I find it hard to believe a website of the size of CRC would be subject to a SQL injection attack
Company size has very little to do with vulnerability. Might even make them a bigger target with hackers. SQL Injection, Cross-site scripting, buffer overflows, etc. must surely be one of the biggest and most common reasons for all the patches and updates.
Will admit I've not done any pen-testing for years, but some of the bugs out there online are insanely dumb and easy to crack. Some are documented and not patched for months, others get reported, patch made available, and the hackers are defacing sites within hours, before updates can even be applied.
I find it hard to believe a website of the size of CRC would be subject to a SQL injection attack
Believe you me the hackers out there are REALLY good. I have spent years developing very secure sites working with sensitive information and we wrote layers of security traps to counter SQL injection. We also employed white hats to attack the site and find any flaws that we may have left in. They were able to do some really scary stuff and I learnt all about blind SQL injection as a way of enumerating database information. This was a result of a one-line mistake by one of our devs. That is all it takes, one simple coding assumption and you have had it.
We have a Dev here at work who has a strong interest in web security - he pen tests his own work sites, to see how far he can get from 'the other side'. It's a fascinating art.
About 5% of the time, he can get in - so he re-writes the code, and tests it again.
I would not be surprised if Export Technologies IRP software had numerous security holes/bugs, yet to be discovered by their own team.
Doesn't using stored procedures for all db access, rudimentary user input checking plus having a decent security object security setup on your database eliminate SQL injection attacks?
sheffield43: no, it mitigates against them
All this so soon after the antichainreaction website springs up, suspicious eh - I mean there is a Spanish connection with some of the rail tickets being bought.
*please be aware this post is not at all serious, there may be an attempt at subtle humour.*
CRC turned over £77 million in 2009. This is information in the public domain. I have no idea how accurate the following is so it's totally open to debate but we can play with some of the numbers and use them to narrow down to the unknowns. Then we can plug in made-up numbers and see if the answers meet our expectations.
Around £6 million a month in orders
Average order value say £25... or £50... or £100? Let's take these 3 and see what happens.
6 million/£25 = 240,000 orders a month.
@ £50 = 120,000 orders
@ £100 = 60,000 orders
0.1% of 240,000 = 240
0.1% of 120,000 = 120
0.1% of 60,000 = 60
We have on this site 158 complaints. That sits between average order values of £25 - £50 but we can't assume that those 158 are all the complaints. There will undoubtedly be more.
The largest unknown is the average CRC order. I could be all over the place with my guess. Maybe a straw poll of readers last purchase values will help us narrow that down to a more accurate figure. Anyway, I think the method is sound if not all the figures within it. The other unknown is how representative our 158 complaints are of the total complaints. These two figures are open to debate and supposition.
well make that 159!
Just joined to say that I've been done as well. Ordered a £6.99 tyre on the 8th then had a transaction on the 12th (showed up on the 15th) for £187.02 for some posh fruit drink from America!
NatWest refunded me that day & know about the CRC frauds. Phoned CRC who won't admit it is something to do with them (yet) but they are investigating.
no, it mitigates against them
So is it impossible to implement a secure payment portal that's invulnerable to SQL injection attacks (specifically)?
While everyone is discussing 0.1% or whatever it equates to, in terms of CRC client numbers, which is agreed that if you are servicing 5-10,000 orders a day, on an estimated £90-100m annual turnover, is 'minimal,' has anyone simply added up the various defrauded values in total from this forum? Any forum?
That may focus the mindset of the subdued cycling media ?
It's often reported fairly quickly when CRC were the victims of various thefts...
http://www.chainreactioncycles.com/News.aspx?NewsID=1532
http://www.singletrackworld.com/2011/02/nigel-page-has-seven-bikes-stolen/
Forgive the criticism, but card fraud, credit, debit or however produces a victim, whether that's CRC, the customers, or collectively, all of the shoppers who ultimately end up paying for the crime by increased costs at all levels.
(unsure whether debit cards users, are generally protected/notified as to the rights of credit card users?)
'Cycle Outlet falls victim to/suffers credit fraud of x pounds' may have more of an 'impact' in capturing the focus of this thread, rather than a standardised line of 'a minute percentage of our daily customers relative to our large sales suffered an inconvenience'. Meaningless insulting corporate drivel.
So is it impossible to implement a secure payment portal that's invulnerable to SQL injection attacks (specifically)?
That is not what I said. The common misconception is that you implement stored procedures and bingo, don't worry about injection. But if your procedures are crap then vulnerabilities will arise; I can show you examples if you like of poor coding that will lead to this. I've also seen security classes that have introduced vulnerabilities and all sorts of other tosh. The number of times I've heard people say "Oh.. we are safe from that because we've implemented <insert fashionable security package X>"... when the safest path to a properly secure site is to design security in from the ground up AND constantly review and attack the source code.
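An added illustration of the point above (not code from the thread or from CRC): a "procedure" that builds its statement by concatenating the caller's value, beside the parameterised form a code review would require. The orders table, its rows and the tautology test input are constructed sample data; the function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample standing in for a shop's orders table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 6.99), (2, "bob", 187.02), (3, "carol", 25.00)],
    )
    return conn


def orders_for_customer_unsafe(conn, customer):
    # The pattern the post warns about: the "procedure" assembles its SQL
    # from the caller's string, so the input is parsed as part of the query.
    sql = "SELECT id, customer, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_for_customer_safe(conn, customer):
    # Parameterised form: the driver binds the value; it is never parsed as SQL.
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Standard review test input: a quote that closes the literal plus a tautology.
TAUTOLOGY = "' OR '1'='1"


def demo():
    # Returns what each form yields, so a reviewer can compare the two.
    conn = make_db()
    return {
        "unsafe_normal": orders_for_customer_unsafe(conn, "alice"),
        "unsafe_tautology": orders_for_customer_unsafe(conn, TAUTOLOGY),
        "safe_tautology": orders_for_customer_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenating version returns every row for the test input, which is exactly the symptom a review should catch in a stored procedure that executes a dynamically built string.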
Got a mention in El Reg today.
http://www.theregister.co.uk/2011/03/17/cc_fraud_follows_bike_store_purchases/
That is not what I said. The common misconception is that you implement stored procedures and bingo, don't worry about injection
Fair enough.
I just saw that Cougar, its news now, personally I've not had any problems, but then I've not bought from CRC for about a year and a half, only because I'm skint though 😀
That is not what I said. The common misconception is that you implement stored procedures and bingo, don't worry about injection. But if your procedures are crap then vulnerabilities will arise; I can show you examples if you like of poor coding that will lead to this. I've also seen security classes that have introduced vulnerabilities and all sorts of other tosh. The number of times I've heard people say "Oh.. we are safe from that because we've implemented <insert fashionable security package X>"... when the safest path to a properly secure site is to design security in from the ground up AND constantly review and attack the source code.
Bingo. We run a pretty busy website with hundreds of millions of monthly clicks. We get attacked a lot so we try to stay on top of things. We have many layers of security, but all it takes is one tiny mistake to open up a hole.
So basically you have to try to stay on top of it, and keep maintaining quality. Unfortunately the one who actually wrote the code might easily not notice it. Automated tools might not notice it, and often cost 10000€ per year per computer. Maintaining a team of people just for that is also quite expensive.
I would imagine cases like this will force them to reevaluate how they handle their security. Generally security is seen purely as an expense. You talk about risks, but they are hard to quantify. The only clear thing is that your developers will be doing something where the benefits (from management's point of view) are not as clear as when they make a new great feature which will directly affect sales. However, when a risk materializes it actually wakes people up, and forces management to divert development effort towards increasing security.
I need to order something, can't get it from anywhere else, so is it safe to order from CRC? I don't have a Paypal account.
Confused C_G
C_G
No, there has been nothing at all to suggest (let alone confirm) that it is safe <EDIT> with a credit/debit card </EDIT>.
Paypal does appear to be safe and doesn't take long to set up. I'd suggest you go down that route if you have an urgent need for bits.
<EDIT> I've NOT been stung, bought loads, including during suspect period, but always through Paypal </EDIT>
cinnamon_girl - Member
I need to order something, can't get it from anywhere else, so is it safe to order from CRC? I don't have a Paypal account. Confused C_G
Yes, it's safe - if you don't mind paying for a hotel in France and some O2 Top-ups.
Suddenly CRC doesn't look so cheap....
I don't think you need a PP account to use it with a retailer
I'd stick with PP for now TBH
Yes you can use PP without an account - so you can do that to avoid using their credit card system.
Select Paypal as your payment option at Checkout... you are then taken to the Paypal website to log in to your Paypal account. However, if you don't have an account there is also a 'Don't have a Paypal Account?' link on that page. Click that and it will take you to a page where you can use a card for payment. Your card details will then be handled exclusively by Paypal and not the retailer.
There is also a "bank transfer" option. Was that always there?
keep checking your credit card statements.
It sounds like the details have been sold on far and wide and are still being attempted.
Thanks very much for helpful replies. 🙂
Some of you guys may be baffled by the geekspeak in some of the more searching postings here. All you need to know about SQL injection attacks is [url= http://xkcd.com/327/ ]here[/url].
I'm too scared to click on that in case my SQL gets injected.
harman_mogul - thanks for that. That's another evening wasted then 😥
Yes, it's safe - if you don't mind paying for a hotel in France and some O2 Top-ups. Suddenly CRC doesn't look so cheap....
lol, so true
PayPal is refusing to let me pay at ChainReaction - though it's fine elsewhere...
Been stung here too. Order placed last Sunday, phone call from my CC company the Friday after. Again some O2 top-ups in Slough. Reluctant to ever use CRC again.
Plus now signing up with paypal. Though one question I did look but do PP charge for transactions? I saw a charge of 3.4% but not sure if that was for buying from online retailers.
Just read this, perhaps it is not totally Chain Reaction Cycles fault....
[url= http://www.bl0g.co.uk/o2-uk-ltd-prepay-slough-mobile-phone-scam.html ]perhaps it is not CRC fault[/url]
PS sorry if this has been posted before.
I was wondering something along the same lines, i.e. if it may not actually be CRC but we think it is because we have been scammed AND have used CRC. The problem being that the stats are heavily skewed because if you are on this forum there is a good chance that you have actually used CRC recently, so the CRC link is from being a forum reader and not from them being the source of the scam?
No, it's CRC, they have admitted it to me on the phone.
blades2000 - but to use O2 you have to have card details. Have you read the entire thread?
blades2000 - but to use O2 you have to have card details. Have you read the entire thread?
I'd rather have my card cloned
Hmmmm an interesting one. I ordered something yesterday from CRC and used the Paypal credit card checkout, all went through. Last night I tried to order online from a well-known music/dvd etc retailer and my card was rejected.
This morning I received a call from my card provider to say that it had been flagged up (I have used this music retailer before with this card) and there had been some fraudulent activity involving them. My card has therefore been cancelled and am awaiting a new one. 🙁
I ordered something yesterday from CRC
I won't be using CRC for the foreseeable, even if I could pay by sending them gold plated wood cuttings.
allthepies - I did ask the question yesterday as I don't have a Paypal account and was advised of this alternative method.
Thing is, we had this with another equally well-known retailer a couple of years ago.
£292 of my hard-earned bought tickets on French railway!! luckydog no longer, it seems... although HSBC refunded whilst they investigate. Bought from CRC the day before...
Janesy - Member
blades2000 - but to use O2 you have to have card details. Have you read the entire thread?
Nope, not read the entire thread, however the article I linked to suggests that they don't need a card number as these are only computer generated, i.e. they generate their own numbers and test them out. Therefore all I was suggesting was that it may have been the case that CRC was not hacked; however further posts seem to indicate they might have been.
Thanks for informing all of us. We can now only hope that the culprit/s are caught.
I believe O2 have updated their systems - someone earlier in the thread mentioned you need house number or postcode as well. Not being an O2 user I can't confirm this...
However, I can use the internet. From [url= http://www.o2.co.uk/webtopup/helpwithtoppingup ]their site[/url]
There is no registration process involved, all you need is the mobile number you wish to Top-Up and a valid credit or debit card to follow our easy to use 3 Step process.
Step 1
Just enter the mobile number you wish to Top-Up, the credit/debit card type and the amount you want to Top-Up by.
Step 2
Enter your credit/debit card details and registered billing address.
Step 3
Confirm your Top-Up request.
So billing address is needed... therefore random card generation won't work.
Thanks for clarifying that beej. Now I wonder if that means O2 will be able to help catch the right people or if we have no hope. 🙁
I don't think O2 will be vaguely interested in chasing the culprits, wouldn't think the cops and banks will be either unless it's a serious amount of cash.
beej, it only checks the numerics in the address and postcode.
Well I got stung with this on Tuesday while I was in Turkey, they topped their phone up the gits. Had to cancel the card so no funds for duty free!! Not impressed one bit.
Gonna contact CRC to cast my opinion.
My wife bought me a top from CRC at the end of Jan and 2 days later her email account went a bit haywire, sending out random email to everyone in her address book.
It has since stopped but is this just coincidence that it was 2 days after her CRC payment or could they be linked? Has this happened to anyone else that knows they have had their bank account copied too?
Her bank account doesn't appear to have been touched.