CRC security issues?

Three_Fish – Member
Perhaps we’ll hear from them once business hours resume tomorrow. Virtually all of the bicycle-related forums are discussing the subject and CRC will have to demonstrate some kind of response sooner or later.

It’s at least a week since this was reported. Why would another day make a difference?

It’s at least a week since this was reported. Why would another day make a difference?

I don’t know – maybe they didn’t think that it would reach the intensity that it has in the last few days. That, however, and like pretty much all of this thread, is nothing more than conjecture.

So the comments from Crc management saying they are investigating and asking affected people to contact them earlier in the thead don’t count for anything then?
You did read all 11 pages before commenting I presume?

Same problems here.

28/02/11 Ordered from CRC, paid by card.
01/03/11 Items dispatched.
02/03/11 Items arrived.
03/03/11 Card charged by CRC.
07/03/11 Card fraudulently charged with 2*£15 O2 Prepay.
08/03/11 Checked online bank statement, noticed discrepancy, notified bank (Barclays), had card stopped and amount refunded immediately.
10/03/11 Received new card.

Ordered on personal PC running Linux, using Chrome browser.

I wasn’t aware of the potential CRC link until Mr Fluffykittens told me about this thread a few days ago.

All a bit of a pita, and what’s worse is that it was new shoes that I’d ordered and I’ve been too ill to use them 🙁

meh.

Fair enough about the recent comments on here from CRC, to me it does seem that CRC are waiting for people to notice a problem and then happen upon an internet forum to realise the cause rather than proactivly contacting customers to say there might be a problem.

It wouldn’t surprise me if there are quite a few CRC customers who have been hit, but dont realise as they have no way of knowing, and who dont frequent the forums to find out. Surprising as it might seem 😀

It pretty clear that they have lost card data at point of receipt prior to encryption as it goes through their e-commerce system. Either through internal or external fraud. They MUST also by now have an idea of the data range of which customers are affected.

How difficult is it for them to punt out an email to all recent customers saying “sorry guys there has been a problem”. Its not like they have a problem emailing customers is it?

Whether its a weekend is irrelevant IMO as they have een taking money of people all weekend. For a company their size its poor treatment of their customers and I guess a commercial disaster. Three fish has it about right what they should be doing.

So the comments from Crc management saying they are investigating and asking affected people to contact them earlier in the thead don’t count for anything then?

Of course they’re investigating, and it’s obvious that they’ll also be considering the possibility that the problem is directly related to them.

How difficult is it for them to punt out an email to all recent customers saying “sorry guys there has been a problem”.

It could be extremely difficult, I’d imagine, from both a legal and commercial point of view. Nobody here actually knows the percentage of CRC’s customers that have been affected, so if it is, for example, two to three percent, it would be foolish of them to contact all of their (potential) customers and tell them that their system is not, or may not, be secure. If what they have now is a commercial disaster, an admission of responsibility could be many, many times worse. I’m not sure how a public admission, or even suggestion, from them would affect their position in terms of liability.

i read about this on the website road cc forum.
i cant see it anywhere else, bikebiz or cycling news?

http://road.cc/content/forum/32203-chain-reaction-cycles-credit-card-fraud

Just been on to the bank – £1200 to johnlewis and another £600 to an online site from yesterday. My last order to CRC was on June last year so unsure if it’s related or not. The guy I spoke to did say “there has been a lot of suspicious activity recently”.

Ordered on CRC last week, got a phone call from the bank yesterday saying that a payment of £15 for an O2 top up had been declined.

Card cancelled.

Ordering from CRC in the future definately cancelled

From reading in a Finnish biking forum I find it hardly unlikely that this would not be directly related to CRC. There is a load of Finnish customers who have not used their card for any other online services then CRC, and they have been contacted by their banks within the last few days regarding closing the card for security reasons.

Actually, dispite all this I will still be using CRC (just have today).

I use Paypal and I dont see any online shop being more or less safer than CRC is. Didnt Wiggle have an issue some time ago ?

They may never find out what happend or how, but in the meantime the CC purchases that were illegal have / will have been refunded. So hopefully people will only have lost some time and not money.

I phoned Barclaycard earlier to cancel my card, they asked why so I told them about CRC etc and immediately the bloke in Bombay starts trying to sell me Identity Theft / Fraud Insurance, a bargain at £80/year! 😯

I told him I’d just like to cancel my card, get a new one. Had to sit through another few minutes of sales spiel, then I finally interrupted and asked him if he’d cancelled my card. “Oh, why do you want to do that?”

AARRRRRGGGHHHH!
It’d be simpler just to let the bloody fraudsters have it!

Seems to be sorted now and apparently my new card is in the post. No doubt with a whole load of sales crap attached to it.

I hate Barclaycard – haven’t used them for 10 years !

Just been stung myself, on a card I’ve not used for anything for a while… Bank asked “Can you think of any way that someone could have got hold of the card details?” so I said “Well, there’s a rumour going round about one of the online bike shops”. “Yup, that’ll be it, I’ll pass your details on to the team dealing with the Chain Reaction issue” who then said “Have you got any other cards that you’ve used with Chain Reaction? OK, we’ll cancel them too”. So CRC might not consider it proven but the professionals seem to.

For those of you that have been in touch with CRC, did you get any response? I emailed but have heard nothing back. Almost a week without any credit or debit cards, a real pita having to trek to the bank any time i need money. 😡

Just spotted this thread, I got done too. Ordered stuff from CRC on 2nd March, and card was used twice last week fraudulently at John Lewis and Stagecoach. Luckily the CC company were on the ball and alerted me straight away and stopped the card.

Quite worrying though, and seeing as this seems to be a known issue which has affected a lot of people I find the lack of contact/notification from CRC extremely disturbing. I won’t be using them again any time soon.

New chain ordered through chain reaction in January few days later card was cancelled due to someone trying to top up there phone card with my details.

Last week Helly Hansen base ordered through chain reaction, yesterday my new card was cancelled again.

I run windows 7 with chrome and mcafee.

No response from CRC either… Bit of a pee take!

Barstewards just got me – order placed last night, fraud dept call this afternoon. Vodafone top ups and £350 of online menswear.

This is clearly more than a coincidence – CRC need to do something to sort this out.

Took a call today from “Al” of CRC to VM at about midday, then again at about 13:30. Friendly and helpful. Advised that CRC is using an independent company to investigate. Didn’t admit to it being a CRC problem (from a legal prejudice point of view, I understand this). Has offered to keep me informed and flagged my account accordingly. Advised that they strongly believe, there have been no hacks involving Paypal transactions (did not guarantee, but see my above comment ref legal prejudice and all that). He mentioned that some postings on forums (fora?) allude to compromised Paypal transactions but that those they have been able to investigate have been erroneous. (Que to post for anyone who knows different…)

Apologies were offered for the problem and the delayed response.

Finally, he mentioned that staff were tasked to get in touch from Friday and they are working through the backlog.

All in all a very satisfactory call. My faith is now partially restored. Full restoration is on hold pending the ultimate explanations received and action taken.

Let’s not forget that if this is a CRC issue (which seems likely, but is not proven), then CRC is a victim of crime as much as we are. Let’s not punish them for that. If their response proves to be inadequate though: now that is a different matter. Time for CRC to step up to the mark, I think…

PayPal uses unique one-time tokens for a transaction.

No token can be re-used again, to authorise a payment. Can only be used in regards to refunds of the transaction.

At no time does CRC ever know the CC details on the PayPal account.

When you type in your CC direct to CRC…. thats another matter.

Rats!
I got hit too, thankfully I finally decided to read this post and check my account.

They got me too.

Ordered something from CRC for the first time in at least a year and a couple of days later my card was declined due to fraud. After talking to the bank there were 3 attempted transactions that weren’t mine; a garden centre, a hardware store and something else.

I had to buy something on CRC today even though my card details were stolen a few days ago. CRC assured me that the problem was over and no one has had any problems since the 8th.

Is this true? Very helpful on the phone by the way.

Its a shame about there piss poor returns dept. XT 10speed cassette need to be sent back for a week / 2 and it ‘might’ be replaced. Unfortunately I have a race in the weekend so have had to buy a new one. 🙁

I emailed CRC on Saturday and I received a phone call from them today. Very understanding and helpful, they assured me that they are investigating. Also offered to keep me informed and flagged my account.

Crikey … 😯

I’ve had two cards compromised in the last week, both of which have been used for CRC in the space of the last month. I can think of other common purchasers for both, but in light of the length of this thread I thought I’d add my twopenny worth.

Jansey look at ilkelypeter’s post ordered last night done today, I’d say the problems ongoing.

Shock horror, my wife (none cyclist) has reminded me of the time her account was compromised after shopping in TK Maxx. Dam that CRC.

Had the same at the weekend, phone call from the bank to say over £1000 had been spent at John Lewis and they tried to take another £450 but the bank stopped that one. Card now cancelled and waiting for a refund, had ordered from crc last week, definatly using paypal from now on

I phoned them up today to advise them my card has been cancelled as I have stuff on back order and returned, I got put through to a women called Linda and asked her what the situation is, I got the same response as Mudglutten got, they are aware of the problem, they have an independent security company investigating the problem and they will be contacting customers. They are aware of the posts on this forums and other forums.

There are a set of standards that retailers have to comply with otherwise the banks refuse card transactions from them. These standards are refered to as PCI (Payment card industry) Security Standards. Retailers have to appoint an Accreditor who makes a lot of money reviews the retailers security and passes them as compliant

Depends on the volume of business. You can effectively self-certify up to a level of transactions and wouldn’t need to get outside people in to audit that you haven’t got unencrypted card details stored. Of course, all you need is a developer who turns on some sort of debug logging and hey-presto, they can skim everything from the system. Not saying that happened here, but it has elsewhere.

xiphon – Member
PayPal uses unique one-time tokens for a transaction

Mostly true. There are ways to do repeat billing transactions with PP but they’d show up as CRC doing another transaction so it wouldn’t be a random punter (even assuming PP cleared CRC for reference transactions). So yeah, another person who deals with payment systems 😉

Luckily the last time I bought from CRC was 2007.

Got home today to a letter from Egg telling me my existing card was being canceled as of tomorrow. I have bought recently from CRC but last time was via Paypal. Seems they are being ultra-careful, but I am annoyed that I am now put in the position of having other orders for stuff put at risk through as my card won’t work.

This has happened to me today, HSBC phoned me advising that £20 has been used to top up a phone.

Used CRC last week so ties in with CRC’s securitys issues.

brother in law ordered new rim last week, got call yesterday to be told £650 had go from his account etc etc , glad I told him about this thread on saturday!!

I started the thread “No CRC Security issues” asking everyone who had used CRC recently but had had no fraud on their card to post.

I have now had some fraud on my card.

3 March Card charged by CRC
14 March £1 fraudulent payment to britishredcross – approved
14 March £134.95 fraudulent payment to Carphone Warehouse – attempted twice and declined.

Have used the card for 4 other online payments in the last month as well as for supermarkets, fuel stations, car insurance renewal and Halfords.

been checking my account since this broke and looks like 2 transactions for £15 have been taken. will speak tpo bank tomorrow.

Two questions –

How did the bank know the attempted Carphone Warehouse transaction was fraudulent?

How do the fraudsters use the credit card details? Do they have to make a fake card? Is there enough information from just the details you fill in online to do this?

As others have said remember that CRC are the biggest vicitms here – they must be losing significant sales, and it may not be their fault at all.

They got me too! Ordered a number of things from CRC last week and and recieved a call from the bank at the weekend.

Who ever is doing this is never going to run out of credit on their T-mobile account!!

I think an email to CRC is in order.

How did the bank know the attempted Carphone Warehouse transaction was fraudulent?

They get picked up by systems looking for certain types of behaviour i.e. small initial ‘tester’ payments followed by substantial ones not to the card holders address