Viewing 40 posts - 521 through 560 (of 946 total)
  • CRC security issues?
  • cakerider
    Full Member

    Another victim here, back from holiday to find a lovely delivery from crc but also 2 payments made to O2.

    Trimix
    Free Member

    WackoAK, CRC have actually posted up on this thread, so they have replied. They have also spoken to some people who rang/emailed. I don’t see what else they could reasonably do – unless you want them to pop over and say sorry in person. I don’t think they did it on purpose, they are the victims of some sort of theft. It can / will happen to any website.

    Not all of their customers have suffered, sure quite a few have, but they will be refunded by their CC companies in due course.

    Perhaps a comment on their web page would make some feel better, but it won’t actually do anything. A lot of customers will not have been affected and won’t get the comment if it’s posted. Until they have found the reason for the problem there is not much anyone can do.

    Or am I missing something? What would you suggest?

    In the meantime people can suffer the complete misery of placing a free call to request a replacement CC. Shocking I know, but you will live.

    It will have the knock-on effect of highlighting the ease with which this sort of crime can take place – that may make people look at their CC statements more often or tighten up website security. All good things in the long run.

    In the meantime you will most likely be refunded. I’m not defending them, just commenting that I don’t think they have entirely buried their head in the sand. I’m sure any company that successful will be busy trying to sort it internally.

    franksinatra
    Full Member

    What would you suggest

    An email to every recent customer making them aware of the risk and asking them to check their statements would be a good start.

    Not every customer reads forums or will be lucky enough that their bank will pick up dodgy transactions.

    WackoAK
    Free Member

    Trimix – a post on their website would be a start. Not everyone who shops there will have read this thread and the post on here is vague at best.

    In the meantime people can suffer the complete misery of placing a free call to request a replacement CC. Shocking I know, but you will live.

    Try a 30 min call as it was me who spotted the fraud, not my bank. I then had to get my overdraft increased as they had wiped my account and until I get a new card I will have to visit the bank in person to get money. Not really a big deal but still a pain.

    GHill
    Full Member

    Just a me too.

    Got a call from the CC company to say they’d blocked a transaction trying to buy a £15 O2 top-up. I used the card to buy from CRC around the time of the last £10 voucher email.

    No idea if CRC has been compromised (looks that way), but I’m definitely wary of buying anything from them.

    Oggles
    Free Member

    In the meantime people can suffer the complete misery of placing a free call to request a replacement CC. Shocking I know, but you will live.

    Natwest one is 20p/min.
    e: I was on the phone for over ten minutes, so going by the amount I saved on my last purchase from CRC I may as well have bought from elsewhere. Only used them for the convenience and pretty much guaranteed next day delivery.

    stuboy2uk
    Free Member

    Trimix I’m pretty amazed at your comments, over £200 gone out my account but it’s ok because I’ll “probably be refunded”. It’s an unbelievable breach of security for such a large company and they CLEARLY should have emailed every single recent customer explaining that there has been a breach and to check your statements.

    What about people who’ve paid by debit card? They won’t be refunded. What about the people who have lost money but not realised? You don’t think that ChainReaction have a duty to make them aware?

    andytherocketeer
    Full Member

    In the meantime people can suffer the complete misery of placing a free call to request a replacement CC. Shocking I know, but you will live.

    Or suffer the humiliation of just having tanked up a car only to find they actually have no way to pay.

    PS At least petrol went down 0.02 here today (and I need a tankful).

    uplink
    Free Member

    In the meantime people can suffer the complete misery of placing a free call to request a replacement CC. Shocking I know, but you will live.

    There’s one guy on this thread who has had his card cancelled the day before he flies off to the States on holiday for 6 weeks
    Trying to hire cars/bikes/pay for motels etc. is going to be a bundle of fun for him

    oh, how he’ll laugh

    hotrod
    Free Member

    Just last night I discovered some fraudulent purchase with my credit card: only a small amount of € 8,90 for “SNCF internet”.

    I directly called my credit card company ING to have my card blocked. The guy I spoke to told me that there had been more purchases in the last hours of several hundreds of Euros.

    Guess what? I have been shopping with CRC February 25. Irony was that I had received the voucher while processing my order. CRC was so kind to refund me the 10 pounds anyway, when I explained so. It was my first purchase with CRC and I was very happy with their fast delivery to the Netherlands and swift response of their customer support.

    I have to admit that I’ve been purchasing on the net a lot in the last weeks, also with Evans Cycles, Melitta, and Rose Versand, so I cannot be sure if CRC is the weakest link. First I suspected Evans because I had been so stupid to send them my credit card data through e-mail for some refunding, but after talking to them they pointed me to this thread.

    I only use my credit card for online purchases and paying hotel rooms (mainly for business). I never use them at shops, gas stations etc.

    Shandy
    Free Member

    The hassle isn’t in the phone call to have your card replaced, it’s in being without a card for 8-10 working days. I can’t even transfer money into another account without my debit card and it will take a couple of hours to go down to the branch and sort it out.

    Of course people are commenting on their web page, why shouldn’t they?! CRC are an internet-based business, they are quite happy to push social networking for advertising purposes, now they are finding out that it’s a 2 way street. It’s up to them to communicate better with their customers, acknowledge their mistakes, and make some effort to keep custom of the people affected.

    Trimix
    Free Member

    All good points – franksinatra, your suggestion is a good one. I’m not sticking up for them, just wondering what they could really do.

    stuboy2uk – I thought the bank would refund Debit Card fraud??

    The only time I had to call the bank about fraud took five mins to stop and reissue a card. Not good if your experience is otherwise.

    Perhaps CRC are weighing up the balance of an email to everyone vs the bad publicity. But threads like this will grow bad publicity anyway.

    Hopefully they will have been working on the issue and can come back with a report that will satisfy most of us.

    beej
    Full Member

    Just been called by MBNA – I put a big transaction through yesterday with Torq (legitimate), and they blocked it and gave me a call. Card is being cancelled and replaced even though I’ve not had any fraudulent attempts, because they’ve been informed by Visa that the card has been used in the past six months at a retailer that may have been compromised.

    Three_Fish
    Free Member

    Card is being cancelled…because they’ve been informed by Visa that the card has been used in the past six months at a retailer that may have been compromised.

    I’ve been waiting for that to happen. It could get even messier now…

    jonathan
    Free Member

    I just popped into my branch and got my card stopped and a new one ordered. I was getting very bored of checking my account a few times a day!

    WackoAK
    Free Member

    I think they can forget about making it 11 years in a row

    Mark
    Full Member

    I’m almost reluctant to post this for fear of being accused of some kind of bias, when in fact I’m trying my hardest to be totally objective. I’ve spoken to CRC and they are currently deep in an investigation that involves an outside agency (that they have asked to investigate). I’m making no judgement on CRC at all either for or against but a bit of googling has revealed a few issues that are maybe worth us having a look at, even if at the end of the day the weight of available evidence is not altered.

    So I offer this link (which is just a single source) for consideration.

    http://www.bl0g.co.uk/o2-uk-ltd-prepay-slough-mobile-phone-scam.html

    This next link at least backs up the ‘lax security’ issue aimed at O2

    http://www.pardoe.net/cellnet/precis.htm

    While that precis is quite ancient, this page of the same site was updated a few days ago..

    http://www.pardoe.net/cellnet/index.html

    jonathan
    Free Member

    Mark – you’re right, the O2 top-up scam is a way of testing the validity of generated card numbers, but also a way of testing the validity of stolen card details.

    The fact that CRC have an outside agency investigating, combined with people reporting that their banks are volunteering the information that there are “issues” with CRC, does suggest that we’re not seeing randomly generated numbers being used here.

    So yes, you’re also right, you are ‘in danger’ of being accused of bias, but I think you’ve covered yourself well enough 😉

    r0bh
    Free Member

    That’s all very well but the fraud against my card did not involve payments to O2…

    buzz-lightyear
    Free Member

    No problem so far. But I cancelled my debit card as a precaution.

    Stoner
    Free Member

    makes interesting reading Mark.

    So as a method of proof that CRC are statistically less likely to be the source than a spoof card generator, can we invite anyone who has used CRC in the last 4 weeks and NOT had their card compromised, to put their hands up?

    lowey
    Full Member

    This happened a few years back with Wiggle. A load of people on here got done as well as myself. They were flights to Barcelona and O2 top ups too.

    clubber
    Free Member

    So then, who’s had O2 (or the others mentioned) fraud recently and not used CRC for a while? If this is nothing to do with CRC then there should be plenty.

    Waderider
    Free Member

    I don’t buy Mark’s explanation because if this is an issue of randomly generated card numbers, to affect this amount of cyclists would extrapolate to a national debit card crisis.

    Unless anyone cleverer than me can suggest how Mark’s links could cause group self selection of cyclists.

    I am not a customer of Chain Reaction any more because they haven’t contacted customers who may be affected. They may have rung me after I emailed a complaint, but I needed them to be more pro-active to retain my custom. I didn’t expect them to put a banner on their website, that would have been commercial suicide. My expectation is that they must be aware of the time-frame of at risk orders, and should have contacted all potential victims. I can understand why they haven’t, but I don’t care about their self-interest.

    stuboy2uk
    Free Member

    My new credit card has only ever been used at CRC, yesterday someone spent over £200 at tesco.com on it, it’s definitely a CRC security breach, no doubt about it.

    anc
    Free Member

    No phone top-ups on my card before it got fleeced.

    simo_1981
    Free Member

    I’ve just had a call from my bank confirming that the order I made with CRC at the beginning of March was legitimate, so they’re obviously checking for something!

    Nothing else on my statement looks funny so perhaps just a routine check.

    Stoner
    Free Member

    No phone top-ups on my card before it got fleeced.

    Interesting implication that there are stolen card number users out there that test their numbers first and others that don’t. Or those that don’t are familiar with the original provenance of the numbers.

    andytherocketeer
    Full Member

    Not entirely convinced by the randomly generated numbers… at least not now. Do o2, vodafone, orange, (etc.) still really allow topup purchases with only CC no. and not CVC2, Name as on card, expiry?

    Bought on 27/2 from CRC, got a calling card from DP/DHL yesterday (which may or may not be the CRC parcel), checked CC online thingy and everything now adds up. Maybe there were some test authorisations that hadn’t been bundled up and gone thru as purchases? Keeping an eye on it for expected purchase to go thru, then will call bank anyway.

    Mark
    Full Member

    It just seems that the more I look the more I find websites out there that are reporting the same issues. Many have petrol stations as the possible culprits.. This sounds about right as using a petrol station is one of the many common denominators of the general public. Of course, some people don’t use petrol stations at all and have still suffered the fraud. But then it is clear from a bit of looking around the web that many have not used CRC but have still been scammed. On here, there are many who HAVE used CRC and been scammed. But I wonder if we add our numbers on this site to those many thousands of other victims out there whether the CRC link would still statistically hold up? I don’t know. I’m posing a reasonable question.

    Of course if the scammers are using what they know to be genuine card details then they MUST have been gained from some non-random source and an online retailer would be a likely source, as could petrol stations or any other countless sources. But if… and I’m just postulating… these scammers are using the clearly very lax security operated by the O2 Prepay system to test an endless stream of randomly generated card numbers, then it is possible that these transactions have no retail source at all.

    Now, consider if that were the case for a moment. How would that look say to a community of mountain bikers? A significant group of them would have been victims of this randomly generated card scam, especially if the community were large enough. If then those victims looked for some commonality between themselves in order to quite rightly attempt to trace a source, what possible common denominators could they come up with?

    The most likely source common to all of them would statistically be a retailer that is huge and serves pretty much exclusively that very community. Other possible common denominators would be other retailers like petrol stations… or supermarkets. But any community that seems to share in a particular fraud is quite naturally going to look at sources that serve that community almost exclusively first of all.

    Of course, they may well be correct.

    So, what is my point?

    An investigation is ongoing. There is a huge amount of circumstantial evidence pointing at one particular source. But there is room for caution. If the card details are being randomly generated then this pattern we see here is just as likely to occur. Of course that argument only holds water if there are other victims who have not used CRC. The number of visitors to this site is large enough to be reasonably representative of the population in certain circumstances so I’d expect that there are some readers of this thread who are victims of this fraud who have not used CRC. Are there any out there? I certainly wouldn’t expect there to be equal numbers of CRC users to not CRC users but if my possible scenario is true I would expect there to be at least some. Anyone?

    If there are none then this would increase the likelihood that the source could be with a retailer that is almost exclusively used by this community (cyclists of many cycling websites – not just STW). So it seems a reasonable question to ask that we may be able to use to gain a better insight into the problem.

    I’m looking forward to the completion of the investigation that CRC are currently undergoing. At that point we’ll all know a lot more than we do now 🙂

    UpQuickDownSlow
    Full Member

    Well that is very suggestive, but there isn’t zero doubt. You could have keylogger malware on your PC.

    ddmonkey
    Full Member

    Given the size of this issue and the size of CRC, I think that they would be smart to put a statement up on their website at the very least explaining that they are investigating it and will report back soon, and also stating what action they have taken in the meantime to ensure that new payments are safe. The best way to protect a brand is to be honest and communicate with your customers, not to pretend it hasn’t happened and hope it will all die down… I’m sure behind the scenes they are working on this 24/7, but it would be good for them to say that clearly to their customer base.

    Mark
    Full Member

    And one final note for now..

    I’m in no way making light of this issue. It’s hugely serious and if the source is found that’s going to be a big deal indeed. But more what I’m trying to do is use the fact that there are so many of us on here to help ask some more logical and rational questions that might actually help us find the source. Circumstantial evidence is NOT inconsequential but if we shift our line of questioning to get other answers this might actually combine with what we do know to either confirm suspicions or point them elsewhere. Circumstantial evidence is one source. What others can we find?

    packer
    Free Member

    I’m looking forward to the completion of the investigation that CRC are currently undergoing. At that point we’ll all know a lot more than we do now

    I reckon the most you will ever get out of them will be something like “The problems have now been resolved, please resume purchasing.”

    Or more likely nothing at all.

    andytherocketeer
    Full Member

    Many have petrol stations as the possible culprits

    Petrol station in Ipswich was my 1st. Don’t recall them double swiping, but internet seemed to have an interestingly high reports for an Ipswich petrol station.

    One of the most common is probably more likely to be rental car companies and hotels. They have your details on file, they have your credit card imprint on file, and the guy on the desk even gets to cop a glance at your CVC2, oh and as a bonus they know exact dates you’re not at home.
    Friend of mine thought nothing of the rental car guy noting down the CVC2 at the time! Wasn’t very happy when he got home. Treat it as a 2nd PIN… remember it… scratch it off the card… then report any retailer to your bank if they query it when doing card present purchase.

    iain1775
    Free Member

    You’re right to be reluctant, Mark.
    Sorry but if it is possible to randomly pick credit card numbers and manage to ‘randomly’ pick so many correct that all ‘happen’ to belong to not just cyclists but cyclists that use CRC and frequent this and other forums then personally I would be using the same techniques to predict next week’s lottery numbers rather than scam card information.
    It would be far more productive!
    The odds for what you are possibly suggesting are astronomical.
    Face facts, one of your main advertisers is the subject of a credit card scam. That cannot be disputed, deflected or defended, no matter what revenue they throw at you via advertising.

    I’ve lost faith in CRC now, despite not having been done (yet). The more you try to deflect this away from them the closer I am coming to losing faith in STW as well – you’re in contact with them, I suggest you urge them to issue a further statement to your readers and their customers.

    Dr_Bakes
    Full Member

    Mark

    You’re of course right that in a court of law there would be reasonable doubt. But this isn’t a court of law, the very opposite. And in this interweb based kangaroo court, the same interweb through which CRC does most, if not all, of its business, there is considerable circumstantial evidence to suggest a link.

    Do you not agree that given the circumstantial evidence and number of affected persons, that CRC might do well to placate the masses by posting some form of warning, or issuing a statement to its customers along the lines of “we are investigating the possibility….” and allow them to make the decision?

    Are you likely to be placing a debit or credit card purchase on CRC at the moment? I’m afraid I’m not.

    Mark
    Full Member

    I’m in no way commenting on the quality of the information coming from CRC. But Iain.. Facing facts is exactly what I am trying to do. And in so doing I’m looking to strengthen or weaken the case against CRC by looking at other possible scenarios and weighing them up against the circumstantial evidence that we have so far. I think that’s a reasonable and balanced approach to the issue. STW could of course go all tabloid and start making assumptions of guilt without any kind of investigation beyond posts on a forum.

    I still think it’s a reasonable question to ask… Are there victims of O2 Prepay fraud on this forum who have NOT used CRC?

    Even if some people come forward and say yes.. this does NOT get CRC off the hook. If no one comes forward then we can also count that as evidence too. None of it conclusive but evidence none the less that will build a clearer picture hopefully.

    anc
    Free Member

    Yes of course nothing is proven it could be some other source. But when you look back through this thread most of these transactions are directly after a CRC purchase, nothing else in between. The card companies VISA and MasterCard are cancelling cards even without fraudulent activity just because there is a CRC transaction on the account (if people are to be believed). The people you speak to at the call centres for the banks are becoming more and more open about the retailer their fraud department has a file on.
    So yes there’s doubt, but it don’t look too clever does it. 😕

    iain1775
    Free Member

    I still think it’s a reasonable question to ask… Are there victims of O2 Prepay fraud on this forum who have NOT used CRC?

    Quite probably, but it proves nothing other than that is a recognised way to test validity of scammed card details.
    Not ALL credit card fraud originates at CRC, but in this instance the weight of evidence far outweighs any doubt that may have been in my mind when I started this thread a week ago.
    I don’t think we need to go round gathering evidence for or against, there is enough of that already, be it circumstantial or not (and some isn’t, as if people are to be believed it’s the only time the card has been used), and besides that’s the job of the CC companies, CRC and the external auditor.
    All we want is some reassurance as to what CRC are doing to investigate and prevent further occurrences, and if it is yet safe to use their shop.
    Surely publishing such a statement is now in their best interests. This has gone too far for them to bury their head in the sand.
