- This topic has 945 replies, 352 voices, and was last updated 13 years ago by cheburashka.
CRC security issues?
stu1972 Free Member
I’ve posted on this thread twice explaining / ranting about this but I believe there’s something significant about the way it happened to me.
I initiated the card transaction by email. It was a refund that I had requested from an order that was never delivered.
That to me rules out any Keylogger / Trojan concerns. If someone had intercepted my details a month previous to my refund, why would you wait till after the refund was issued? It must be pointed out that no other purchases were made in the meantime.
I use Bluepoint A/V btw, which is only one of a handful of A/V programs that picked up the banking Trojans.
If my card details were held on file for a month, where could they be accessed at?
How are the refunds performed? Does CRC do the refund transaction onsite or is it done by a third party off site, i.e. an ecommerce company?
I have no idea I’m just a raggy arsed engineer & biker but it would be interesting to know.
leffeboy Full Member
and just got me as well. Not O2 this time (it’s a EUR card) but rather two top ups in Spain and then a couple of hundred EUR on something else.
Nobby Full Member
fluffykittens – Member
Card fraudulently charged with 2*£15 O2 Prepay.
I had identical charges against my card last month but had no recent CRC purchases. Mind you, I always use Paypal for those.
My bank’s fraud dept told me it was commonplace right now with gangs often storing card details over a 3-6 month period then using them all in a one off shopping spree.
anc Free Member
I wonder if the plods involved it might explain the surprising lack of meaningful information from the marketing machine that is CRC.
Kojaklollipop Free Member
It was a refund that I had requested from an order that was never delivered.
That’s interesting. I have something from my order that was purchased on a card that was scammed and has now been stopped and replaced, I contacted CRC about how they would refund my payment as the card has been stopped and this was in the email I got back:
‘We would ask you to update your card details in your CRC online account.
Once we have the new details we will be able to process the refund as soon as we process your return.’
Mmm, not sure I want to do that at the moment thanks! 😯
I did ask if they could paypal me the refund but they didn’t answer that, but I might insist.
jimmy Full Member
Can I just say – having just read the first 2 posts of this thread – I had 2 £30 charges for O2 prepay too.
Thank you and good night.
Three_Fish Free Member
We would ask you to update your card details in your CRC online account.
I didn’t think that CRC held any details other than the billing address; hence one always has to input card number/expiry at the point of order. There is no facility that I can see for storing/updating card account details on CRC.
Kojaklollipop Free Member
There is no facility that I can see for storing/updating card account details on CRC
Yeah, I can’t see anything either, I’m sure there used to be? I think someone else posted that the ‘remove card details’ option was no longer there, when my card got scammed it was one of the first things I did but when I clicked on it it stated no card details held, think I’ll email CRC back and see what they have to say?
UpQuickDownSlow Full Member
Never send credit card details by email. It is not secure. It is like writing them on a postcard and posting it.
Stoatsbrother Free Member
Nobody can dispute CRC are potential losers here. But the decent thing would have been for them to have fessed up and emailed all their recent customers days ago. And put a notice and apology on their home page.
Three_Fish Free Member
Yeah, I can’t see anything either, I’m sure there used to be?
Not that it means a great deal, but I can’t remember CRC ever storing card details (other than a billing address). I have a vague memory of an explanation somewhere that not storing card details was a part of their online purchasing security. Cards are verified at the point of purchase and have been for as long as I’ve used CRC, which will be four or five years.
Kojaklollipop Free Member
Maybe they don’t store any details online or in online account information, but I’m just curious now as to how they can make refunds then, I’m guessing they must have something stored somewhere? How do they refund to my account without the card details I paid with? (unfortunately this is the first time I’ve returned something as it’s the wrong size) ❓
kamina Free Member
They should just be able to refund to the bank with the transaction ID that came from the purchase.
stu1972 Free Member
Never send credit card details by email. It is not secure. It is like writing them on a postcard and posting it.
Sorry I should have been clearer, I asked them by email to refund me quoting my name and order number. I never sent my card details by email, that’s just asking for trouble!
atlaz Free Member
kamina – Member
They should just be able to refund to the bank with the transaction ID that came from the purchase.
Yep. Most merchants can do a full or partial refund using the transaction id from when you purchased. Given there’s no repeat billing at CRC, it’d be hard to argue that they need to retain card details.
DT78 Free Member
Sent this thread round my bike mates, one of them had their card scammed too just after using CRC. Seems too much of a coincidence really.
crispedwheel Free Member
I used Merlin yesterday for an order that I would have placed with CRC before the current situation occurred. First class service from Merlin – order placed at 1pm yesterday, delivered to me at 10am this morning.
neilnevill Free Member
just got me 🙁
New credit card account, only just got my first statement, a few different transactions obviously but a limited number of possible causes of the fraud. Used CRC last week, they were my last correct transaction, then a fraudulent Vodafone top up Saturday and more fraudulent Apple iTunes stuff yesterday… Halifax card services picked it up and called me today. Well done to them, I’m impressed they picked it up seeing as my account is only a month old so they have very little ‘history’ of my spending habits.
Dunno if it matters, my CRC order was only part shipped (item out of stock), the remaining item has now been billed (I assume it’s on its way), that was the last ‘correct’ transaction… so they must have held my card details to bill me in two parts.
stuboy2uk Free Member
I ordered some stuff from Chain Reaction last week and I’ve just missed a call from the credit card fraud people and my card appears to be suspended 😯
sas Free Member
Just had a call from the fraud dept of my bank… no dodgy transactions but they said a whole range of card numbers is at risk of fraud including mine and they’re going to replace it. Last CRC order was 11th Feb.
Oggles Free Member
I just had the call too. Someone topped up an O2 payg phone. I’ve not read the whole thread but I guess that’s easy enough from nicking the payment details and card address off an online shop like CRC. Last order was about three weeks ago. New card it is then…
GasmanJim Free Member
Me too!
RBS secure detected fraud on my card on Saturday morning when someone attempted 2 x £15 O2 top-ups.
Only had credit card fraud issues once before, many years ago.
Previous correct transaction was CRC a couple of days ago!
In my line of work (medicine) we have a saying: “if it looks like a duck and quacks like a duck, it’s a duck”. I’m convinced it’s CRC and will be telling the card issuer ASAP.
CRC won’t be seeing any more business from me.
Rockhopper Free Member
I’d love to know how they are doing this. My mate got done but the O2 transaction was done in the same minute as his CRC transaction (according to his statement)!
Shandy Free Member
I’ve just had my card stopped, they had flagged the O2 transactions at the bank and put them on hold but the same details had then been used to try a smaller charge overseas.
It’s an absolute joke that CRC haven’t warned people properly about this.
GasmanJim Free Member
Have just ‘phoned RBS secure. The chap I spoke to virtually finished my sentence off for me. He went on to say that they know it’s CRC and have been watching them for a couple of weeks.
Anyone on here work for CRC? You’re going to need to give out some mighty generous vouchers to rescue this PR disaster.
(Anyway, I’ve found somewhere much cheaper for a lot of stuff: H&S bike discount in Germany. Have just ordered an Ultegra groupset, let’s hope it turns up ok. They had UN54 BBs for 9 euros!)
elliott-20 Free Member
It is more than clear in a week and 13 pages that there is a fair amount of people falling victim to this scam and not just a ‘small percentage’ as we have been led to believe. It’s also clear the banks are more than hot on CRC’s case and CRC are simply failing their customers to open up and give us some facts.
I last bought from CRC in mid/late Jan. So far I have not been targeted but am I safe? I for one, and I’m sure there are many others out there, would like to know:
What has been stolen/leeched?
How long has it been going on for?
How long have they known?
How many customers could have been affected?
Are they going to inform their customers rather than wait for the customer to find out themselves (email, tel, website)?
Are they still taking CC payments knowing they could be putting customer details at risk?
Now don’t get me wrong, they are of course victims of crime themselves and I feel for them and I suspect there are a few people losing more than just their hair over this.
Obviously they are pursuing an investigation but they are not some ‘corner bike shop’. They are one of, if not the biggest online cycle retailer. Perhaps because of their size and reputation they are keeping mum about this but all in all the decent thing to do would be to be more vocal and keep their customers informed a lot more often or is that too much to ask?
They might find they will gain a lot more sympathy and perhaps, just perhaps, regain a bit of that lost trust.
This year, I shall mostly be shopping at Merlin 🙂
druidh Free Member
elliott-20 – Member
Obviously they are pursuing an investigation but they are not some ‘corner bike shop’. They are one of, if not the biggest online cycle retailer. Perhaps because of their size and reputation they are keeping mum about this but all in all the decent thing to do would be to be more vocal and keep their customers informed a lot more often or is that too much to ask?
If one of the other threads can be believed, they are turning over almost £2.5M per week – and a profit of 10% of that. Do you really expect them to turn off that tap while they resolve the situation?
wors Full Member
Got a phone call from my bank tonight about suspicious activity on my account. Ordered something from CRC Sunday, hey presto some twunt tried it on, luckily bank was on the ball.
elliott-20 Free Member
druidh – Member
If one of the other threads can be believed, they are turning over almost £2.5M per week – and a profit of 10% of that. Do you really expect them to turn off that tap while they resolve the situation?
So, according to those figures, in the past 2 weeks they’ve stood to make £500k profit. PROFIT! Man up, take a hit and get it fixed! But as I’ve already replied in a previous post they could easily channel payment through other gateways if the profit is that important. Besides, what is the issue with that when…
wors – Member
Got a phone call from my bank tonight about suspicious activity on my account. Ordered something from CRC Sunday, hey presto some twunt tried it on, luckily bank was on the ball.
…the scam is clearly still going on ^
dlr Full Member
I was hit for over 2k in the end as mentioned earlier in the thread. I have a couple of vouchers I want to use so that I can finish things with CRC. Prob is even though the total to pay is £0 you still have to put in card details! Attempting to use Paypal as the checkout also fails presumably as £0 so I will have to add to the order.
I presume using Paypal is still ok as it forwards to that site where you enter your credentials so no danger of CRC getting them as well?
cheers
Potdog Free Member
Hadn’t seen this thread, but I too used the 10 quid voucher for some bits n bobs. Then 1 week later I get stung for a fraudulent purchase of 303€ with some on-line flight company in Barcelona. Thankfully I get an SMS for anything over a certain amount so I was straight on to the bank.
Similar story, last use before was with CRC. Now I have to wait for another new card. Only had this one for about 3 weeks after the last was swallowed by a hungry ATM.
identicalbutlighter Free Member
My Visa got cloned late Feb, saw this thread and checked the account, used CRC 48 hours prior to the fraudulent transactions starting. Probably no coincidence?
stuboy2uk Free Member
Just spoken to my credit card company, someone spent £200 of my money on Tesco.com this morning. It’s an absolute f@cking joke that ChainReaction haven’t mentioned anything, the silence from them is deafening.
It’s outrageous that they’re still trading with no mention of it when there is clearly a leak in their system. They’ve got some serious making up to do or I’ll be closing my account.
chewkw Free Member
Just hope CRC will reward everyone for their co-operation after so much hassle.
Oh ya if they cannot catch the scammer(s) then they fail big time.
user-removed Free Member
druidh – Member
….they are turning over almost £2.5M per week – and a profit of 10% of that. Do you really expect them to turn off that tap while they resolve the situation?
Sorry, but yes. Definitively yes. If I knew that my online payments were being regularly and massively compromised, I’d inform each and every client and keep them updated on the situation.
The very second your clients lose faith in your ability to operate in a transparent and honest fashion, your clients will go elsewhere – as has been evidenced in many of the posts above.
I cannot fathom why any business, gargantuan or tiny would choose to hang a “Business as Usual” sign over a disaster like this.
WackoAK Free Member
This is getting very serious, too many people on here now for it to be a coincidence. The worst thing is the lack of an official statement from CRC, mistakes happen but it’s how you deal with them that sets you apart. Burying their head in the sand is not the answer.