CRC security issues?

That’s overkill. Paypal is safe here because Crc never get any of your pp details other than email address and confirmation that you paid. Unless pp is compromised ( 😯 ) then it’s fine.

Cheers Chewkw.

Worth the extra £10 IMO to save potential hassle & be safe so Wiggle wins the day.

[geek mode]

Also CRC might even be blacklisted by bank due to their weak on-line security.

There are a set of standards that retailers have to comply with otherwise the banks refuse card transactions from them. These standards are refered to as PCI (Payment card industry) Security Standards. Retailers have to appoint an Accreditor who makes a lot of money reviews the retailers security and passes them as compliant. Compliance requirements include things like password protection and renewal, card detail encryption at point of entry, security of physical IT networks etc etc. Its a moving feast that changes all the time in response to flaw exploitation by criminals.

The best one I heard was the gang that installed radio transmitters in several hundred card readers in the factories in china. Only discovered by chance in the shops after they had been installed.

If their system isn’t accredited by the banks for security then the banks would refuse card transactions from them to the banks so they would not be able to take card payment from customers at all. Its the bank that takes the hit on any fraud.

p/s: I remember asking several on-line retailers how they store the CC information

Probably a retailers most guarded secret, no retailer will disclose that due to the security risk.

[end geek mode]

I do feel for CRCs customers and think CRC should come clean about this, rather than turn a serious security breech into a PR & commercial disastor (they are a top 100 retailer after all).

clubber – Member
That’s overkill. Paypal is safe here because Crc never get any of your pp details other than email address and confirmation that you paid. Unless pp is compromised ( ) then it’s fine.

Agreed.

I’ll caveat my post by saying that you should make sure your pp passwords isn’t the same as Crc or any other site for that matter.

clubber – Member

That’s overkill. Paypal is safe here because Crc never get any of your pp details other than email address and confirmation that you paid. Unless pp is compromised ( ) then it’s fine.

Yes, it’s overkilled which is a slight hassle but then it’s only changing p/w and you can always change your p/w back again at a later date considering all the CC breached.

But there’s no point or reason to do it as it’s irrelevant. I could just as reasonably suggest you sacrifice a chicken.

Though I’ll point out again that if you use the same email/pw for pp as you do for everything else you’re asking for trouble anyway.

Hmmm I was surprised at the number of people who reported problems with other Internet sites after STW was hacked due to having the same password!

EDIT: 3 purchases here from CRC using paypal and no problems, but have changed password just to be safe!

Why would you change your paypal password? That’s completely pointless in this case.

bigjim – Member

Why would you change your paypal password? That’s completely pointless in this case.

Just a precaution that’s all but if you are confident that it will not affect your Paypal then don’t change anything. We just don’t know how advance some trojna can be nowadays.

Guess what, yes I have just had the phone call last night from HSBC, my card details have been scamed. My last transaction was with CRC 2 weeks ago. O2 vouchers £30 worth was tried but HSBC blocked the transaction as they said that my card number was on a list of many, they seem to know which card numbers have been scamed.
Paypal from now on.

Chewkh you just haven’t read this thread at all… have you… 🙄

No issues at all with people paying by paypal which is also the payment window for many many outlets including ebay. This is specific to CC payments to CRC. Credit Cards companies implying that it is CRC themselves who have been compromised. Very clear that this is not a trojan or a key logger on customer side. Could be a problem with hacking of the third party who provides CRCs payments system, or an inside job.

Why would you suggest something like that ❓

Do you guys have nothing better to do than argue on the net? It would be nice if the size of this thread was in proportion to the size of the issue, rather than in proportion to the amount of guff you want to spout.

World’s largest online Bike Store has dozens and perhaps hundreds of scam transactions… not exactly fast to respond or fess up…and does not mention anything about it on their home page…

waderider how big an issue does this have to be… on a bike forum… ?

The way CRC are handling it is almost a case study in how to not manage a problem. They are really at risk of permanently damaging their credibility and customer relationships unless they:

1. Formally acknowledge the problem
2. Tell us how big the problem is
3. Tell us what steps they have taken so far to mitigate the impact on customers who have had card data misused
4. Tell us whether the police are involved yet (if they are allowed to confirm this)
5. Tell us who is accountable for resolving the current issue and putting things right and how any improvements to site security will be communicated to customers.

Until they do these things, I suspect that many long standing customers will vote with their wallets and shop elsewhere.

The other question that arises out of this debacle is the role o2 seem to be playing in enabling compromised card data to be used for the purchase of airtime.

Presumably it’s fairly straightforward for o2 to determine the channel through which the airtime is being purchased, and the phone numbers that it’s subsequently used on (as well as where these phones actually are).

o2’s systems seems to allow (by accident or design) large numbers of credit card numbers to be used to purchase airtime that is presumably used on a small number of phones that in turn are used in static places for low cost call operations. Surely it can’t be that difficult for o2 to stop their own systems being used to monetise the proceeds of fraud?

John,
you are so right. I emailed CRC many days ago, per their post on this thread. I have heard nothing back.

So… I have just ordered 2 new tyres from those nice chaps in Portsmouth. I paid a tad more, but security’s worth a few pennies.

do you think it is a small number of people who are purchasing things with everyones CC’s or do you think it would be a large scale operation?

I would have though there is the ability to trace all of these in this day and age of modern whiz bang technology?

A few members of another forum (Swedish, so I guess no point in linking) have reported problems using Paypal too. There were attempts to use their accounts at other online retailers after purchasing from CRC. Don’t know how much truth there is to it though, just that I won’t be touching CRC for quite some time.

My card got scammed about a month ago (those small fishing transactions, luckily Nationwide picked up on it). Reading this thread i’m thinking it must have been due to CRC – i barely use my card anywhere else online. Absolute swines. I won’t be shopping there again.

Warpcow – the way you pay with pp means you never actually show your pw to the retailer. You enter your pp pw into paypal itself even if you’ve got there via a shop. For pp to be compromised via crc it’d have to be a completely different method of fraud.

I understood that (it’s my preferred method of payment in other stores), but figured it might be worth noting even if it seems unlikely. I guess it might be users having the same password for their CRC and paypal accounts.

Bought at CRC with my debit card on the 8th; had a £20 O2 prepay voucher purchased on my card this morning.

Yep but again, you really are asking for it if you do that…

Is that directed at me?

Aimed at my comment I think 😉

The “Delete Previously used Debit / Credit Cards” on CRC has gone.
If I log on I cannot find it – maybe it’s me, but last time I looked I found a message that “no card info is currently held”. So something is being done their end.
Out of 6 riders today – one had been hit, he had no idea of the link. Bank phoned up and said his card was one of many they were cancelling as a precaution.

Yes, aimed at warpcow 🙂

I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning, fortunately it was declined. They even went to the extend of changing the password on the RBS Secure (an extra level of security for online purchases). I was only notified by an e-mail thanking me for changing my password. There will be several phone calls to several customer service departments demanding to know what the hell is going on.

I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning

It was Chain Reaction Cycles that was the source of the attempted charge?

That’s exactly what happened to me,only with TSB’s Clicksafe system. To be fair , my money was paid back within 3 hours of contacting their fraud dept.

The way CRC are handling it is almost a case study in how to not manage a problem.

well I’m impressed that they haven’t taken the Wiggle approach (we remember that one?) where all posts talking about the problem were removed with the threat of legal action (although I’ll not be too surprised if this thread doesn’t go missing at some point soon)

I ordered online with CRC last Sunday, today they tried to hit my card for £699 this morning,

Sorry I worded that badly, I should of said

“I ordered online with CRC last Sunday, this morning some scammer tried to hit my card for £699”

I had started to calm down after this morning, but having been made aware of this thread and then reading it, I am now fuming again.

Tim

Especially as it appears they must sponsor STW a fair bit with the ammount of ads currently on here.

Still cant undertand why they havent made an official announcement, I would hope they do tomorrow with it being Monday and a working day, its not even that they dont know this post exists!

Plus think how many use CRC who dont even use STW and are getting card swiped.

I wonder why the scammers think they could get away for using others CC, surely whatever they pay for needs to be delivered to an address and that should be a dead give away location … 🙄 The rest just leave it to the police but yes the cost of arresting is expensive.

🙄

Just got the same issue.

Bought something from CRC a week ago. Tried ro pay by Paypal but there was an error inthe transaction between CRC anPaypal so paid on debit card. Just checked account today and got a £30 O2 Prepay debit on my account:-(

chewkw,i know a bike shop owner that got robbed of a 3k bike.the courier delivered it,signed for (with a scribble) and that was the end of it.Someone got a bike for free after calling up their bank and telling them that someone had just bought a mountain bike using their card.. then got it refunded.

you could easily sit outside someones busy street address in a car and pop out when you see a delivery driver.you could sit there all morning waiting for an expensive bike and pretend to be the occupant.

Buy online securely with confidence on this site

🙄

surely whatever they pay for needs to be delivered to an address and that should be a dead give away location

It seems to be mostly mobile telephone prepay vouchers that are being purchased. For all intents and purposes, they are untraceable.

Before the pitchforks come out, it’s worth noting that the O2 Prepay fraud goes way, way beyond a bunch of riders who think they’ve found the common denominator. A web search (link) brings up incidents going back over the last few years. O2 even recognise the issue as far back as 2008 (link). One post I found on moneysavingexpert.com makes this point:

So many people are so quick to accuse companies, banks, or websites, for allowing their card details to be passed to fraudsters.

This is, in general, not the way it works. Large sites (e.g. Paypal) do their own payment processing, and smaller sites subcontract this out to someone like Worldpay. All these organisations have to be so very careful with our card details, as the amount of fines and worldwide reputational damage would be crippling to their business. I do not believe that these companies have anything to do with these fraud cases.

All these cases of PAYG mobile top-up fraud happen online. That indicates that a ‘clone’ of the card doesn’t exist. So the fraud probably doesn’t originate from an ATM, because a device on the ATM, along with ‘shoulder-surfing’, would enable the fraudster to create a clone, and this, along with your PIN, could be used for ATM withdrawals.

Instead, all that they have is your 16 digit card number, your three digit security code, and your expiry date. With a powerful enough computer, they can just create millions of different possibilities. Each of these is used for a small ‘authorisation’ transaction, typically for about 1p. (This normally doesn’t show up on your statement, but you may notice your available balance decrease by this amount for a few days where one of these has occured.) After they get a successful one, they’ll put through a ‘real’ transaction, for a low value. This is where you see the mobile top-up or cinema ticket.

There is nothing that we can do to stop this at the present time (without advances in technology), apart from being vigilant ourselves (so that we notice the transactions quickly and can stop our cards) and hoping that the banks do the same (e.g. Halifax phoned me to warn me as soon as my card number was used fraudulently; I think Egg do the same). And don’t try to shift the blame onto random websites/ATMs that you’ve used recently, chances are, they don’t deserve it. (Although there will always be the odd exception, I appreciate that!)

There is the possibility that scammers are just going into overdrive at the moment and CRC are getting blamed because it’s what all of the victims on STW have in common; and it’s human nature to try and observe a pattern or common thread.

Three_Fish – Member
There is the possibility that scammers are just going into overdrive at the moment and CRC are getting blamed because it’s what all of the victims on STW have in common

IN which case there would be a similar proportion of non-CRC users also being hit. But I’m not aware anyone has yet posted along those line?

IN which case there would be a similar proportion of non-CRC users also being hit. But I’m not aware anyone has yet posted along those line?

We aren’t exactly dealing with scientifically collected sample data, though; are we? The point is that this problem has been around for years and there is no particularly compelling evidence to suggest that CRC are in any way responsible or negligent. I’m not saying for a minute that what is being discussed in this thread is definitely not an example of a particular company’s (CRC) security weakness; but it could be just as likely that they are completely unconnected.

Perhaps we’ll hear from them once business hours resume tomorrow. Virtually all of the bicycle-related forums are discussing the subject and CRC will have to demonstrate some kind of response sooner or later.