LLoyds fraud department called me today to inform me that they had blocked a possible attempt by "global telecoms" to debit £462 from my account.
They mentioned CRC to me as a possible source, not the otherway round. I dismissed it to them, not believing it could be their site as have been using them for years with no problems. Id used them last week.
Got home stuck some coal in the pewder and fired up the forum and was suprised to find it has happened to loads of others. Yeah massive coincidence.
Bike Forum
[closed]
No CRC security issues?
-
Posted 1 year ago #
-
Ok - here's an idea for another thread.
Hands up if you've had a fraudulent transaction in the last two weeks - AND YOU NEVER USE CRC?
Posted 1 year ago # -
I used them a couple of weeks ago. But because of the other thread I thought I should check the credit card statement. Which my wife saw.
No fraud, but I'm now in trouble for spending too much money on toys. Damn!Posted 1 year ago # -
Stoats...
IP addresses... yes, it's IP addresses but if you are going to count the dynamics then you also need to consider those accessing through a network - at work say - where only one IP will be assigned to many. Yes, IP addresses are NOT actual people but it's the best measure that any website has got right now it's a generally accurate measure - and via Google analytics at least the ruler is the same for almost everyone now.
It's also not 1% of the UK as we are a VERY global website and our traffic sources are very wide and varied.
And I'm not talking down the issue, just trying to add a little rationality to what is at this point in time just hearsay and anectodes and if you consider a relatively small number (it looks a lot but in relation to the sheer staggering number of transactions that go through CRC every day) is a 'clear security ' issue then I'm rather glad you are not a detective or a judge.. You aren't are you?
As for the cynic comment that's just nonsense. You say you are sure that's not the case but you couldn;t help bringing it up. Answer me this.. is my argument irrational or logical? And I'll further remind you that I've not said there isn't an issue with CRC but merely that adding up anecdotal comments on a forum is not the best evidence to hang a judgement on.
There's already almost a consensus that this issue is directly linked to the voucher use and yet reading back through the comments there are several posters who point out that they have lost money and yet have NOT used the vouchers. This kind of suggests that the voucher issue is a red herring, and yet human judgement being what it is (naturally irrational) many people have blocked that out and the opinion that this is linked to vouchers has prevailed.
I'm simply suggesting that keeping calm, cautious and looking at the evidence with care and rational thinking is much more likely to lead us to the source of these fraudulent transactions than simply adding up posts on a forum. Who knows.. maybe there will turn out to be a problem with CRC but it's surely a little early to be sharpening pitchforks.
Posted 1 year ago # -
just found this thread and also read the other one that this is a response to.
I ordered some stuff from CRC that was out of stock a few weeks back as price was good and I was prepared to wait for it to come in. It came in last week and the card was duly charged, and goods have been received.
I was called yesterday by my bank querying 3x20 quid top ups for Vodafone. They also specifically asked me to confirm a CRC transaction.
How does that work then, if companies can't store CC details; I put mine in several weeks ago but they weren't used until the goods were ready to be shipped? Where were they stored in the meantime?
That also to me suggests it's not keystroke logging or the like, seeing as if that was the case then the details would have been ready for use shortly after order was placed, whereas they only got used after the CRC transaction a while later.
If it looks like a duck, walks like a duck, and quacks like a duck, chances are it's a duck.
Posted 1 year ago # -
Posted 1 year ago # -
theotherjonv - Member
just found this thread and also read the other one that this is a response to.I ordered some stuff from CRC that was out of stock a few weeks back as price was good and I was prepared to wait for it to come in. It came in last week and the card was duly charged, and goods have been received.
I was called yesterday by my bank querying 3x20 quid top ups for Vodafone. They also specifically asked me to confirm a CRC transaction.
How does that work then, if companies can't store CC details; I put mine in several weeks ago but they weren't used until the goods were ready to be shipped? Where were they stored in the meantime?
That also to me suggests it's not keystroke logging or the like, seeing as if that was the case then the details would have been ready for use shortly after order was placed, whereas they only got used after the CRC transaction a while later.
If it looks like a duck, walks like a duck, and quacks like a duck, chances are it's a duck.
Companies are required to be certified if they are processing or storing (or both) details such as credit card numbers.
A company I worked for previously, only had a license to store the CC numbers in the RAM of the transaction server. They were not permitted to write the data to hard disk.
Sounds like CRC have permission to store their CC data in a database - and this server was compromised, either as a direct attack on CRC's website - or an attack on their infrastructure (wireless entry, physical entry, etc)
CRC are big fish, and will have a vast quantity of customers CC details - which makes them prime targets.
Posted 1 year ago # -
I was called yesterday by my bank querying 3x20 quid top ups for Vodafone. They also specifically asked me to confirm a CRC transaction
In a quick google search CRC comes up as a past target for using nicked cards as I assume it has at some point been relatively easy to order stuff to a funny address then ebay the lot
Posted 1 year ago # -
i really doubt its coincendence to be honest - its not as if were talking 2 or 3 people hit - which i could understand the point of this thread...
a whole thread on here with lets say 80 people (and numerous other forums too) have reported fraud after just using CRC within a week or so...now i doubt they have all just used CRC on their CC, but im sure the 80 reported people also dont have the same online virus scanner or lack of to blame the computer they own, nor shopped at exactly the same other online places etc etc etc for it to be considered something else - so it is way more than 'just coincendence' in my eyes...
im not sure how they can combat it, but its definitely lost my trust for the time being....
i bet a pound to a penny in a month we discover it 'was' CRC all along...
Posted 1 year ago # -
Mark - thanks. I do i having acquaintances who run forums of roughly half the size of this one and understand the commercial pressures advertisers can sometimes bring to bear, and I am typing this into a box immediately beneath a Vitus/CRC advert. But I am glad to hear there is nothing similar here.
Yes - ip addresses are the best measure you have - but I think site visits are a more honest way of describing things than "visitors" which really implies individual people - which is sort of what you implied... isn't it?
It sounds from one or two of the more recent posts that the CC administrators themselves think that there may be a problem with CRC.
But whilst avoiding sharpening the pitchforks - and you don't address either of the assumptions I think you are making btw... - if you had done business with CRC in the last 2 weeks - would you be checking your credit card statement more closely?
Posted 1 year ago # -
Mark - you're getting confused between 'page impressions' and 'unique visitors'
Both quite different things. One 'unique visitor' could view 20 web pages, each made up of 100 elements (images/javascripts/etc)
1 'unique visitor' = 20 'page impressions' = '2000 individual HTTP requests'
So for the STW figures you posted:
7.74 million page views in the last 30 days
1.3 million visits
476,286 visitors= 7.74m individual requests
1.3m page impressions
470k individual visitors. <-- the important onePosted 1 year ago # -
Its nice to see CRC posting a good response.
Still checking my card though, even though I used Paypal - seems people who used it ages ago are now getting done.
Posted 1 year ago # -
i take back what I said.
Had 2 messages on my phone from yesterday from my credit card company.
Brand new card I used for the 1st and only time at CRC and 4 attempts to buy mobile phones. One in America by a Mark P McConnell and some more from Car Phone Warehouse and Orange.
Posted 1 year ago # -
its alright for these journos like Mark though innit, they dont have to get their credit cards out to CRC, they get their stuff free on a Friday
(I am joking Mark)Seriously though it would seem there is an issue - CRC have said as much on the other thread now, where the issue is or how it happened we maybe dont know, but is that important (and does speculating about it really get us anywhere)? I started the other thread to make people aware when it all seemed to be kicking off elsewhere, how many people that read it may not have been any the wiser if they hadnt seen it and the fraud (wherever it originated from) may have gone un-noticed for even longer, even CRC didnt know originally. So surely thats a good thing, a prime example of a forum like this working for its users?
I don't think anyone is sharpening pitchforks or accusing CRC management of taking details personally, lets face it at the end of the day we are all their customers, we still want cheap bike bits and good service, CRC provide this, we will all be back shopping there once this is resolved. Many companies suffer fraud daily, this could just as easily happen to Tesco or to the little one man online retailer working out of his garden shed, just so happens this time it looks to have been CRC
And as for sizes CRC may be the biggest bike shop in the world and they may process thousands of transactions a day but in wider internet retail they are still small when compred to some others out there (and besides size has no relation to transaction processing security measures)
Using website hits to try and justify that 'its not a big problem' is frankly in my eyes not really on. It doesnt matter if one person or one million people are affected it is still a criminal activity affecting one of our suppliers (they are not a site sponsor or an advertiser - they are that company alot of us rely on to be able to partake in this sport) and the loophole is still there and needs investigating and closing no matter who has been a victim
It looks like CRC and the card companies are onto this now, so Im looking ahead and hoping that next week I can order my chainrings safely, because while the chainrings can wait I really have an urgent need for a big brown boxPosted 1 year ago # -
The other thread isn't a witch hunt its simply a load of CR customers spotting a link and warning others. You cannot measure a issue like this by posts on some random mtb forum its is totally flawed!! The posts on here are likely to be the tip of the iceberg as many people (a)won't have been hit yet (b)not seen their statement and/or not made the connection (c) and many many customers just won't use forums.
If people didn't post what they experienced, then CR would have probably be unaware there was a breach and the fraudsters would continue to cash in.
Now at least they are dealing with the issue, yes bad in the short term for CRC, but good in the long term for everyone. Posted 1 year ago # -
xiphon,
sorry but there's no mistake.. We don't confuse 'hits' with page impressions. The stats are real. We deliver 7.74 million 'pages'.. that's complete pages.. if we counted the 'hits' there'd be 20 times that figure. 'Hit's' or 'requests' is, as you suggest, a rather loose and frankly useless figure that we never quote.
Count the ads on this page. There's typically 7 ads per page. In the last 30 days we've delivered almost 50 million ad impressions. Those figures are checked and double checked as most of our advertisers pay for them by the thousand (CPM) take that figure of 50 million ad impressions and divide it by 7 ads per page and you get a little over 7 million complete page impressions. Not 'requests' or 'Hits'
We really do deliver that many complete pages. Stop doing yourself down! You are part of one of the world's largest online MTB communities
Posted 1 year ago # -
What ads?
7 million? Still quite a way behind PB's 70 million!!
Posted 1 year ago # -
I just placed a big order with CRC last night*. Is my account going to be emptied!?
*Paid by Paypal though...
Posted 1 year ago # -
IIRC PayPal payment does not disclose the CC details to the 'seller' - they use a one-time unique token system.
Buyer has £10 in his basket, and wants to pay via PayPal.
CRC ask PayPal to authorise £10 from Buyers account.
PayPal says "Yes - transaction complete - here is a unique number for this payment collection"
CRC says to buyer "PayPal have said yes, and debited your account on our behalf"
CRC sends items purchased.
PayPal send CRC the money.
Posted 1 year ago # -
Twohats, I did the same, but at the moment it seems only CC fraud. But you may want to consider how your PayPal account is linked to your bank account. Theoretically your PP a/c could be hacked and your bank emptied. At least with a Credit Card you can say it wasnt you, that may be harder to explain to PP.
Posted 1 year ago # -
iv not had any problems and always pay by pp
altho mum used amazon a few years ago and has had a credit card opend up in her name in the states using her uk address.
Posted 1 year ago # -
Twohats, I did the same, but at the moment it seems only CC fraud. But you may want to consider how your PayPal account is linked to your bank account. Theoretically your PP a/c could be hacked and your bank emptied. At least with a Credit Card you can say it wasnt you, that may be harder to explain to PP.
My Paypal is linked to a debit card that is only used online and only ever topped up with the amount needed per transaction. No money in the account = no use to anybody should they obtain any of my details.
Posted 1 year ago # -
Not seen anyone saying they made purchases on Merlin/Wiggle etc then had their cards compromised, surely this has got to be more than coincidence?
Posted 1 year ago # -
I can't help thinking that Mark's first post on this thread was prompted by a phone call that went something like...
Lord ChainReaction; We've noticed a dip in sales. Do something about it.
STW Minion; Yes Sir, very good Sir, I'll get somebody on to it right away Sir.Pure speculation of course. I'd like to see the current spate of reported frauds put in to context with known typical fraud frequency.
Posted 1 year ago # -
Not seen anyone saying they made purchases on Merlin/Wiggle etc then had their cards compromised,
I remember when it were all fields round here, and the name "wiggle" could be seen burning on the pyre.
The great wiggle fraud battle of, what, 2008/9?
Posted 1 year ago # -
Stop doing yourself down! You are part of one of the world's largest online MTB communities
Careful, the nicheness-halo might slip!
Posted 1 year ago # -
Anyone had any more issues lately? I bought some stuff from CRC in mid March (from NZ)and found some one had bought almost a grands worth of stuff from a printer ink company in Italy! It's a bit of an inconvenience having to change all the DD and getting the cash back.
This is the first time that i have ever been a subject of CC fraud.
Coincidence, or something more sinister?
Posted 1 year ago # -
I'm not interested in all the stats - is it safe now?
Posted 1 year ago # -
used my card 2 days ago with them.
bank cancelled it just to be safe ! :@
Posted 1 year ago # -
I'm not interested in all the stats - is it safe now?
I got this from CRC. They think it is resolved.
Hi,
Following your recent contact with us and concerns about having experienced credit card fraud, we are pleased to be able to give you further feedback.
The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.
The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.
We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.
PARAGRAPH REMOVED ABOUT MY VOUCHER
Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.
Thanks again for your patience and support,
Michael Cowan
CRC Senior ManagementPosted 1 year ago # -
My card got done on Wednesday this week. $1 to a US company and the £20 on a mobile top up. M&S stopped both of them but it's the 2nd time this year for me. Didn't initially connect the first one with CRC but the pattern matches the second one. Card and security number was new in Feb and there was one CRC payment on the last statement so it could have been harvested some time ago or it could be nothing to do with CRC. No comment from CRC although I have emailed them.
Who knows.
Posted 1 year ago # -
used CRC in the first 2 weeks of March, think it may of been the 9th and had someone try and get £130 of goods a week later. used CRC last week and nothing now. so they problem has been solved and i do belive it was something at CRC's end and they have admitted it.
Hi,
Following your recent contact with us and concerns about having experienced credit card fraud, we are pleased to be able to give you further feedback.
The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.
The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.
We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.
We would like to offer you, by way of an apology, a £30 on-line voucher for use when you next come back to shop with us. The activator for your voucher is the email address you have received this email to. Simply input your email address into the e-voucher code box at the checkout to receive the discount.
Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.
Thanks again for your patience and support,
Michael Cowan
CRC Senior Managementso i don't know why your trying to say it wasn't them?
Posted 1 year ago # -
just received my statement and been stung for just over £200 to one site, plus 50p ish I think to a US site. which both went through. Last order to CRC was first week of March.
Posted 1 year ago # -
Yup, just posted on t'other thread, but I got done after spending with CRC on 24th March. The frauds started coming through about 16th April, and there were many.
N.B. This was a new card.
Posted 1 year ago # -
it really doesnt look like CRC is safe despite Mr CRC's public statement
Posted 1 year ago #
Topic Closed
This topic has been closed to new replies.
