Forum menu
Reading the info on o2 that Mark posted it's hard not to conclude they have been very happy to turn a blind eye to fraudulent "test" purchases of airtime for more than 10 years.
How can such a big company get away with this sort of nonsense for so long?
Then I had a problem with my XT 10speed cassette, one of the sprockets snapped. CRC warranty dept. said nothing they can do and I'd have to purchase another one. As I’m doing the Gorrick race this weekend I was in a rush to get a new one. CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy's card has just been cloned (15th) and £400 was attempted at John Lewis!
It's clear that they don't want take a short term hit on profits but the long term damage could be a lot worse, and I hope it is the way they are behaving. Anyone emailed Watchdog yet? 😀
I realise that Mark is seeking to redress the balance against a mob convened kangaroo court, which is quite understandable.
However, I got scammed nine days after using my card at CRC. I haven't used my card anywhere else in the last four months, nor do I do any online purchases on anything other than a secure PC which is regularly swept for malware and viruses.
I do understand that a web security breach at CRC may not be entirely under their control, especially if they sub out their payment processing. That said, as a customer I will be thinking very carefully before making any purchase from CRC in the future and I'll feel an awful lot more comfortable when the full circumstances of these breaches are in the public domain.
Well - I stood up in the initial few posts on here and said no way it's CRC (probably related to why I no longer work in IT).
As luck would have it I got a new card today (new number, start / exp and c v v). I've no real need for it (or used the old one in months / years). Should I go and buy something from CRC and see what happens?
Just seen this thread, not the biggest forum follower, and last monday 7th bought ticket to marathon race in july on CRC, late next day i get all call from bank about attempted £30 O2 top up. full credit to My bank, Lloydsttsb for alerting me, as usually their a shower of s***. will be much more careful from now on. take care out there.
Well, guess what.
After posting this link round mates and finding out one of them has been scammed, I have just checked my online accounts. And lo, 2 x £15 O2 prepayments have been processed on 15 March.
HOWEVER - this is my DEBIT account, this is absolutely not used for online purchases, my CREDIT card I use at CRC seems ok (last crc purcahse 19 Feb).
In fact all purchases (online and over the counter), of any description, are run through my credit card.
Other than big companies like IPC media, virgin media etc.. for DD;s the only other internet companies that know my debit account details are Paypal and topcashback.
I have never used my debit card to purchase from crc....maybe it is a coincidence and just a massive scam?
Thankyou to the OP though, you made me proactively check and spotted it when it was only £30. (no proactive phone call from lloyds for me though)
[b]Mark[/b] it is a good and honourable thing that you are doing trying to put a different viewpoint here, but it does rather ignore the fact that the Credit Card houses themselves have - according to lots of posts here and elsewhere - recognised that there is a particular problem with CRC at the moment to the extent that they are pro-actively cancelling people's cards, and are able to guess at CRC being involved when people ring up to report scamming?
Given that this is really a bit of a bike news story now - and that you are a journalist writing for a constituency of 470000 unique users a month - what other than an admission by CRC would it take to make you put something about this on your ST home page?
There's no way I'm ordering anything else from CRC until they come out and say what's happening.
road.cc have essentially said that until CRC fess up, they won't be writing about it. Theres nothing on Bikeradar either so it's not just Singletrack. Someone needs to be getting the message out wider that there is a legitimate concern that the CRC credit card payment process has been compromised (by all means tell people to pay with Paypal of course).
I'd threaten to not buy any more from CRC but I've not bought from them since 2007 so I guess I'm not a key customer
Again, all this tells us is that O2 Prepay transactions appearing on bank statements as a prelude to larger transactions is not exclusively a cyclist problem. It's a small piece in the puzzle but it's a piece regardless.
[b]Mark[/b], just because there is a lot of people here with 02 problems does not mean this is the only thing it tells you. I'm actually surprised it seems most people here are noticing the fraud on their own, but I guess that says more about your banks then anything else...
In Finland on the biking forum the CRC thread is not full of people noticing dodgy transactions, it's full of people who have been contacted by their banks notifying them that their cards have been disabled as a security measure because they believe the card info has leaked. I guess this is a difference between how these cases are handled between our countries (in Finland the customer will never end up paying, rather then banks will suck it up, hence they are quite quick to respond).
The only common denominator between these people is that they have purchased from CRC, actually there are several who have not used the credit card for anything else.
I don't think there is really any doubt here.
(in Finland the customer will never end up paying, rather then banks will suck it up, hence they are quite quick to respond)
The banks customer [b]always[/b] ends up paying somehow - they will factor in these costs into their business model.
Mine done as well. A 98Euro spanish rail ticket was purchased which drew attention to Natwest who promptly stopped my card. Since the CRC order, there's been 1 amazon order, a couple of Sainsbury internet orders & 1 orange mobile top-up and the rest are normal high st / petrol station transactions; so a link can be drawn to CRC. Maybe it is 2+2=5, but a link none the less.
Whilst CC fraud happens all the time from various sources this is looking more and more like a compromise at CRC. If it turns out they've stored CC data in a database unencrypted (a la Lush) I hope the PCI come down on them hard. I've been involved in securing banking and insurance company systems and there are some fundamental things you need to do and stuff like DB encryption is relatively cheap so there's no excuse.
Assuming it wasn't an inside job then the entry point into CRC would be interesting to know as well (but will likely never be revealed). If it was a sophisticated zero day exploit then fair enough no system is 100% safe (that's why you do defence in depth and encryption) but if it used a known exploit down to lax security management then I hope there will be P45's issued.
+1 FuzzyWuzzy
Just got off the blower to CRC after sending them an e mail last Thursday .They are still working on the cause and as soon as they have any news will be contacting people and posting statements on line .
The banks customer always ends up paying somehow - they will factor in these costs into their business model.
It could also be the shop who ends up paying...
CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy's card has just been cloned (15th) and £400 was attempted at John Lewis!
So in Janesy's case, after having his first card cloned he was assured that the problems were resolved. Then low and behold the second card he puts through them is also cloned.... So what's the probability of that happening by chance..... 😯 !!
Just had my card hit with £2500 John Lewis bill. I've only used this particular card once in the last year (three weeks ago) and it was buying from Chain Reaction Cycles. Thats not to say that the card details were not harvested before that but...
Got hit this morning for a few small tester transactions. Card company called me - which was good of them.
Credit card order to CRC on 6th March - card only used abroad apart from this transaction (scammed transactions were domestic BTW).
Amusingly, the fraudulent transactions seem to be from a provider of payment services for adult sites.
(in Finland the customer will never end up paying, rather then banks will suck it up, hence they are quite quick to respond)
As I understand it, any fraud using a credit card or visa/mastercard debit card is paid for by the bank (or charged back to the retailer). We all pay for this protection through high card charges for retailers that are passed on in the price of goods purchased.
Lloyds have told me I need to fill out a fraud form they are sending me, and return to them within 14days or they won't refund me the dodgy transactions.
The missus has checked her cards & accounts and they are fine so pretty sure it isn't a keylogger on our laptop.
It's been reported on theregister this morning:
[url= http://www.theregister.co.uk/2011/03/17/cc_fraud_follows_bike_store_purchases/ ]TheRegister[/url]
Thanks for that link to a news item Farmer John.
Because of what I regard as Chain Reactions tardy response, I've been sitting on my hands forcing myself not to contact responsible agencies / journalists etc. What has stopped me doing it is that I am Northern Irish, which means I apply some 'local bike shop' goodwill to Chain Reaction. Another thing that really narked me are these suggestions that a Chain Reaction director has implied or even stated that the problem lies on customers PC's - key loggers etc. Not very likely as I run linux.
Something else is bugging me - why aren't Singletrack running this as a news article? What matters more, informing readers or protecting advertisers?
Another thing that really narked me are these suggestions that a Chain Reaction director has implied or even stated that the problem lies on customers PC's - key loggers etc. Not very likely as I run linux.
Not going to go back through the whole thread, but was this actually the case? I thought the dude who said about weaknesses on user PC's was actually the guy who ran the IT company CRC use?
Waderider - Mark's post [url= http://www.singletrackworld.com/forum/topic/is-mtb-journalism-proper-journalism/page/3#post-2385072 ]here[/url] explains why they've not put it on the front page yet.
Thanks WackoAK - I don't think that is a reason for not having a story. Regarding the director stating the problem with users PC's, it is something I have read on several places on the net. So yes, it could be rumour and lies.
We have asked CRC for another update. As soon as we have something new to report we will.
just been on the phone to my bank (nationwide) and they are stopping all cards that have had transactions with chain reaction cycles in the last 10-14 days, compromised or not.
They are also being investigated by the bank, so I have been informed.
[quote=Jamie]Not going to go back through the whole thread, but was this actually the case? I thought the dude who said about weaknesses on user PC's was actually the guy who ran the IT company CRC use?
The poster was claiming (not directly... but their name + location indicated so) to be the MD of the company "Export Technologies", who provide the e-commerce platform.
CRC carefully worded a response to STW, neither denying nor confirming the above to be true.
Hi Folks
Just want to give you an update as you may have missed our earlier statements.
[b]What do we know?[/b]
We know that some of our customers have experienced credit card fraud after placing an order with CRC.
[b]When did we find out?[/b]
Senior staff in CRC where alerted to forum comments on Sunday 6th of March. We immediately began our investigations enabling to release information via community forums on Wednesday the 9th, acknowledging that we were actively investigating the situation.
[b]How big is the problem?[/b]
So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly and via forums equates to under 0.1% of on-line orders placed In that same time period. However, we understand that for those effected this is of great concern and as we take our customer's security extremely seriously we are taking all the steps we can to understand what has happened.
[b]What steps have we taken?[/b]
CRC have employed one of the UKs leading internet security companies to carry out immediate and full forensic investigation into CRCs infrastructure. This investigation has so far uncovered no evidence of any breach. We are also fully engaged with our card processing companies and the card schemes. This investigation is still underway.
[b]Card Re-issues[/b]
Purely as a precaution, Card Issuers may make the decision to reissue new cards to recent CRC customers. If your card is reissued it does not mean that your details have been compromised but the banks take an ultra cautious view on this as the cost of re-issuing a card is much smaller than resolving any potential issue in the future.
[b]When will CRC have more information?[/b]
We are working round the clock to get an understanding of what has happened; as we get greater understanding we will continue to keep you up to date and intend to issue a further updates over the next week or so.
[b]Can you order safely?[/b]
So far the investigation has uncovered no evidence of any breach but if you want to order on CRC without CRC being in contact with your credit card details then choose Pay by PayPal and checkout using your credit card via the PayPal express checkout.
[b]Please contact us directly[/b]
We want people who have been directly affected to contact us so we can personally update you by email. Please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.
Thanks again for your patience and support
Michael Cowan
CRC Senior Management
crccustomersupport, my bank has told me they have blocked all transactions with CRC so I couldn't order again even IF i had 100% trust in you!
Thanks for the update.
So far the investigation has uncovered no evidence of any breach
do you not consider the many many people on here who have issues seemingly as a direct result of giving you their custom as evidence?
It's noticeable that CRC still don't say whether they have themselves reported the significant volume of fraud to the Police.
Oooh, made it onto the Register!
[url= http://www.theregister.co.uk/2011/03/17/cc_fraud_follows_bike_store_purchases/ ]here[/url] How exciting!
email sent
lets see what they come up with
there's absolutely no reason to assume that this is purely an IT related issue......
equates to under 0.1% of on-line orders
Somehow I don't believe you.
If it's high enough to make the banks aware of it, I would put that figure FAR higher. Unless you process something like 100 million transactions year...
Remember to encrypt the credit card database next time, alright? 😉
nicko74:
Oooh, made it onto the Register!
here How exciting!
Look [url= http://www.singletrackworld.com/forum/topic/crc-security-issues/page/16#post-2385480 ]up[/url] dude.
Very brave of CRC to come on here and comment. Well done.
However, two things;
1 - As mentioned above,
do you not consider the many many people on here who have issues seemingly as a direct result of giving you their custom as evidence?
and 2 - I still find it astonishing that an issue affecting so many mountain bikers/cyclists has not been reported officially by a mountain biker/cyclist focused website which [i]" delivers a daily dose of mtb news and opinion"[/i]. This is both news and opinion and has been running for some time now.
While I appreciate that Mark is trying to [s]protect the ad revenue[/s]wait until all the facts are in etc, that's not really how "news" works. You can report what is happening, with all the relevant caveats of course, but surely something like this should be reported? Amazing that a site such as El Reg reports it before STW.
While I appreciate that Mark is trying to protect the ad revenuewait until all the facts are in etc, that's not really how "news" works. You can report what is happening, with all the relevant caveats of course, but surely something like this should be reported? Amazing that a site such as El Reg reports it before STW
Marks comment on 'publishing' the news story of CRC
http://www.singletrackworld.com/forum/topic/is-mtb-journalism-proper-journalism/page/3#post-2385072
Yes, I too had my card compromised after making a couple of purchases from CRC in late February. Halifax Financial Services were on the ball and called me. Card was cancelled and a new one issued, which took about 5 days. No direct evidence of a link with CRC but in the light of the foregoing, it is suggestive.
hopefully everyone who has had this problem will actually tell crc about it.
their 0.1% figure may be based on direct contact, not us lot bitching on here.
their 0.1% figure may be based on direct contact, not us lot bitching on here
Good point.