We are working round the clock to get an understanding of what has happened; as we get greater understanding we will continue to keep you up to date and intend to issue further updates over the next week or so.

[b]Can you order safely?[/b]
So far the investigation has uncovered no evidence of any breach but if you want to order on CRC without CRC being in contact with your credit card details then choose Pay by PayPal and checkout using your credit card via the PayPal express checkout.

[b]Please contact us directly[/b]
We want people who have been directly affected to contact us so we can personally update you by email. Please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.

Thanks again for your patience and support

Michael Cowan
CRC Senior Management


 
Posted : 17/03/2011 1:08 pm
Posts: 0
Free Member
 

crccustomersupport, my bank has told me they have blocked all transactions with CRC so I couldn't order again even IF I had 100% trust in you!


 
Posted : 17/03/2011 1:11 pm
Posts: 919
Free Member
 

Thanks for the update.


 
Posted : 17/03/2011 1:13 pm
Posts: 0
Free Member
 

So far the investigation has uncovered no evidence of any breach

do you not consider the many many people on here who have issues seemingly as a direct result of giving you their custom as evidence?


 
Posted : 17/03/2011 1:16 pm
Posts: 0
Free Member
 

It's noticeable that CRC still don't say whether they have themselves reported the significant volume of fraud to the Police.


 
Posted : 17/03/2011 1:18 pm
Posts: 5883
Full Member
 

Oooh, made it onto the Register!
[url= http://www.theregister.co.uk/2011/03/17/cc_fraud_follows_bike_store_purchases/ ]here[/url] How exciting!


 
Posted : 17/03/2011 1:20 pm
Posts: 0
Free Member
 

email sent

lets see what they come up with

there's absolutely no reason to assume that this is purely an IT related issue......


 
Posted : 17/03/2011 1:24 pm
Posts: 0
Free Member
 

equates to under 0.1% of on-line orders

Somehow I don't believe you.

If it's high enough to make the banks aware of it, I would put that figure FAR higher. Unless you process something like 100 million transactions a year...

Remember to encrypt the credit card database next time, alright? 😉


 
Posted : 17/03/2011 1:24 pm
Posts: 30656
Free Member
 

nicko74:
Oooh, made it onto the Register!
here How exciting!

Look [url= http://www.singletrackworld.com/forum/topic/crc-security-issues/page/16#post-2385480 ]up[/url] dude.


 
Posted : 17/03/2011 1:26 pm
Posts: 50252
Free Member
 

Very brave of CRC to come on here and comment. Well done.

However, two things;
1 - As mentioned above,

do you not consider the many many people on here who have issues seemingly as a direct result of giving you their custom as evidence?

and 2 - I still find it astonishing that an issue affecting so many mountain bikers/cyclists has not been reported officially by a mountain biker/cyclist focused website which [i]" delivers a daily dose of mtb news and opinion"[/i]. This is both news and opinion and has been running for some time now.

While I appreciate that Mark is trying to [s]protect the ad revenue[/s]wait until all the facts are in etc, that's not really how "news" works. You can report what is happening, with all the relevant caveats of course, but surely something like this should be reported? Amazing that a site such as El Reg reports it before STW.


 
Posted : 17/03/2011 1:31 pm
Posts: 0
Free Member
 

While I appreciate that Mark is trying to [s]protect the ad revenue[/s]wait until all the facts are in etc, that's not really how "news" works. You can report what is happening, with all the relevant caveats of course, but surely something like this should be reported? Amazing that a site such as El Reg reports it before STW

Marks comment on 'publishing' the news story of CRC

http://www.singletrackworld.com/forum/topic/is-mtb-journalism-proper-journalism/page/3#post-2385072


 
Posted : 17/03/2011 1:36 pm
Posts: 0
 

Yes, I too had my card compromised after making a couple of purchases from CRC in late February. Halifax Financial Services were on the ball and called me. Card was cancelled and a new one issued, which took about 5 days. No direct evidence of a link with CRC but in the light of the foregoing, it is suggestive.


 
Posted : 17/03/2011 1:41 pm
Posts: 0
Free Member
 

hopefully everyone who has had this problem will actually tell crc about it.

their 0.1% figure may be based on direct contact, not us lot bitching on here.


 
Posted : 17/03/2011 1:43 pm
Posts: 0
Free Member
 

their 0.1% figure may be based on direct contact, not us lot bitching on here

Good point.


 
Posted : 17/03/2011 1:48 pm
Posts: 0
Free Member
 

their 0.1% figure may be based on direct contact, not us lot bitching on here.

they said up there ^^^ [i]So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly [b]and via forums[/b] equates to under 0.1%[/i]

I'm sure I read somewhere that they despatch around 6000 orders per day, so over - say - a 10 day period that would be 60 complaints


 
Posted : 17/03/2011 1:51 pm
Posts: 0
Free Member
 

well spotted, i doubt they have trawled through all the forums though

to be honest i'd like them to take the HUGE PR hit and send out an email to all account holders. not everyone reads the forums or checks the cc bills regularly.


 
Posted : 17/03/2011 1:54 pm
Posts: 299
Full Member
 

I've just got an email from CRC, with the same content as the post above. Looks like you got your request mrmichaelwright 🙂


 
Posted : 17/03/2011 2:01 pm
Posts: 6206
Full Member
 

Amazing that a site such as El Reg reports it before STW.

Not amazing at all. Reporting on CC fraud is one of the things they tend to report on, along with compromised websites, unencrypted SQL DBs left lying around on webservers, disgruntled webmonkeys walking out with files or refusing to hand over root/admin passwords etc.
If anything, I was amazed they hadn't reported sooner.


 
Posted : 17/03/2011 2:03 pm
Posts: 0
Free Member
 

to be honest i'd like them to take the HUGE PR bonus and send out an email to me offering a 100% discount for life

worth a try....... 😀


 
Posted : 17/03/2011 2:04 pm
Posts: 1676
Full Member
 

I hadn't bothered to directly contact them as my bank dealt with it pretty efficiently, but now I have.

CRC should put a note on their front page with their various statements and some advice on what to look out for / who to contact - it's pretty shoddy of them to be posting on message boards but not on their own website.


 
Posted : 17/03/2011 2:04 pm
 D0NK
Posts: 592
Full Member
 

Amazing that a site such as El Reg reports it before STW.
Report is a bit strong, they basically said 2 sites' forum members reckon there's something dodgy going down. Hardly l33t investigative journalism.
to be honest i'd like them to take the HUGE PR hit and send out an email to all account holders.
they have, got mine 15mins ago.


 
Posted : 17/03/2011 2:05 pm
Posts: 0
Free Member
 

so it seems

not had mine yet though


 
Posted : 17/03/2011 2:06 pm
 Taff
Posts: 4
Free Member
 

Just got the email from CRC too. Glad to have some confirmation that they're looking into it.

I don't think they would actually lie about the 0.1% because if investigated they would end up in quite a bit of legal sh*t. I'm going to take their advice and pay via pay pal on future transactions until they come out with a statement saying that security issues, if any, have been resolved.


 
Posted : 17/03/2011 2:06 pm
Posts: 0
Free Member
 

I was on the phone to them for 20 minutes on a big rant. Still doesn't help! I'll be getting my shiny parts from somewhere else in future.


 
Posted : 17/03/2011 2:19 pm