
[Closed] CRC security issues?

 Mark
Posts: 4275
Level: Black
 

If anyone is interested, there are 158 individual reports on this thread of fraudulent transactions being spotted on accounts.


 
Posted : 17/03/2011 2:35 pm
Posts: 30656
Free Member
 

If anyone is interested, there are 158 individual reports on this thread of fraudulent transactions being spotted on accounts.

Oh thank god. I was worried it was serious for a minute 8)


 
Posted : 17/03/2011 2:41 pm
Posts: 19447
Free Member
 

... equates to under 0.1% of on-line orders placed ...

Quick someone please start another on-line bike retail store as the market is big enough ...

Astonishing if there is no breach at CRC but yet so many are affected so this I want to see.


 
Posted : 17/03/2011 2:45 pm
 dab
Posts: 391
Full Member
 

Got ripped by the fraud , bank refunded , new card etc

Bottom line , started using LBS more
Actually not as bad as I thought

Net result = CRC lose another customer


 
Posted : 17/03/2011 2:47 pm
Posts: 0
Free Member
 

... equates to under 0.1% of on-line orders placed ...
and this makes it ok does it?


 
Posted : 17/03/2011 2:51 pm
Posts: 401
Free Member
 

If anyone is interested, there are 158 individual reports on this thread of fraudulent transactions being spotted on accounts.

..and if you apply the "only 4% actually post" metric then that is a LOT of fraud


 
Posted : 17/03/2011 2:54 pm
Posts: 0
Free Member
 

DavidB, 3950???

And that is only on STW


 
Posted : 17/03/2011 3:01 pm
 anc
Posts: 0
Free Member
 

and add in all the other forums.....


 
Posted : 17/03/2011 3:02 pm
Posts: 57
Free Member
 

No, you can't apply the "only 4% post" rule in this case as a loss or fraud is an incentive to post. It's liable to be many more %, but who can say how much? Only CRC. There are likely to be thousands of incidents, I guess.

To give CRC a fair whack, they have responded on the forum, they are working with a security company - and it's hurting them very much indeed I guess.


 
Posted : 17/03/2011 3:33 pm
Posts: 20292
Full Member
 

and add in all the other forums.....

except that people will quite likely post on more than one forum, may not use the same user-name for each one so you end up double counting.
It's always the complainants who shout loudest so 99% of the people who have bought off CRC with no trouble at all are probably
a) not aware of any issues
b) even if they are aware they probably don't care cos they're OK
c) people like me who did buy off CRC, had no issues but cancelled my card anyway as a precautionary measure. Better safe than sorry! 😉

I'm not saying there isn't a problem, I believe (from reading this forum alone) that the relationship between shopping at CRC and subsequent fraud is too high to be coincidence but, as yet, there isn't a reportable story on it and as Mark stated, this forum gets far more views than the front page news.


 
Posted : 17/03/2011 3:35 pm
 Mark
Posts: 4275
Level: Black
 

If there's one thing that's going to get lurkers coming forward and posting it's being ripped off by a fraudster. There are many victims who have posted on this thread for whom this was their first post. If you were a lurker who had been ripped off, would you keep quiet after reading this thread? There's even a clear example on here of someone from France registering a new account just to add their case to the total. So the 4% rule doesn't count.

I think it's clear there are hundreds of cases. Which is an awful lot and quite clearly a total that requires a thorough investigation coupled with a public explanation once that investigation is complete, which from our contact with CRC is exactly what they are doing right now.


 
Posted : 17/03/2011 3:41 pm
 anc
Posts: 0
Free Member
 

except that people will quite likely post on more than one forum, may not use the same user-name for each one so you end up double counting.

Sure there will be a bit of double posting but not all that much as people aren't gonna sign up to other forums just because of this and forum users tend to be loyal to the one that interests them most, there will be exceptions but not many.


 
Posted : 17/03/2011 3:45 pm
Posts: 0
Free Member
 

Let me first note that I don't - yet - assign positive blame on CRC. There is CRC, there is, presumably, some company which carries out payments for them and there is cyber-space in between; the culprit can lie in any of these.

Having said that, 0.1% doesn't seem too plausible now, does it? They refer to a ~40 days period and we can safely (?) assume there are circa 1,000 cases reported here and there so far (am I exaggerating?). Then the 0.1% implies CRC has taken something like 1,000,000 orders in that period of time. That's like 25,000 orders per day. Does anyone buy this figure? Is there an error in my math?

On the other hand, even if the 0.1% is a truthful figure, it does not necessarily correspond to the actual number of compromised CCs. It may very well be that the fraudsters are on finite resources, a fact which may have prevented them to sting more cards in such a short period of time.


 
Posted : 17/03/2011 4:07 pm
Posts: 0
Free Member
 

CRC are never going to be honest about the problem

"They have found no evidence so far" - Unlikely

I had attempted fraud happen on both my cards used - one original, one the replacement for the original, I'm on my third card now and avoiding CRC, tks


 
Posted : 17/03/2011 4:22 pm
Posts: 50252
Free Member
 

Is there an error in my math?

Well, there is one in your English! 😉 Mathematics, not mathematic. HTH.

😉


 
Posted : 17/03/2011 4:26 pm
Posts: 0
Free Member
 

Another here.

Have a John Lewis Credit card..
they called quite fast after an itunes US transaction.
Odd.

Anyway.. long story short.. last purchase was a set of forks at you've guessed it..

Bit of a pain being without a card.


 
Posted : 17/03/2011 4:30 pm
Posts: 0
Free Member
 

I don't think anyone knows how many orders they take a day, but you could make a decent guess with a few assumptions.

2009 turnover was £77m. Assume a low average order value of £50 gives 4300 orders a day, a high average order value of £400 gives 500 orders a day.

No idea what actual average order value is, but let's assume it's somewhere between the above. That means they take 500 to 4300 orders a day.

Let's assume the period they are talking about (Feb and early March) is 40 days, that means during that period they've taken somewhere between 20,000 and 172,000 orders.

Using their quoted 0.1% of orders affected means that they've had reports of between 20 and 170 cases of fraud.

Clearly there's more cases reported here than the lower estimate above but it gives you an idea of the orders of magnitude.

Anyone with better idea of average order value could do better.


 
Posted : 17/03/2011 4:31 pm
Posts: 0
Free Member
 

.


 
Posted : 17/03/2011 4:33 pm
Posts: 0
Free Member
 

Well, there is one in your English! Mathematics, not mathematic. HTH.

Cut me some slack; I'm Greek and my English is actually American. Which makes "math" - instead of "maths" - right. Bah, I should have used "calculations"... 🙂


 
Posted : 17/03/2011 4:43 pm
Posts: 50252
Free Member
 

???????, ???? ??????!

🙂


 
Posted : 17/03/2011 4:44 pm
Posts: 251
Full Member
 

2009 turnover was £77m

but that probably includes Hotlines and all the brands they own that sell to LBS's etc?


 
Posted : 17/03/2011 4:46 pm
Posts: 0
Free Member
 

I did think that perhaps - not sure how it is structured - I don't think CRC is a group company? Not sure. Hotlines although owned by same people is separate company?

If you assume it does though then number of orders is obviously lower which makes their 0.1% claim look spurious.


 
Posted : 17/03/2011 4:48 pm
 Mark
Posts: 4275
Level: Black
 

CRC turned over £77 million in 2009. This is information in the public domain.

I have no idea how accurate the following is so it's totally open to debate but we can play with some of the numbers and use them to narrow down to the unknowns. Then we can play plug in made up numbers and see if the answers meet our expectations.

Around £6 million a month in orders
Average order value say £25... or £50... or £100? Let's take these 3 and see what happens.

6 million/£25 = 240,000 orders a month.
@ £50 = 120,000 orders
@ £100 = 60,000 orders

0.1% of 240,000 = 240
0.1% of 120,000 = 120
0.1 % of 60,000 = 60

We have on this site 158 complaints. That sits between average order values of £25 - £50 but we can't assume that those 158 are all the complaints. There will undoubtedly be more.

The largest unknown is the average CRC order. I could be all over the place with my guess. Maybe a straw poll of readers last purchase values will help us narrow that down to a more accurate figure. Anyway, I think the method is sound if not all the figures within it. The other unknown is how representative our 158 complaints are of the total complaints. These two figures are open to debate and supposition.


 
Posted : 17/03/2011 4:54 pm
Posts: 0
Free Member
 

err did you just copy my maths?!


 
Posted : 17/03/2011 4:56 pm
Posts: 0
Free Member
 DJC
Posts: 0
Free Member
 

Another lurker stepping forward here.

CRC order placed in the relevant period, followed by call from credit card fraud dept last week - dodgy activity on card, card blocked and now reissued.


 
Posted : 17/03/2011 4:56 pm
 Mark
Posts: 4275
Level: Black
 

Ah.. I posted that and it seems the same sort of calculation has been done already. Good to see we are on the same general lines though. Did CRC own Hotlines in 2009? 2009 accounts will also refer to the period that ended in 2009 so depending on when the end of year is it could include most of 2008.


 
Posted : 17/03/2011 4:58 pm
Posts: 0
Free Member
 

@uplink - that article says 30000/week not month?!


 
Posted : 17/03/2011 4:58 pm
Posts: 251
Full Member
 

Mark what I still don't understand is how CRC (who say they still don't know what the problem is how the information was stolen) can be confident of quoting any percentage of total order value/numbers of orders as being affected?

If they can be certain that only 0.1% are affected then they must have a very clear idea how the information was obtained and what percentage of their orders left the channel used for CC traffic open to abuse?

If they're just going by numbers of reported incidents to them then they're relying on people telling them? I wouldn't - I know they know they have a problem.


 
Posted : 17/03/2011 4:59 pm
Posts: 0
Free Member
 

@uplink - that article says 30000/week not month?!

yeah sorry my typo

It bears out my other post though of 6000/day


 
Posted : 17/03/2011 5:01 pm
Posts: 0
Free Member
 

@mark - was just joking.

Taking a look at the accounts they actually quote the number of orders and average order value (kindly).

Orders: 1042878
Ave Value: £72.43

So that's 114,000 orders in 40 days. And 0.1% of that is 114.

Of course that data is a couple of years old now, and they've grown considerably since.


 
Posted : 17/03/2011 5:04 pm
Posts: 1
Free Member
 

What this is doing, of course, is ensuring that there's not a cat in hell's chance that I'll buy anything from CRC in the foreseeable future.

I suspect I'm far from alone........


 
Posted : 17/03/2011 5:09 pm
Posts: 0
Free Member
 

there's not a cat in hell's chance that I'll buy anything from CRC in the foreseeable future.

If the price & stock is right I'll still buy - I did yesterday [via Paypal]


 
Posted : 17/03/2011 5:11 pm
Posts: 50252
Free Member
 

What this is doing, of course, is ensuring that there's not a cat in hell's chance that I'll buy anything from CRC in the foreseeable future.

I suspect I'm far from alone........

I suspect that this will also, hopefully, drive a few more people back to their LBS.


 
Posted : 17/03/2011 5:12 pm
 Mark
Posts: 4275
Level: Black
 

wwwas,

The CRC statement says the 0.1% figure comes from reported cases AND those reported on forums. Now it's true that there is probably an unknown quantity of victims out there who have neither reported directly to CRC nor on a forum - this is another unknown value in the big equation. Slowly we are gathering enough data to plug in numbers to these variables though and as we do a fuller and more accurate picture is emerging of the scale of the problem.

So far, the numbers we have played with are at the very least in the same general area that makes CRC's claim of 0.1% not an unrealistic claim. 'Hundreds of victims' is still a lot and needs investigating, even if there are by our own collective calculations hundreds of thousands of orders a month.


 
Posted : 17/03/2011 5:12 pm
Posts: 401
Free Member
 

nickf: But wiggle are still going and there was a similar scare with them a while back.


 
Posted : 17/03/2011 5:12 pm
Posts: 0
Free Member
 

There are a couple of ways I can think of that CRC's customers have been defrauded without any evidence of tampering on their servers.

One is that CC details (if they store them, even briefly) have been accessed by someone with the legitimate rights to do so, copied to a USB stick and either sold or used by the person who stole them.

The other could be an email phishing attack on known mountain bikers to make them click on a legitimate-looking email from CRC. When they click on the link, they would be connected to a site owned by the attackers, which logs the information entered and passes the request on to the real CRC site. The results of searches and the final order details would come from CRC, but be passed back via the fraudulent site. The shopper would never know that they're not dealing with CRC.

I've seen one post from a person who was defrauded but uses Linux but it may be that his attack was coincidental. If it was, MTBers could have been targeted (from a race event emailing list?) and key loggers installed when they clicked on a link.

In all cases, nothing would show up on CRC's systems and thus their statement that there is no evidence of a breach would be correct.

This is not a defence of them or their systems but an attempt to indicate that these things are sometimes very difficult or impossible to trace after the attack has ended. But if the breach is found to be on their own, unsecured systems, they can expect to be fined and closely audited for a long time.


 
Posted : 17/03/2011 5:13 pm
Posts: 0
Full Member
 

Hello, I'm a lurker and have been had over too.

5 transactions in total, for O2 and Vodafone prepay.

Just cancelled my card and bank are refunding, not sure whether CRC are taking responsibility for this security breach?

So I ordered some shock bushes, got sent the wrong ones, had to pay for Saturday delivery so I could ride that weekend, then I get money stolen. GOODBYE CRC I'll not use you again!


 
Posted : 17/03/2011 5:13 pm
Posts: 0
Free Member
 

There are a couple of ways I can think of that CRC's customers have been defrauded without any evidence of tampering on their servers...............

The other could be an email phishing attack on known mountain bikers to make them click on a legitimate-looking email from CRC

of course, some of them may well have clicked though from here 😉 - just saying like 🙂


 
Posted : 17/03/2011 5:23 pm
Posts: 1676
Full Member
 

It's uncanny Mark - my last order was £57. With that kind of insider information, you have to be under suspicion...

Um, not sure why people are trying to extrapolate any kind of numbers - CRC aren't likely to even know how many people have been affected until they work out how the information was accessed, given that some won't even notice, and many won't know to tell CRC. However, I did some maths of my own, and I've decided that 1580 people have had their data stolen, based on the fact that 10% of people would report that they've been scammed on the STW site.

I reckon if that is the final disclosed figure I should win a trolley dash round the CRC warehouse, plus 30 quid in mobile phone credits.


 
Posted : 17/03/2011 5:26 pm
 Mark
Posts: 4275
Level: Black
 

based on the [b]fact[/b] that 10% of people would report that they've been scammed on the STW site.

This is what I'm always, almost obsessively, wary of..

The use of the word 'fact' when what you mean is 'my assumption based on......'

Once we start using the correct and consistent terminology then we can start to properly debate the values and through that come up with better conclusions and a more accurate picture of what is really going on.

All we have done so far though is show that CRC's last communication that included some numbers is reasonable.


 
Posted : 17/03/2011 5:35 pm
Posts: 401
Free Member
 

All we have done so far though is show that CRC's last communication that included some numbers is reasonable
...using some assumptions based on.. 😉


 
Posted : 17/03/2011 5:41 pm
Posts: 0
Free Member
 

The other could be an email phishing attack on known mountain bikers to make them click on a legitimate-looking email from CRC. When they click on the link, they would be connected to a site owned by the attackers, which logs the information entered and passes the request on to the real CRC site. The results of searches and the final order details would come from CRC, but be passed back via the fraudulent site. The shopper would never know that they're not dealing with CRC.

Perhaps I too am a coincidental, but I activated my £10 voucher at work (by clicking on the email) and placed my order with CRC using my home PC (using a favourites link).


 
Posted : 17/03/2011 5:41 pm
 anc
Posts: 0
Free Member
 

Only the banks know the numbers involved and despite what was said earlier they don't cancel cards and single out a particular retailer without good reason.


 
Posted : 17/03/2011 5:42 pm
Posts: 23194
Full Member
 

Just had a phone call from my credit card company. I would appear to have joined a less than exclusive club! £30 at Domino's Pizza!

Used CRC last week.

Card in the bin.

Not best chuffed.


 
Posted : 17/03/2011 5:43 pm
Posts: 2259
Free Member
 

As an affected customer I have received the email. This thread is getting too long for me to digest, have Chain Reaction sent the email to all potential victims or just those known to be affected?

I'm glad to see it has made the news on the site.

I also don't think there is any point doing the math when you're starting with assumptions (regarding the percentage of customers affected).


 
Posted : 17/03/2011 5:45 pm
Posts: 1676
Full Member
 

Sorry Mark, probably best to assume that when we say "fact" on here, it's with tongue firmly in cheek. 😉

The only point I was making with my post was that all of the "math" on this thread is statistical flimflammery.


 
Posted : 17/03/2011 5:49 pm
Posts: 0
Free Member
 

...using some assumptions based on..

The only point I was making with my post was that all of the "math" on this thread is statistical flimflammery

The math was based on their audited annual accounts and their own claim re 0.1% of orders affected.


 
Posted : 17/03/2011 5:53 pm
Posts: 17762
Full Member
 

I wish they'd hurry up and sort it out.

I want to order something that no one else has in stock. 😐


 
Posted : 17/03/2011 6:09 pm
 anc
Posts: 0
Free Member
 

Use paypal.


 
Posted : 17/03/2011 6:13 pm
Posts: 0
Free Member
 

Add me to the people who've used CRC recently and also had some dodgy transactions go on their CC, T-mobile top ups in this case. Cancelled my card straight away then got a call earlier today asking if the £138 sky sports subscription was anything to do with me! I'm no expert in the matter but that seems a strange thing to pay for with stolen credit card details! The SS subscription wasn't anything to do with me, just in case you were wondering.


 
Posted : 17/03/2011 6:16 pm
Posts: 23194
Full Member
 


 
Posted : 17/03/2011 6:20 pm
 DT78
Posts: 10065
Free Member
 

No email from CRC for me (yet) though not convinced it was definitely their fault.

It's even more annoying if it is your debit card. I can't actually get any money out so having to beg/borrow money at work to be able to eat (no card machines)


 
Posted : 17/03/2011 6:25 pm
Posts: 6206
Full Member
 

I wish they'd hurry up and sort it out.

I want to order something that no one else has in stock.


ditto (which is strange, cos most things on their store that I was interested in always seemed to be OOP or OOS).

my order from 27/2 arrived promptly yesterday morning

I don't want to use Paypal (50% chance my other card was scammed thru them).

PS don't know why people are extrapolating forum post numbers to try to gauge how many people got caught up in this scam. You won't get more accurate than "many hundreds/thousands" out of "many thousands/tens of thousands" of customers, and even CRC probably won't ever know an accurate number, since many won't have put 2 and 2 together, and "many" would have cards pre-emptively canceled by bank who weren't directly affected.


 
Posted : 17/03/2011 6:25 pm
Posts: 0
Free Member
 

LOL @ assumptions it's keyloggers!

(Seriously?)

If the attacker could copy the data to USB, then CRC would need authority to store the CC details on non-volatile memory (hard disks, basically). Often, a company might only have authority to keep the CC details in volatile memory (RAM), only used for processing the data - then discarded instantly. They have to comply with PCI standards.

The attacker would require a service to run, undetected, to monitor the RAM for CC details (common strings, like length, format, etc).

IMHO, it's most likely their CC database was not encrypted (when it should have been!), to acquire the sheer quantity of CC details.


 
Posted : 17/03/2011 6:40 pm
Posts: 0
Free Member
 

Just had the phone call from my credit card company, £2350 went out to Swiss Air in Switzerland today. It was a new card, only used it a few times at Chain Reaction Cycles! Don't think I will be using them again!


 
Posted : 17/03/2011 6:49 pm
Posts: 0
Free Member
 

I'm no expert in the matter but that seems a strange thing to pay for with stolen credit card details!

When my wife's card details were compromised, someone booked a hotel in Brighton for the day we discovered the fraud. The bank said there was no point in telling the police that there was a hotel room with people who were using a stolen CC because they wouldn't go and try to talk to the people. Not sure if that's true or not but it seems like a missed opportunity. Go to the hotel at 5am, get the buggers out of bed and drag them down to the station for a chat. At the very least, it'd make fraudsters a little more wary of ordering goods that needed delivery or even hotels, holidays or what have you.


 
Posted : 17/03/2011 6:53 pm
Posts: 0
Full Member
 

For the last couple of days I've been waiting to see what's happening with my current account, as on 16 March one test withdrawal for £1 followed very rapidly by another for £1282.95. Apparently it's in clearing and bank have to let it go through to track. I haven't used CRC during the period identified above, but have a lot towards the end of last year - so maybe details harvested then?

If it's not CRC, suspect Merlin or Bike24 or just an amazing coincidence?

I shall be more careful in future!


 
Posted : 17/03/2011 6:54 pm
Posts: 23194
Full Member
 

The Police should have gone round to Domino's and grobbed in the pizza that was ordered on my card.


 
Posted : 17/03/2011 7:03 pm
Posts: 401
Free Member
 

Agreed xiphon. My money is on SQL injection attack has led to CC numbers from database. The hacker then uses these numbers on sites where you can repeatedly try with different details but the same number this allows you to gain expiry date/CV2 whichever is missing.


 
Posted : 17/03/2011 7:06 pm
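The pattern described in the post above, one card number retried with different expiry/CV2 values until one is accepted, is something a merchant can detect at its own checkout. The following is an added example, not code from the thread or from any retailer: the window, threshold, key and class names are assumptions, the attempts are constructed, and the card numbers are published test numbers.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from typing import NamedTuple

HMAC_KEY = b"constructed-demo-key"  # assumption: a per-deployment secret
WINDOW_SECONDS = 600                # assumption: look-back window
MAX_DISTINCT_GUESSES = 3            # assumption: distinct declined guesses tolerated


class AuthAttempt(NamedTuple):
    ts: int         # epoch seconds
    pan: str        # card number as submitted at checkout
    expiry: str
    cv2: str
    approved: bool  # result returned by the payment processor


def _token(value: str) -> str:
    """Keyed hash, so the detector never keeps card data in clear."""
    return hmac.new(HMAC_KEY, value.encode(), hashlib.sha256).hexdigest()


class CardTestingDetector:
    """Flags a card once enough *distinct* expiry/CV2 guesses were declined."""

    def __init__(self, window=WINDOW_SECONDS, threshold=MAX_DISTINCT_GUESSES):
        self.window = window
        self.threshold = threshold
        self._declines = defaultdict(deque)  # pan token -> (ts, guess token)

    def observe(self, a: AuthAttempt) -> bool:
        history = self._declines[_token(a.pan)]
        # Forget declines that have aged out of the window.
        while history and history[0][0] <= a.ts - self.window:
            history.popleft()
        if not a.approved:
            history.append((a.ts, _token(f"{a.expiry}|{a.cv2}")))
        # A customer resubmitting the same typo counts once; an enumeration
        # run produces a new guess each time. An approval that follows such
        # a run is flagged too, so the order can be held for review.
        distinct = {guess for _, guess in history}
        return len(distinct) >= self.threshold


def flag_attempts(attempts):
    """Replay attempts in time order; one True/False flag per attempt."""
    detector = CardTestingDetector()
    return [detector.observe(a) for a in sorted(attempts, key=lambda a: a.ts)]


# Constructed sample data (published test card numbers, not real accounts).
CUSTOMER = "4111111111111111"
TESTED = "5555555555554444"
SAMPLE = [
    AuthAttempt(1000, CUSTOMER, "04/13", "123", False),  # typo
    AuthAttempt(1020, CUSTOMER, "04/13", "123", False),  # same typo resubmitted
    AuthAttempt(1050, CUSTOMER, "04/13", "132", True),   # corrected, approved
    AuthAttempt(2000, TESTED, "01/12", "000", False),
    AuthAttempt(2001, TESTED, "01/12", "001", False),
    AuthAttempt(2002, TESTED, "01/12", "002", False),    # third distinct guess
    AuthAttempt(2003, TESTED, "01/12", "003", True),     # approval after the run
    AuthAttempt(9000, TESTED, "01/12", "003", True),     # later, window expired
]

if __name__ == "__main__":
    for attempt, flagged in zip(SAMPLE, flag_attempts(SAMPLE)):
        print(attempt.ts, "FLAG" if flagged else "ok")
```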
Posts: 3774
Free Member
Topic starter
 

I think Mark should change his tag from resident grumpy to resident detective.
What do the numbers matter? Like I said earlier, 1 or 1,000 people affected, I would hope CRC would treat it the same and investigate fully anyway. A security breach is a breach no matter how many people are affected.


 
Posted : 17/03/2011 7:11 pm
Posts: 0
Free Member
 

I think the point was people were questioning CRC's statement of 0.1% of orders being affected. The math based on stated turnover and order value showed that it seemed in the right order of magnitude given the known reports here.


 
Posted : 17/03/2011 7:16 pm
Posts: 0
Free Member
 

O2 removed £30 from my account after I used CRC. Card was new and I don’t use O2. The bank sent me a letter and a new card.


 
Posted : 17/03/2011 7:23 pm
Posts: 3774
Free Member
Topic starter
 

OK Damo, based on reports on here, but if you google CRC credit card fraud you will find cases in New Zealand, France, Spain, Finland and all around the world. I bet they haven't posted here. You can do calculations based on so many assumptions but they neither prove nor disprove anything. Unfortunately I believe cases reported here are only the tip of a much bigger iceberg and, like others have said, if CRC don't yet know the source no one can guess on numbers affected.


 
Posted : 17/03/2011 7:29 pm
Posts: 0
Free Member
 

OK Damo, based on reports on here, but if you google CRC credit card fraud you will find cases in New Zealand, France, Spain, Finland and all around the world. I bet they haven't posted here. You can do calculations based on so many assumptions but they neither prove nor disprove anything. Unfortunately I believe cases reported here are only the tip of a much bigger iceberg and, like others have said, if CRC don't yet know the source no one can guess on numbers affected.

If that's the case then it shows that CRC are under-reporting the cases at 0.1%, i.e. there are more than 0.1% of orders affected.


 
Posted : 17/03/2011 7:30 pm
Posts: 0
Free Member
 

So....

Not wanting to trawl through 700 odd posts,

Payments to CRC via:
Paypal = OK
Credit card = compromised
?

Or am I missing something?


 
Posted : 17/03/2011 7:46 pm
Posts: 0
Free Member
 

Hmmm,
I've not been through all the pages but I have had my Bank Card Details stolen. 🙁 Visa Debit in case you were wondering.
15gbp was taken and used to top up a pay and go O2 sim card, somewhere in London.
I am not sure if it was CRC that lost the details. Fraud guy at RBS said that there are many ways they can get your card details.
I have passed my information on to CRC, who knows it may help them catch the thief that did this.
Hope everyone else manages to get their money back and getting your new card is not too difficult.

In future I will try checking out with PayPal, I think that is safer but honestly I am not sure 🙁
Nick


 
Posted : 17/03/2011 8:29 pm
Posts: 0
Free Member
 

Right, what i want to be able to do is remove my details from their site.

I'm sure that when you log in your credit card details are stored there, are they not? I'm not going to try buying something and may be incorrect but I'm sure the card details were held.

If not then I still want to remove my login details and it won't let me!


 
Posted : 17/03/2011 8:30 pm
Posts: 0
Free Member
 

Another victim here, MBNA fraud phoned me a couple of days ago to tell me that £700 had been spent with Mamas and Papas! At least they were on the ball and realised it wasn't in line with my 'usual' spending and stopped the payment.


 
Posted : 17/03/2011 8:56 pm
Posts: 5756
Free Member
 

I've had the 'apology email' from crc. I haven't contacted them direct, but I have posted on this thread as affected. My user name is pretty obvious to link to my crc account.....but I still assume that the 'apology email' has simply gone to all recent customers.

these thieves....must make a lot of phone calls judging by the O2, Carphone Warehouse and Vodafone purchases they make fraudulently!


 
Posted : 17/03/2011 8:59 pm
Posts: 5756
Free Member
 

Oh and a 'well done' to halifax card services. Replacement card arrived today, just 2 days after the other was cancelled.


 
Posted : 17/03/2011 9:04 pm
Posts: 17298
Full Member
 

I posted about 10 pages ago, having had my card fraudulently used. New card now so all ok. I emailed CRC this morning to state the facts and point out that I had spent a small fortune with them over the years. I got the standard email back, but was also surprised to get a phonecall update from them this afternoon - no new info, but a human voice, an apology and an undertaking to call back once they have got to the bottom of it. Now I think that is actually pretty decent.


 
Posted : 17/03/2011 9:29 pm
Posts: 401
Free Member
 

neilnevill : they sell the airtime on


 
Posted : 17/03/2011 9:34 pm
Posts: 149
Free Member
 

Have been away all week and back to discover my card details have been used!! Apparently 2-3K was approved!!!! 😯 They say they will remove the amounts and/or I will have to claim them back. Will get on to all involved in the morning to try sort more out.....


 
Posted : 17/03/2011 10:17 pm
Posts: 3351
Free Member
 

I've yet to receive anything from CRC.

I can handle the inconvenience of having to organise new card etc, CRC may well buy in the online purchasing facility from a third party that's been compromised.

If they don't encrypt the logs of credit card transactions then they're asking for trouble, but then how many online companies actually bother to go to those lengths?


 
Posted : 17/03/2011 10:21 pm
Posts: 0
Free Member
 

DavidB - Member
Agreed xiphon. My money is on SQL injection attack has led to CC numbers from database. The hacker then uses these numbers on sites where you can repeatedly try with different details but the same number this allows you to gain expiry date/CV2 whichever is missing.

SQL Injection sounds about right too, if the attacker was external (i.e. not CRC employee.... can't rule it out!)

Probably been harvesting data for months, then tried to use as many as possible in a short time period.

If they don't encrypt the logs of credit card transactions then they're asking for trouble, but then how many online companies actually bother to go to those lengths?

Any company who deals with financial information needs to comply - by law - to various standards, or the payment processing company/bank won't deal with them.


 
Posted : 18/03/2011 12:53 am
Posts: 0
Free Member
 

Add me to the list. Hit for O2 pre pay, thirty quid only days after a CRC order. Cancelled card. Minor headache for me. Got new card.

I'm reluctant to use Chain Reaction Cycles again.

Then I warned a friend who had just ordered from CRC and, would you believe it - he was hit for O2 pre pay, thirty quid only days after a CRC order. He cancelled his card. Headache.


 
Posted : 18/03/2011 7:49 am
Posts: 1617
Free Member
 

Paypal are going to make a killing from this!


 
Posted : 18/03/2011 7:50 am
Posts: 0
Free Member
 

SQL Injection sounds about right

I find it hard to believe a website of the size of CRC would be subject to a SQL injection attack - preventing this is not difficult and everyone involved in data driven sites is aware of it as a threat... aren't they??


 
Posted : 18/03/2011 8:23 am
Posts: 58
Free Member
 

Mmm, only 0.1% of customers affected eh, be nice if CRC offered a nice big discount to those who've had the hassle of their card being scammed then, 20% off my next order please, after all it's only 0.1% of their sales for that period (apparently?) so it would be nothing to them! 😐


 
Posted : 18/03/2011 8:54 am