Actually, despite all this I will still be using CRC (just have today).
I use Paypal and I don't see any online shop being more or less safe than CRC is. Didn't Wiggle have an issue some time ago?
They may never find out what happened or how, but in the meantime the CC purchases that were illegal have / will have been refunded. So hopefully people will only have lost some time and not money.
I phoned Barclaycard earlier to cancel my card, they asked why so I told them about CRC etc and immediately the bloke in Bombay starts trying to sell me Identity Theft / Fraud Insurance, a bargain at £80/year! 😯
I told him I'd just like to cancel my card, get a new one. Had to sit through another few minutes of sales spiel, then I finally interrupted and asked him if he'd cancelled my card. "Oh, why do you want to do that?"
AARRRRRGGGHHHH!
It'd be simpler just to let the bloody fraudsters have it!
Seems to be sorted now and apparently my new card is in the post. No doubt with a whole load of sales crap attached to it.
I hate Barclaycard - haven't used them for 10 years!
Just been stung myself, on a card I've not used for anything for a while... Bank asked "Can you think of any way that someone could have got hold of the card details?" so I said "Well, there's a rumour going round about one of the online bike shops". "Yup, that'll be it, I'll pass your details on to the team dealing with the Chain Reaction issue" who then said "Have you got any other cards that you've used with Chain Reaction? OK, we'll cancel them too". So CRC might not consider it proven but the professionals seem to.
For those of you that have been in touch with CRC, did you get any response? I emailed but have heard nothing back. Almost a week without any credit or debit cards, a real PITA having to trek to the bank any time I need money. 😡
Just spotted this thread, I got done too. Ordered stuff from CRC on 2nd March, and card was used twice last week fraudulently at John Lewis and Stagecoach. Luckily the CC company were on the ball and alerted me straight away and stopped the card.
Quite worrying though, and seeing as this seems to be a known issue which has affected a lot of people I find the lack of contact/notification from CRC extremely disturbing. I won't be using them again any time soon.
New chain ordered through Chain Reaction in January, few days later card was cancelled due to someone trying to top up their phone card with my details.
Last week Helly Hansen base ordered through Chain Reaction, yesterday my new card was cancelled again.
I run Windows 7 with Chrome and McAfee.
No response from CRC either... Bit of a pee take!
Barstewards just got me - order placed last night, fraud dept call this afternoon. Vodafone top ups and £350 of online menswear.
This is clearly more than a coincidence - CRC need to do something to sort this out.
Took a call today from "Al" of CRC to VM at about midday, then again at about 13:30. Friendly and helpful. Advised that CRC is using an independent company to investigate. Didn't admit to it being a CRC problem (from a legal prejudice point of view, I understand this). Has offered to keep me informed and flagged my account accordingly. Advised that they strongly believe there have been no hacks involving Paypal transactions (did not guarantee, but see my above comment ref legal prejudice and all that). He mentioned that some postings on forums (fora?) allude to compromised Paypal transactions but that those they have been able to investigate have been erroneous. (Cue to post for anyone who knows different...)
Apologies were offered for the problem and the delayed response.
Finally, he mentioned that staff were tasked to get in touch from Friday and they are working through the backlog.
All in all a very satisfactory call. My faith is now partially restored. Full restoration is on hold pending the ultimate explanations received and action taken.
Let's not forget that if this is a CRC issue (which seems likely, but is not proven), then CRC is a victim of crime as much as we are. Let's not punish them for that. If their response proves to be inadequate though: now that is a different matter. Time for CRC to step up to the mark, I think...
PayPal uses unique one-time tokens for a transaction.
No token can be re-used again, to authorise a payment. Can only be used in regards to refunds of the transaction.
At no time does CRC ever know the CC details on the PayPal account.
When you type in your CC direct to CRC.... that's another matter.
Rats!
I got hit too, thankfully I finally decided to read this post and check my account.
They got me too.
Ordered something from CRC for the first time in at least a year and a couple of days later my card was declined due to fraud. After talking to the bank there were 3 attempted transactions that weren't mine; a garden centre, a hardware store and something else.
I had to buy something on CRC today even though my card details were stolen a few days ago. CRC assured me that the problem was over and no one has had any problems since the 8th.
Is this true? Very helpful on the phone by the way.
It's a shame about their piss poor returns dept. XT 10speed cassette needs to be sent back for a week / 2 and it 'might' be replaced. Unfortunately I have a race in the weekend so have had to buy a new one. 🙁
I emailed CRC on Saturday and I received a phone call from them today. Very understanding and helpful, they assured me that they are investigating. Also offered to keep me informed and flagged my account.
Crikey ... 😯
I've had two cards compromised in the last week, both of which have been used for CRC in the space of the last month. I can think of other common purchasers for both, but in light of the length of this thread I thought I'd add my twopenny worth.
Jansey, look at ilkelypeter's post: ordered last night, done today. I'd say the problem's ongoing.
Shock horror, my wife (non-cyclist) has reminded me of the time her account was compromised after shopping in TK Maxx. Damn that CRC.
Had the same at the weekend, phone call from the bank to say over £1000 had been spent at John Lewis and they tried to take another £450 but the bank stopped that one. Card now cancelled and waiting for a refund, had ordered from CRC last week, definitely using Paypal from now on.
I phoned them up today to advise them my card has been cancelled as I have stuff on back order and returned, I got put through to a woman called Linda and asked her what the situation is, I got the same response as Mudglutten got, they are aware of the problem, they have an independent security company investigating the problem and they will be contacting customers. They are aware of the posts on this forum and other forums.
There are a set of standards that retailers have to comply with otherwise the banks refuse card transactions from them. These standards are referred to as PCI (Payment Card Industry) Security Standards. Retailers have to appoint an Accreditor who makes a lot of money, reviews the retailer's security and passes them as compliant.
Depends on the volume of business. You can effectively self-certify up to a level of transactions and wouldn't need to get outside people in to audit that you haven't got unencrypted card details stored. Of course, all you need is a developer who turns on some sort of debug logging and hey-presto, they can skim everything from the system. Not saying that happened here, but it has elsewhere.
xiphon - Member
PayPal uses unique one-time tokens for a transaction
Mostly true. There are ways to do repeat billing transactions with PP but they'd show up as CRC doing another transaction so it wouldn't be a random punter (even assuming PP cleared CRC for reference transactions). So yeah, another person who deals with payment systems 😉
Luckily the last time I bought from CRC was 2007.
Got home today to a letter from Egg telling me my existing card was being cancelled as of tomorrow. I have bought recently from CRC but last time was via Paypal. Seems they are being ultra-careful, but I am annoyed that I am now put in the position of having other orders for stuff put at risk as my card won't work.
This has happened to me today, HSBC phoned me advising that £20 has been used to top up a phone.
Used CRC last week so ties in with CRC's security issues.
Brother-in-law ordered new rim last week, got call yesterday to be told £650 had gone from his account etc etc, glad I told him about this thread on Saturday!!
I started the thread "No CRC Security issues" asking everyone who had used CRC recently but had had no fraud on their card to post.
I have now had some fraud on my card.
3 March Card charged by CRC
14 March £1 fraudulent payment to britishredcross - approved
14 March £134.95 fraudulent payment to Carphone Warehouse - attempted twice and declined.
Have used the card for 4 other online payments in the last month as well as for supermarkets, fuel stations, car insurance renewal and Halfords.
Been checking my account since this broke and looks like 2 transactions for £15 have been taken. Will speak to bank tomorrow.
Two questions -
How did the bank know the attempted Carphone Warehouse transaction was fraudulent?
How do the fraudsters use the credit card details? Do they have to make a fake card? Is there enough information from just the details you fill in online to do this?
As others have said, remember that CRC are the biggest victims here - they must be losing significant sales, and it may not be their fault at all.
They got me too! Ordered a number of things from CRC last week and received a call from the bank at the weekend.
Whoever is doing this is never going to run out of credit on their T-mobile account!!
I think an email to CRC is in order.
How did the bank know the attempted Carphone Warehouse transaction was fraudulent?
They get picked up by systems looking for certain types of behaviour, i.e. small initial 'tester' payments followed by substantial ones not to the card holder's address.
I've posted on this thread twice explaining / ranting about this but I believe there's something significant about the way it happened to me.
I initiated the card transaction by email. It was a refund that I had requested from an order that was never delivered.
That to me rules out any Keylogger / Trojan concerns.
If someone had intercepted my details a month previous to my refund, why would you wait till after the refund was issued? It must be pointed out that no other purchases were made in the meantime.
I use Bluepoint A/V btw, which is only one of a handful of A/V programs that picked up the banking Trojans.
If my card details were held on file for a month, where could they be accessed at?
How are the refunds performed? Does CRC do the refund transaction onsite or is it done by a third party off site, i.e. an ecommerce company?
I have no idea I'm just a raggy arsed engineer & biker but it would be interesting to know.
And just got me as well. Not O2 this time (it's a EUR card) but rather two top-ups in Spain and then a couple of hundred EUR on something else.
fluffykittens - Member
Card fraudulently charged with 2*£15 O2 Prepay.
I had identical charges against my card last month but had no recent CRC purchases. Mind you, I always use Paypal for those.
My bank's fraud dept told me it was commonplace right now with gangs often storing card details over a 3-6 month period then using them all in a one off shopping spree.
Got me too. Train tickets in Spain 🙁
I wonder if the plods involved it might explain the surprising lack of meaningful information from the marketing machine that is CRC.
It was a refund that I had requested from an order that was never delivered.
That's interesting. I have something from my order that was purchased on a card that was scammed and has now been stopped and replaced, I contacted CRC about how they would refund my payment as the card has been stopped and this was in the email I got back:
[b]'We would ask you to update your card details in your CRC online account.
Once we have the new details we will be able to process the refund as soon as we process your return.' [/b]
Mmm, not sure I want to do that at the moment thanks! 😯
I did ask if they could paypal me the refund but they didn't answer that, but I might insist.
Can I just say - having just read the first 2 posts of this thread - I had 2 £30 charges for O2 prepay too.
Thank you and good night.
We would ask you to update your card details in your CRC online account.
I didn't think that CRC held any details other than the billing address; hence one always has to input card number/expiry at the point of order. There is no facility that I can see for storing/updating card account details on CRC.
There is no facility that I can see for storing/updating card account details on CRC
Yeah, I can't see anything either, I'm sure there used to be? I think someone else posted that the 'remove card details' option was no longer there, when my card got scammed it was one of the first things I did but when I clicked on it it stated no card details held, think I'll email CRC back and see what they have to say?
[quote=stu1972]I initiated the card transaction by email. It was a refund that I had requested from an order that was never delivered.
That to me rules out any Keylogger / Trojan concerns.[/quote]
Never send credit card details by email. It is not secure. It is like writing them on a postcard and posting it.
Nobody can dispute CRC are potential losers here. But the decent thing would have been for them to have fessed up and emailed all their recent customers days ago. And put a notice and apology on their home page.
Yeah, I can't see anything either, I'm sure there used to be?
Not that it means a great deal, but I can't remember CRC ever storing card details (other than a billing address). I have a vague memory of an explanation somewhere that not storing card details was a part of their online purchasing security. Cards are verified at the point of purchase and have been for as long as I've used CRC, which will be four or five years.
Maybe they don't store any details online or in online account information, but I'm just curious now as to how they can make refunds then, I'm guessing they must have something stored somewhere? How do they refund to my account without the card details I paid with? (unfortunately this is the first time I've returned something as it's the wrong size) ❓
They should just be able to refund to the bank with the transaction ID that came from the purchase.