[Closed] No CRC security issues?

Too many common fraud occurrences to be coincidence IMO.

Not me though - I use paypal.

I used CRC about 2 weeks ago and checked my account the other day when the other thread popped up. No fraudulent transactions on my card.

Used on sunday and no fraud, but also no parcel !

What happened to their great service ?

Too many incidents to be a coincidence IMO also.
Also, it's not just this thread/forum is it? Isn't there a similar thread on bike radar?

Used them on Saturday, no parcel yet, but no fraud either (been checking it religiously out of paranoia)!

Fingers crossed I'm one of the lucky ones!

i used them last week but paypal so im safe(hopefully)

frankly im amazed so many people still enter their cc details every time they order, not only is it easier to be scammed but its hassle too!

No fraud on my account, I've used them a fair bit recently but always with PayPal. Didn't Wiggle have a similar problem a while back, one of the first things they seemed to do in response was to set up PayPal checkouts? I tend to use PayPal wherever I can now. I shall be keeping an eye on both my bank account and PayPal account though, just to be sure.

I'm not sure I'd agree that there's no CRC connection though, like others have suggested, there seem far too many problems for it just to be coincidence.

There's been people who've had fraud on their account straight after a CRC transaction, with accounts that barely get used and for a couple of folks for accounts that haven't been used for anything else (apparently, usual internet disclaimers aside). That's pretty conclusive.

It should only amount to inconvenience for people though, credit card protection is pretty good.

Yeah it's not just here but bikeradar pink bike and others prob well in excess of 100 people now? That's too big a coincidence to be no connection shame because I need a load of bits but not risking it at the mo even with paypal

Thread on Bikeradar has a fella claiming he has spoken to CRC & they are aware of the security issue...

Just spoke to chainreaction. They are aware of the situation and their security team are aware of the situation. Chainreaction does look like the platform for which the details have been stolen. I urge anyway who has used chainreaction to check their account or contact their bank immediatly.

There are apparently people on other forums who used new cards for the first time with CRC who it's happened to.

Can't be coincidence

Here's some stats I'd like to see...

How many people have used CRC in the last month and how many have experienced card fraud?

The other thread contains 111 individual people's posts. Not all reported fraud. So lets say that 80 people have reported fraud on their accounts.

The issue you have to bear in mind is how many of us on here will have used CRC in the last month. Considering that in the last month over 470,000 people have been to this website. This being a mountain biking website it's highly likely that many tens of thousands of those visitors have used the services of CRC in that time since CRC are the single biggest online retailer of cycling accessories. So far we can say that around 80 people from that group of thousands have experienced fraudulent activities on their accounts. If say (and this is a total guesstimate) 10,000 people have visited this site who have shopped at CRC (2% of site visitors) then 80 reports equates to 0.8%. I'm inclined to think that in the last month many more than 2% of our visitors have shopped at CRC and so that 0.8% to my mind could be a lot smaller.

However, you spin these numbers, so far based on the very anecdotal evidence of people posting on a cycling forum, it's a very small proportion of users who have had any issues with payments.

So far all we have is a small fraction of users of this forum stating that they have experienced two things - shopping at CRC (which is not surprising since this is a bike site) and card fraud. Naturally with each person reporting that they two have shopped at CRC AND experienced some kind of card fraud this appears at first glance to add weight to their suspicions. Whether there is a link between the two is questionable in light of such a tiny sample of data.

http://en.wikipedia.org/wiki/Post_hoc_ergo_propter_hoc

A happened before B and therefore A CAUSED B

But then I spend a large proportion of my day looking at numbers and finding trends - That doesn't mean I'm not wrong. But it does make me very wary of drawing conclusions based on what at first glance looks like evidence.

I noticed that Rosebikes have the option to pay via bank transfer which I thought was quite good. That way you only have to enter details in your online banking. If in Germany i guess you could even pop into the bank and pay.

Good post Mr Grumpy... love a bit of statistical explanationing 🙂

Cheers Mark, bit late though I'm sure I saw a rush on Pitch Forks and Ferry tickets!!

470,000 have been to the website in the last month? I doubt it personally, 470,000 visits maybe but they're not all going to be unique (I'm on here every day for a start); how many registered users are there on Singletrack? The fact that other people on other forums appear to have reached the same conclusion, apparently independantly, seems telling too.

It seems a significant number of problems to at least make you think about it carefully.

What an excellent intelligently though out thread. We could start another one asking how many people have driven over the limit without any negative effects, conclusively proving no link between drink driving and accidents.

Mark, your stats dont disprove that there may be risk using CRC.

Even one suspected act of card fraud is enough reason for people to wake up to security, check their cards and use safer methods of buying.

+1TuckerUK

It doesn't matter how many folk have been hit. The fact it is happening should get people in caution mode. Instead we see a post from the web people who are sponsored by the shop with the apparent problem telling us it isn't really a big issue...

What am I missing???

It is a problem and it needs resolved. As much as it is 80 people here, that adds up to a fair amount of cash for a shop. If they go elsewhere then it is a loss and likely to get felt somewhere along the line...

470,000 people visited Singletrack website?
I suggest you have a holiday away from your numbers...you are hallucinating my friend!

I used it last week, and so far no fraud.

Wasn't part of it todo with using a voucher code (which I didn't)?

@Nickname - Took about a week and a half for my card to be used. I imagine they're working they're way through all the cards they've swiped. The ****ers.

CRC have replied on the other thread

Hi everyone,

Apologies for the delay in responding to the concerns you have expressed. We do take your comments very seriously and we understand the worry and frustration caused by credit card fraud. We would emphasise that the number of concerns brought to our attention is a tiny fraction of the number of transactions that we process on a daily basis, but no stone will be left unturned in our investigations.

Our own infrastructure is routinely and independently tested and we are confident that it is robust. We are working with industry experts including the card processing companies to identify possible causes both inside and outside the control of CRC.

We will update you with further information as and when we have it. In the meantime, if you are a customer of CRC and have been recently affected by any of the matters discussed, please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.

The CRC Team

Those 470k visitors are verifiable and from google analytics. To be clear that's 470,000 VISITORS! Visits is a much larger number.. as is the 7.5 million pages we deliver every month.

Here's the actual numbers straight from todays Analytics report...

7.74 million page views in the last 30 days
1.3 million visits
476,286 visitors

In January we delivered 40 million ad impressions.

On monday this week this site logged just short of 47k visits by 31,145 unique visitors. BTW that makes this monday the busiest day on our site in our ten year history.

Anyone who would like to see our actual reports live then I'm happy to show them via our analytics account if they want to call in at the office 🙂

These are huge numbers. But they are dwarfed by CRCs traffic figures. I don't think many people realise just how many transactions CRC deal with as a result of the enormous traffic figures their site gets.

placed 4 orders on sunday
1 arrived yesterday 3 arrived today.
no problem with crc ever, either with c/card or paypal.

Did you all take advantage of the £10 money off voucher? That's where I think things happened.

Dirtbiker - I didn't use the voucher, was only a £10 order.

Good post from Mark, and good to see a response from CRC too.

TuckerUK - Member
What an excellent intelligently though out thread. We could start another one asking how many people have driven over the limit without any negative effects, conclusively proving no link between drink driving and accidents.

Err no. The other thread is trying to prove a link between the two based on circumstancial evidence. This thread is trying to point out the flawed logic in trying to establish such a link using forum chatter.

To those who say "use safer methods of buying" as far as I'm concerned credit card is completely safe. If my card gets scammed I call the issuer and they refund it. I have two cards so that the inconvenience of the card being cancelled is cut out. Having said this only two cards of mine have been cancelled for fraud in 12 years, and I use them both loads all over the place.

Two possibilities ...

1. Security breached at retailer.

2. Individual PC infected due to visiting pnro sites.

Took about a week and a half for my card to be used. I imagine they're working they're way through all the cards they've swiped. The ****ers

Generally Cards are sold by the 1000's to organised criminals, lots seem to wait a few months so that the source of the detail theft cant be traced easily (so I read) which makes a lot of sense - like most things no point shutting off the supply

[b]Mark[/b] That's ip addresses isn't it rather than actual people? Still pretty good. I access the site and forum by 5-6 different i/p addresses on average in a given week. And of course some people may be on dynamically allocated addresses - so whilst the numbers look good to advertisers - the idea that 1% of the total UK adult population visit this site in a given month stretches credulity a bit...

As too, sadly does your attempt to talk down what looks like a very clear security issue - which relates to a particular discount voucher issue many of us received (and I didn't use) and which has led to a particular pattern of card fraud even in people with very low card usage. I have not been stung btw, just checked my card.

Certainly there is no proof yet - but there is a slightly suggestive pattern. And your statement that it is a relatively low number of people who have been scammed is based on the assumptions that a) they have discovered it yet, b) they'd post about it on this or another forum.

A cynic would ask if you felt it necessary to talk down an advertisers security issue. I am sure this is not the case.

I used the £10 voucher offer & there's no fraud on my CC.

just wait.... 😉

actually no one has suggested that everyone who used it has been screwed. It will be very interesting to see what the final analysis is. But CC fraud is (news said today) decreasing if anything and this is an interesting cluster...

I take the Paypal option at checkout!
No problems!

LLoyds fraud department called me today to inform me that they had blocked a possible attempt by "global telecoms" to debit £462 from my account.
They mentioned CRC to me as a possible source, not the otherway round. I dismissed it to them, not believing it could be their site as have been using them for years with no problems. Id used them last week.
Got home stuck some coal in the pewder and fired up the forum and was suprised to find it has happened to loads of others. Yeah massive coincidence.

Ok - here's an idea for another thread.

Hands up if you've had a fraudulent transaction in the last two weeks - AND YOU NEVER USE CRC?

I used them a couple of weeks ago. But because of the other thread I thought I should check the credit card statement. Which my wife saw.
No fraud, but I'm now in trouble for spending too much money on toys. Damn!

Stoats...

IP addresses... yes, it's IP addresses but if you are going to count the dynamics then you also need to consider those accessing through a network - at work say - where only one IP will be assigned to many. Yes, IP addresses are NOT actual people but it's the best measure that any website has got right now it's a generally accurate measure - and via Google analytics at least the ruler is the same for almost everyone now.

It's also not 1% of the UK as we are a VERY global website and our traffic sources are very wide and varied.

And I'm not talking down the issue, just trying to add a little rationality to what is at this point in time just hearsay and anectodes and if you consider a relatively small number (it looks a lot but in relation to the sheer staggering number of transactions that go through CRC every day) is a 'clear security ' issue then I'm rather glad you are not a detective or a judge.. You aren't are you?

As for the cynic comment that's just nonsense. You say you are sure that's not the case but you couldn;t help bringing it up. Answer me this.. is my argument irrational or logical? And I'll further remind you that I've not said there isn't an issue with CRC but merely that adding up anecdotal comments on a forum is not the best evidence to hang a judgement on.

There's already almost a consensus that this issue is directly linked to the voucher use and yet reading back through the comments there are several posters who point out that they have lost money and yet have NOT used the vouchers. This kind of suggests that the voucher issue is a red herring, and yet human judgement being what it is (naturally irrational) many people have blocked that out and the opinion that this is linked to vouchers has prevailed.

I'm simply suggesting that keeping calm, cautious and looking at the evidence with care and rational thinking is much more likely to lead us to the source of these fraudulent transactions than simply adding up posts on a forum. Who knows.. maybe there will turn out to be a problem with CRC but it's surely a little early to be sharpening pitchforks.

just found this thread and also read the other one that this is a response to.

I ordered some stuff from CRC that was out of stock a few weeks back as price was good and I was prepared to wait for it to come in. It came in last week and the card was duly charged, and goods have been received.

I was called yesterday by my bank querying 3x20 quid top ups for Vodafone. They also specifically asked me to confirm a CRC transaction.

How does that work then, if companies can't store CC details; I put mine in several weeks ago but they weren't used until the goods were ready to be shipped? Where were they stored in the meantime?

That also to me suggests it's not keystroke logging or the like, seeing as if that was the case then the details would have been ready for use shortly after order was placed, whereas they only got used after the CRC transaction a while later.

If it looks like a duck, walks like a duck, and quacks like a duck, chances are it's a duck.

[img] [/img]

theotherjonv - Member
just found this thread and also read the other one that this is a response to.

I ordered some stuff from CRC that was out of stock a few weeks back as price was good and I was prepared to wait for it to come in. It came in last week and the card was duly charged, and goods have been received.

I was called yesterday by my bank querying 3x20 quid top ups for Vodafone. They also specifically asked me to confirm a CRC transaction.

[b]How does that work then, if companies can't store CC details; I put mine in several weeks ago but they weren't used until the goods were ready to be shipped? Where were they stored in the meantime?[/b]

That also to me suggests it's not keystroke logging or the like, seeing as if that was the case then the details would have been ready for use shortly after order was placed, whereas they only got used after the CRC transaction a while later.

If it looks like a duck, walks like a duck, and quacks like a duck, chances are it's a duck.

Companies are required to be certified if they are processing or storing (or both) details such as credit card numbers.

A company I worked for previously, only had a license to store the CC numbers in the RAM of the transaction server. They were not permitted to write the data to hard disk.

Sounds like CRC have permission to store their CC data in a database - and this server was compromised, either as a direct attack on CRC's website - or an attack on their infrastructure (wireless entry, physical entry, etc)

CRC are big fish, and will have a vast quantity of customers CC details - which makes them prime targets.

I was called yesterday by my bank querying 3x20 quid top ups for Vodafone. They also specifically asked me to confirm a CRC transaction

In a quick google search CRC comes up as a past target for using nicked cards as I assume it has at some point been relatively easy to order stuff to a funny address then ebay the lot

i really doubt its coincendence to be honest - its not as if were talking 2 or 3 people hit - which i could understand the point of this thread...

a whole thread on here with lets say 80 people (and numerous other forums too) have reported fraud after just using CRC within a week or so...now i doubt they have all just used CRC on their CC, but im sure the 80 reported people also dont have the same online virus scanner or lack of to blame the computer they own, nor shopped at exactly the same other online places etc etc etc for it to be considered something else - so it is way more than 'just coincendence' in my eyes...

im not sure how they can combat it, but its definitely lost my trust for the time being....

i bet a pound to a penny in a month we discover it 'was' CRC all along...

[b]Mark[/b] - thanks. I do i having acquaintances who run forums of roughly half the size of this one and understand the commercial pressures advertisers can sometimes bring to bear, and I am typing this into a box immediately beneath a Vitus/CRC advert. But I am glad to hear there is nothing similar here.

Yes - ip addresses are the best measure you have - but I think site visits are a more honest way of describing things than "visitors" which really implies individual people - which is sort of what you implied... isn't it?

It sounds from one or two of the more recent posts that the CC administrators themselves think that there may be a problem with CRC.

But whilst avoiding sharpening the pitchforks - and you don't address either of the assumptions I think you are making btw... - if you had done business with CRC in the last 2 weeks - would you be checking your credit card statement more closely?

[b]Mark[/b] - you're getting confused between 'page impressions' and 'unique visitors'

Both quite different things. One 'unique visitor' could view 20 web pages, each made up of 100 elements (images/javascripts/etc)

1 'unique visitor' = 20 'page impressions' = '2000 individual HTTP requests'

So for the STW figures you posted:

7.74 million page views in the last 30 days
1.3 million visits
476,286 visitors

= 7.74m individual requests
1.3m page impressions
470k individual visitors. <-- the important one

Its nice to see CRC posting a good response.

Still checking my card though, even though I used Paypal - seems people who used it ages ago are now getting done.

i take back what I said.

Had 2 messages on my phone from yesterday from my credit card company.

Brand new card I used for the 1st and only time at CRC and 4 attempts to buy mobile phones. One in America by a Mark P McConnell and some more from Car Phone Warehouse and Orange.

its alright for these journos like Mark though innit, they dont have to get their credit cards out to CRC, they get their stuff free on a Friday 😉
(I am joking Mark)

Seriously though it would seem there is an issue - CRC have said as much on the other thread now, where the issue is or how it happened we maybe dont know, but is that important (and does speculating about it really get us anywhere)? I started the other thread to make people aware when it all seemed to be kicking off elsewhere, how many people that read it may not have been any the wiser if they hadnt seen it and the fraud (wherever it originated from) may have gone un-noticed for even longer, even CRC didnt know originally. So surely thats a good thing, a prime example of a forum like this working for its users?
I don't think anyone is sharpening pitchforks or accusing CRC management of taking details personally, lets face it at the end of the day we are all their customers, we still want cheap bike bits and good service, CRC provide this, we will all be back shopping there once this is resolved. Many companies suffer fraud daily, this could just as easily happen to Tesco or to the little one man online retailer working out of his garden shed, just so happens this time it looks to have been CRC
And as for sizes CRC may be the biggest bike shop in the world and they may process thousands of transactions a day but in wider internet retail they are still small when compred to some others out there (and besides size has no relation to transaction processing security measures)
Using website hits to try and justify that 'its not a big problem' is frankly in my eyes not really on. It doesnt matter if one person or one million people are affected it is still a criminal activity affecting one of our suppliers (they are not a site sponsor or an advertiser - they are that company alot of us rely on to be able to partake in this sport) and the loophole is still there and needs investigating and closing no matter who has been a victim
It looks like CRC and the card companies are onto this now, so Im looking ahead and hoping that next week I can order my chainrings safely, because while the chainrings can wait I really have an urgent need for a big brown box

The other thread isn't a witch hunt its simply a load of CR customers spotting a link and warning others. You cannot measure a issue like this by posts on some random mtb forum its is totally flawed!! The posts on here are likely to be the tip of the iceberg as many people (a)won't have been hit yet (b)not seen their statement and/or not made the connection (c) and many many customers just won't use forums.

If people didn't post what they experienced, then CR would have probably be unaware there was a breach and the fraudsters would continue to cash in. 👿 Now at least they are dealing with the issue, yes bad in the short term for CRC, but good in the long term for everyone. 😉

xiphon,

sorry but there's no mistake.. We don't confuse 'hits' with page impressions. The stats are real. We deliver 7.74 million 'pages'.. that's complete pages.. if we counted the 'hits' there'd be 20 times that figure. 'Hit's' or 'requests' is, as you suggest, a rather loose and frankly useless figure that we never quote.

Count the ads on this page. There's typically 7 ads per page. In the last 30 days we've delivered almost 50 million ad impressions. Those figures are checked and double checked as most of our advertisers pay for them by the thousand (CPM) take that figure of 50 million ad impressions and divide it by 7 ads per page and you get a little over 7 million complete page impressions. Not 'requests' or 'Hits' 🙂

We really do deliver that many complete pages. Stop doing yourself down! You are part of one of the world's largest online MTB communities 🙂

What ads? 😉

7 million? Still quite a way behind PB's 70 million!!

http://radek.pinkbike.com/blog/pinkbike-speed.html

I just placed a big order with CRC last night*. Is my account going to be emptied!?

*Paid by Paypal though...

IIRC PayPal payment does not disclose the CC details to the 'seller' - they use a one-time unique token system.

Buyer has £10 in his basket, and wants to pay via PayPal.

CRC ask PayPal to authorise £10 from Buyers account.

PayPal says "Yes - transaction complete - here is a unique number for this payment collection"

CRC says to buyer "PayPal have said yes, and debited your account on our behalf"

CRC sends items purchased.

PayPal send CRC the money.

Twohats, I did the same, but at the moment it seems only CC fraud. But you may want to consider how your PayPal account is linked to your bank account. Theoretically your PP a/c could be hacked and your bank emptied. At least with a Credit Card you can say it wasnt you, that may be harder to explain to PP.

iv not had any problems and always pay by pp

altho mum used amazon a few years ago and has had a credit card opend up in her name in the states using her uk address.

Twohats, I did the same, but at the moment it seems only CC fraud. But you may want to consider how your PayPal account is linked to your bank account. Theoretically your PP a/c could be hacked and your bank emptied. At least with a Credit Card you can say it wasnt you, that may be harder to explain to PP.

My Paypal is linked to a debit card that is only used online and only ever topped up with the amount needed per transaction. No money in the account = no use to anybody should they obtain any of my details.

Not seen anyone saying they made purchases on Merlin/Wiggle etc then had their cards compromised, surely this has got to be more than coincidence?

I can't help thinking that Mark's first post on this thread was prompted by a phone call that went something like...

[b]Lord ChainReaction[/b]; We've noticed a dip in sales. Do something about it.
[b]STW Minion[/b]; Yes Sir, very good Sir, I'll get somebody on to it right away Sir.

Pure speculation of course. I'd like to see the current spate of [i]reported[/i] frauds put in to context with [i]known[/i] typical fraud frequency.

Not seen anyone saying they made purchases on Merlin/Wiggle etc then had their cards compromised,

I remember when it were all fields round here, and the name "wiggle" could be seen burning on the pyre.

The great wiggle fraud battle of, what, 2008/9?

Stop doing yourself down! You are part of one of the world's largest online MTB communities

Careful, the nicheness-halo might slip! 😀

Anyone had any more issues lately? I bought some stuff from CRC in mid March (from NZ)and found some one had bought almost a grands worth of stuff from a printer ink company in Italy! It's a bit of an inconvenience having to change all the DD and getting the cash back.

This is the first time that i have ever been a subject of CC fraud.

Coincidence, or something more sinister?

I'm not interested in all the stats - is it safe now?

used my card 2 days ago with them.

bank cancelled it just to be safe ! :@

I'm not interested in all the stats - is it safe now?

I got this from CRC. They think it is resolved.

[i]Hi,

Following your recent contact with us and concerns about having experienced credit card fraud, we are pleased to be able to give you further feedback.

The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.

The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.

We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.

PARAGRAPH REMOVED ABOUT MY VOUCHER

Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.

Thanks again for your patience and support,

Michael Cowan
CRC Senior Management[/i]

My card got done on Wednesday this week. $1 to a US company and the £20 on a mobile top up. M&S stopped both of them but it's the 2nd time this year for me. Didn't initially connect the first one with CRC but the pattern matches the second one. Card and security number was new in Feb and there was one CRC payment on the last statement so it could have been harvested some time ago or it could be nothing to do with CRC. No comment from CRC although I have emailed them.

Who knows.

used CRC in the first 2 weeks of March, think it may of been the 9th and had someone try and get £130 of goods a week later. used CRC last week and nothing now. so they problem has been solved and i do belive it was something at CRC's end and they have admitted it.

[b]Hi,

Following your recent contact with us and concerns about having experienced credit card fraud, we are pleased to be able to give you further feedback.

The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.

The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.

We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.

We would like to offer you, by way of an apology, a £30 on-line voucher for use when you next come back to shop with us. The activator for your voucher is the email address you have received this email to. Simply input your email address into the e-voucher code box at the checkout to receive the discount.

Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.

Thanks again for your patience and support,

Michael Cowan
CRC Senior Management

[/b]

so i don't know why your trying to say it wasn't them?

just received my statement and been stung for just over £200 to one site, plus 50p ish I think to a US site. which both went through. Last order to CRC was first week of March.

Yup, just posted on t'other thread, but I got done after spending with CRC on 24th March. The frauds started coming through about 16th April, and there were many.

N.B. This was a new card.

it really doesnt look like CRC is safe despite Mr CRC's public statement

Merlin have some cracking deals on...

There is no legal requirement to process CC details in a certain way. There is the PCI-DSS standard (industry-led, not legally) which companies are expected to adhere to, otherwise Visa and Mastercard won't work with them.
One very specific part of that standard is that card details must be encrypted when they are stored, and that the security code [i]cannot be stored at all, encrypted or not[/i].

The fact that so many authorisations have gone through suggests to me that those rules aren't being adhered to.

EDIT: I got gotten about 5 weeks after my latest CRC purchase.