Forum menu
clubber - MemberThat's overkill. Paypal is safe here because Crc never get any of your pp details other than email address and confirmation that you paid. Unless pp is compromised ( ) then it's fine.
Yes, it's overkilled which is a slight hassle but then it's only changing p/w and you can always change your p/w back again at a later date considering all the CC breached.
But there's no point or reason to do it as it's irrelevant. I could just as reasonably suggest you sacrifice a chicken.
Though I'll point out again that if you use the same email/pw for pp as you do for everything else you're asking for trouble anyway.
Hmmm I was surprised at the number of people who reported problems with other Internet sites after STW was hacked due to having the same password!
EDIT: 3 purchases here from CRC using paypal and no problems, but have changed password just to be safe!
Why would you change your paypal password? That's completely pointless in this case.
bigjim - MemberWhy would you change your paypal password? That's completely pointless in this case.
Just a precaution that's all but if you are confident that it will not affect your Paypal then don't change anything. We just don't know how advance some trojna can be nowadays.
Guess what, yes I have just had the phone call last night from HSBC, my card details have been scamed. My last transaction was with CRC 2 weeks ago. O2 vouchers £30 worth was tried but HSBC blocked the transaction as they said that my card number was on a list of many, they seem to know which card numbers have been scamed.
Paypal from now on.
[b]Chewkh[/b] you just haven't read this thread at all... have you... 🙄
No issues at all with people paying by paypal which is also the payment window for many many outlets including ebay. This is specific to CC payments to CRC. Credit Cards companies implying that it is CRC themselves who have been compromised. Very clear that this is not a trojan or a key logger on customer side. Could be a problem with hacking of the third party who provides CRCs payments system, or an inside job.
Why would you suggest something like that ❓
Do you guys have nothing better to do than argue on the net? It would be nice if the size of this thread was in proportion to the size of the issue, rather than in proportion to the amount of guff you want to spout.
World's largest online Bike Store has dozens and perhaps hundreds of scam transactions... not exactly fast to respond or fess up...and does not mention anything about it on their home page...
[b]waderider[/b] how big an issue does this have to be... on a bike forum... ?
The way CRC are handling it is almost a case study in how to not manage a problem. They are really at risk of permanently damaging their credibility and customer relationships unless they:
1. Formally acknowledge the problem
2. Tell us how big the problem is
3. Tell us what steps they have taken so far to mitigate the impact on customers who have had card data misused
4. Tell us whether the police are involved yet (if they are allowed to confirm this)
5. Tell us who is accountable for resolving the current issue and putting things right and how any improvements to site security will be communicated to customers.
Until they do these things, I suspect that many long standing customers will vote with their wallets and shop elsewhere.
The other question that arises out of this debacle is the role o2 seem to be playing in enabling compromised card data to be used for the purchase of airtime.
Presumably it's fairly straightforward for o2 to determine the channel through which the airtime is being purchased, and the phone numbers that it's subsequently used on (as well as where these phones actually are).
o2's systems seems to allow (by accident or design) large numbers of credit card numbers to be used to purchase airtime that is presumably used on a small number of phones that in turn are used in static places for low cost call operations. Surely it can't be that difficult for o2 to stop their own systems being used to monetise the proceeds of fraud?
John,
you are so right. I emailed CRC many days ago, per their post on this thread. I have heard nothing back.
So... I have just ordered 2 new tyres from those nice chaps in Portsmouth. I paid a tad more, but security's worth a few pennies.
do you think it is a small number of people who are purchasing things with everyones CC's or do you think it would be a large scale operation?
I would have though there is the ability to trace all of these in this day and age of modern whiz bang technology?
A few members of another forum (Swedish, so I guess no point in linking) have reported problems using Paypal too. There were attempts to use their accounts at other online retailers after purchasing from CRC. Don't know how much truth there is to it though, just that I won't be touching CRC for quite some time.
My card got scammed about a month ago (those small fishing transactions, luckily Nationwide picked up on it). Reading this thread i'm thinking it must have been due to CRC - i barely use my card anywhere else online. Absolute swines. I won't be shopping there again.
Warpcow - the way you pay with pp means you never actually show your pw to the retailer. You enter your pp pw into paypal itself even if you've got there via a shop. For pp to be compromised via crc it'd have to be a completely different method of fraud.
I understood that (it's my preferred method of payment in other stores), but figured it might be worth noting even if it seems unlikely. I guess it might be users having the same password for their CRC and paypal accounts.
Bought at CRC with my debit card on the 8th; had a £20 O2 prepay voucher purchased on my card this morning.
Yep but again, you really are asking for it if you do that...
Is that directed at me?
Aimed at my comment I think 😉
The "Delete Previously used Debit / Credit Cards" on CRC has gone.
If I log on I cannot find it - maybe it's me, but last time I looked I found a message that "no card info is currently held". So something is being done their end.
Out of 6 riders today - one had been hit, he had no idea of the link. Bank phoned up and said his card was one of many they were cancelling as a precaution.
Yes, aimed at warpcow 🙂
I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning, fortunately it was declined. They even went to the extend of changing the password on the RBS Secure (an extra level of security for online purchases). I was only notified by an e-mail thanking me for changing my password. There will be several phone calls to several customer service departments demanding to know what the hell is going on.
I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning
It was Chain Reaction Cycles that was the source of the attempted charge?
That's exactly what happened to me,only with TSB's Clicksafe system. To be fair , my money was paid back within 3 hours of contacting their fraud dept.
The way CRC are handling it is almost a case study in how to not manage a problem.
well I'm impressed that they haven't taken the Wiggle approach (we remember that one?) where all posts talking about the problem were removed with the threat of legal action (although I'll not be too surprised if this thread doesn't go missing at some point soon)
I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning,
Sorry I worded that badly, I should of said
"I ordered online with CRC last Sunday, this morning some scammer tried to hit my card for £699"
I had started to calm down after this morning, but having been made aware of this thread and then reading it, I am now fuming again.
Tim
Especially as it appears they must sponsor STW a fair bit with the ammount of ads currently on here.
Still cant undertand why they havent made an official announcement, I would hope they do tomorrow with it being Monday and a working day, its not even that they dont know this post exists!
Plus think how many use CRC who dont even use STW and are getting card swiped.
I wonder why the scammers think they could get away for using others CC, surely whatever they pay for needs to be delivered to an address and that should be a dead give away location ... 🙄 The rest just leave it to the police but yes the cost of arresting is expensive.
🙄
Just got the same issue.
Bought something from CRC a week ago. Tried ro pay by Paypal but there was an error inthe transaction between CRC anPaypal so paid on debit card. Just checked account today and got a £30 O2 Prepay debit on my account:-(
chewkw,i know a bike shop owner that got robbed of a 3k bike.the courier delivered it,signed for (with a scribble) and that was the end of it.Someone got a bike for free after calling up their bank and telling them that someone had just bought a mountain bike using their card.. then got it refunded.
you could easily sit outside someones busy street address in a car and pop out when you see a delivery driver.you could sit there all morning waiting for an expensive bike and pretend to be the occupant.
[img] 
[/img]
🙄Buy online securely with confidence on this site
surely whatever they pay for needs to be delivered to an address and that should be a dead give away location
It seems to be mostly mobile telephone prepay vouchers that are being purchased. For all intents and purposes, they are untraceable.
Before the pitchforks come out, it's worth noting that the O2 Prepay fraud goes way, way beyond a bunch of riders who think they've found the common denominator. A web search ([url= http://www.google.co.uk/search?q=o2+prepay+fraud&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a ]link[/url]) brings up incidents going back over the last few years. O2 even recognise the issue as far back as 2008 ([url= http://forum.o2.co.uk/viewtopic.php?p=68319 ]link[/url]). One post I found on moneysavingexpert.com makes this point:
So many people are so quick to accuse companies, banks, or websites, for allowing their card details to be passed to fraudsters.This is, in general, not the way it works. Large sites (e.g. Paypal) do their own payment processing, and smaller sites subcontract this out to someone like Worldpay. All these organisations have to be so very careful with our card details, as the amount of fines and worldwide reputational damage would be crippling to their business. I do not believe that these companies have anything to do with these fraud cases.
All these cases of PAYG mobile top-up fraud happen online. That indicates that a 'clone' of the card doesn't exist. So the fraud probably doesn't originate from an ATM, because a device on the ATM, along with 'shoulder-surfing', would enable the fraudster to create a clone, and this, along with your PIN, could be used for ATM withdrawals.
Instead, all that they have is your 16 digit card number, your three digit security code, and your expiry date. With a powerful enough computer, they can just create millions of different possibilities. Each of these is used for a small 'authorisation' transaction, typically for about 1p. (This normally doesn't show up on your statement, but you may notice your available balance decrease by this amount for a few days where one of these has occured.) After they get a successful one, they'll put through a 'real' transaction, for a low value. This is where you see the mobile top-up or cinema ticket.
There is nothing that we can do to stop this at the present time (without advances in technology), apart from being vigilant ourselves (so that we notice the transactions quickly and can stop our cards) and hoping that the banks do the same (e.g. Halifax phoned me to warn me as soon as my card number was used fraudulently; I think Egg do the same). And don't try to shift the blame onto random websites/ATMs that you've used recently, chances are, they don't deserve it. (Although there will always be the odd exception, I appreciate that!)
There is the possibility that scammers are just going into overdrive at the moment and CRC are getting blamed because it's what all of the victims on STW have in common; and it's human nature to try and observe a pattern or common thread.
IN which case there would be a similar proportion of non-CRC users also being hit. But I'm not aware anyone has yet posted along those line?Three_Fish - Member
There is the possibility that scammers are just going into overdrive at the moment and CRC are getting blamed because it's what all of the victims on STW have in common
IN which case there would be a similar proportion of non-CRC users also being hit. But I'm not aware anyone has yet posted along those line?
We aren't exactly dealing with scientifically collected sample data, though; are we? The point is that this problem has been around for years and there is no particularly compelling evidence to suggest that CRC are in any way responsible or negligent. I'm not saying for a minute that what is being discussed in this thread is definitely [u]not[/u] an example of a particular company's (CRC) security weakness; but it could be just as likely that they are completely unconnected.
Perhaps we'll hear from them once business hours resume tomorrow. Virtually all of the bicycle-related forums are discussing the subject and CRC will have to demonstrate some kind of response sooner or later.
It's at least a week since this was reported. Why would another day make a difference?Three_Fish - Member
Perhaps we'll hear from them once business hours resume tomorrow. Virtually all of the bicycle-related forums are discussing the subject and CRC will have to demonstrate some kind of response sooner or later.
It's at least a week since this was reported. Why would another day make a difference?
I don't know - maybe they didn't think that it would reach the intensity that it has in the last few days. That, however, and like pretty much all of this thread, is nothing more than conjecture.
So the comments from Crc management saying they are investigating and asking affected people to contact them earlier in the thead don't count for anything then?
You did read all 11 pages before commenting I presume?
Same problems here.
28/02/11 Ordered from CRC, paid by card.
01/03/11 Items dispatched.
02/03/11 Items arrived.
03/03/11 Card charged by CRC.
07/03/11 Card fraudulently charged with 2*£15 O2 Prepay.
08/03/11 Checked online bank statement, noticed discrepancy, notified bank (Barclays), had card stopped and amount refunded immediately.
10/03/11 Received new card.
Ordered on personal PC running Linux, using Chrome browser.
I wasn't aware of the potential CRC link until Mr Fluffykittens told me about this thread a few days ago.
All a bit of a pita, and what's worse is that it was new shoes that I'd ordered and I've been too ill to use them 🙁
meh.
Fair enough about the recent comments on here from CRC, to me it does seem that CRC are waiting for people to notice a problem and then happen upon an internet forum to realise the cause rather than proactivly contacting customers to say there might be a problem.
It wouldn't surprise me if there are quite a few CRC customers who have been hit, but dont realise as they have no way of knowing, and who dont frequent the forums to find out. Surprising as it might seem 😀
It pretty clear that they have lost card data at point of receipt prior to encryption as it goes through their e-commerce system. Either through internal or external fraud. They MUST also by now have an idea of the data range of which customers are affected.
How difficult is it for them to punt out an email to all recent customers saying "sorry guys there has been a problem". Its not like they have a problem emailing customers is it?
Whether its a weekend is irrelevant IMO as they have een taking money of people all weekend. For a company their size its poor treatment of their customers and I guess a commercial disaster. Three fish has it about right what they should be doing.
So the comments from Crc management saying they are investigating and asking affected people to contact them earlier in the thead don't count for anything then?
Of course they're investigating, and it's obvious that they'll also be considering the [b]possibility[/b] that the problem is directly related to them.
How difficult is it for them to punt out an email to all recent customers saying "sorry guys there has been a problem".
It could be extremely difficult, I'd imagine, from both a legal and commercial point of view. Nobody here actually knows the percentage of CRC's customers that have been affected, so if it is, for example, two to three percent, it would be foolish of them to contact all of their (potential) customers and tell them that their system is not, or may not, be secure. If what they have now is a commercial disaster, an admission of responsibility could be many, many times worse. I'm not sure how a public admission, or even suggestion, from them would affect their position in terms of liability.
i read about this on the website road cc forum.
i cant see it anywhere else, bikebiz or cycling news?
http://road.cc/content/forum/32203-chain-reaction-cycles-credit-card-fraud
Just been on to the bank - £1200 to johnlewis and another £600 to an online site from yesterday. My last order to CRC was on June last year so unsure if it's related or not. The guy I spoke to did say "there has been a lot of suspicious activity recently".
Ordered on CRC last week, got a phone call from the bank yesterday saying that a payment of £15 for an O2 top up had been declined.
Card cancelled.
Ordering from CRC in the future definately cancelled
From reading in a Finnish biking forum I find it hardly unlikely that this would not be directly related to CRC. There is a load of Finnish customers who have not used their card for any other online services then CRC, and they have been contacted by their banks within the last few days regarding closing the card for security reasons.