CRC security issues?

most of these transactions are directly after a CRC purchase, nothing else in between.

I disagree.,

There are several instances where people have claimed that they only purchase they have made on their card has been to CRC. There are others where the time between CRC purchase and fraud has been up to a month. There are some where the fraud has happened very soon, within a day or two of the CRC purchase. But definitely not ‘Most’.

This illustrates a wider observation. Through reading so many posts the conclusion seems obvious. It feels like people are experiencing fraud directly after using CRC but if you go back through the thread you will see that our perception is not generally accurate. We are carried away, quite naturally by a group mentality that results in us feeling the conclusion is beyond doubt. If there is going to be a judgement made then it needs to be on the basis of objective observation.

Also, this thread has indeed gone over 500 posts. But there are in fact 260 voices.. That means on average people have contributed twice to this thread. Not all those voices are victims. Take them out and I think we can safely say there are around 200 victims of fraud here. Now that’s still a hell of a lot and the more that add to that total the more compelling the circumstantial evidence becomes, but beware of counting posts and then confusing that with victims as you will have just more than doubled the number.

I’m simply asking for as much objectivity as possible. That’s how you differentiate a thorough examination of the facts from a witch hunt. The result may well still be the same, but I’d rather claim I was a part of the former than the latter.

Mark, randomly generated would not work for the large fraudulent purchases made through the likes of Tesco, John Lewis, airlines that have been reported. All those retailers would require the CV2 number and the expiry date for the transaction to be accepted.

So to conclude – basically, CRC have f-cked up really badly.

They have potentially lost HUNDREDS of customers, through this PR catastrophe.

And there’s a strong correlation between shopping at CRC within the past month AND fraudulent O2 purchases.

Simple.

I disagree.,

I disagree.. more of them are straight after the CRC purchase this is how these threads(other forums) came about.

This forum dwarfs ours.
http://forums.moneysavingexpert.com/showthread.php?t=1901991&page=21

Again, all this tells us is that O2 Prepay transactions appearing on bank statements as a prelude to larger transactions is not exclusively a cyclist problem. It’s a small piece in the puzzle but it’s a piece regardless.

Has anyones’ debit debit card (used on CRC) been affected?

buzz-lightyear – yes, see above.

I’m going to back off for now though for fear of being strung up… 🙂 I’m as eager to hear from CRC as everyone else and see this whole issue sorted out.

I have stopped on-line purchase using my own card for few years now instead I started using prepaid CC or DC that I bought from WH Smith. It’s only for on-line purchase only so I guess I am doomed for the rest of card purchase … well, cash is king so I use cash as much as possible or cheque or pay direct into bank. I think the next thing I will do is to not go out and start stocking up food …

The following are the possibilities:

1) CRC breach – malware internally installed or externally hacked.

2) CC or DC processing centre – someone is collecting information the moment a purchase is made through large retailer(s).

3) Other retailers – petrol station, hotel etc when card is used.

4) Somewhere between CRC and CC or DC processing centre (actually same as 1 & 2.

5) You PC is infected due to Pr0n watching … likely but hackers rather target big players where they can harvest vast amount of data than you that earn peanut for a living. Well earning peanut me.

My guess will be 1, 2 or 4.

Will be interesting to see where the source of the hack is from and so far all the cc is used in UK o2 and Spain …

😯

My bet’s on #1

Just been had.

CRC order 2nd March.
2 x £15 O2 prepay vouchers Slough. 13th March

Natwest didn’t pick it up on a debit card.

peed off. CRC Own Up!

Given the way the payment card industry works, I’m pretty sure CRC will have a lot of answering of questions to do and quite possibly some hefty fines (if they want to keep using credit cards). Worst case scenario, you’ll see paypal only on CRC if the card industry think they’ve really messed it up but I’d imagine that’ll be quite unlikely.

CRC DO need to issue some sort of press release on this because right now the hearsay suggests the problem is still happening so more customers each day are getting stung.

With regards to the O2 top-up security… you need to know either the house number or numeric digits of the post code of the card holder.

You wouldn’t be able to get hold of these if your card was skimmed at a petrol station (unless they somehow did a check on the car registration and it happened to be the same address).

Now, I haven’t used a petrol station at all this year. So either they have randomly guessed my post code and got it right, or they got it when I typed in my payment details at an online retailer.

I wonder if we add our numbers on this site to those many thousand of other victims out there whether the CRC link would still statistically hold up? I don’t know. I’m posing a reasonable question.

you are but If I start that thread I doubt very much you will be answering on page 15. This thread would have just died if no on else was affected after CRC use. We may use CRC more than others but I cant see why we are more likely to be the victim of a similar random fraud of auto generation. Why would CRC paypal users be unaffected for example?

Surely if this wasn’t CRC related, some other big bike websites would at least get a mention. Evans, Wiggle etc must get at least half the revenue of CRC?

So if I use paypal on CRC it’s safe?

Paypal uses a token based system. So they take the money but can’t do any further transactions plus CRC never sees your PP login details. So it should be completely safe to use paypal to buy stuff unless there’s something shockingly wrong with CRC.

I made a purchase on the 8th March with CRC (only the second time I’ve used them in 12 months), and 3 days later, I had two O2 PrePay payments against my account.

I only managed to find out about the link with CRC by looking on Google, and finding this thread (along with several others). I’ve spoken with CRC yesterday, and given them the details of my order, and the details of my Police incident reference.

My bank didn’t spot the dodgy transactions, I did when checking my statement.

I wish now I’d chosen the PayPal option like I do 95% of the time when buying stuff online.

I also can’t believe how people are still suggesting it’s a coincidence. I work in IT have have done all my professional life, and my computer isn’t infected with any key loggers, or spyware (plus my purchase with CRC was made when I was at work, and my work laptop is VERY secure).
The same thing happened when Lush had their online store compromised two months back. People were defending them, and saying it was other peoples faults. They were storing card holder details unencrypted in the database (A BIG NO NO!). At least they had the decency to contact all their customers who could possibly have been affected (going back 4 months worth of orders). They also took down their online store (which I know if their main source of turnover, my wife used to work for them).

I have had my card cloned twice in the last month, both 2 days after a purchase from CRC. The first time they tried to make £15 payments to o2, the second time it would seem they bought two season tickets, bus tickets and a flight with Ryanair.

It would seem that their website is compromised.

Another £30 prepay from O2 here. Used Chain Reaction on the 1st March, got done on 9th March, which seems like quite a large gap.

In case it rings a bell for anyone else, I also used the card for the following:

Radiohead album
Amazon digital download
Etsy shop via paypal
Bristol train ticket
Spokeshirts via paypal

Maybe everyone on this thread also brought the Radiohead album… 🙄

I am SO oiked off! So, on the 8th of March I bought a KMS chain and my nationwide debit card was cloned etc. Bank refunded me money so all was good, apart from being without a card for 6 days!

Then I had a problem with my XT 10speed cassette, one of the sprockets snapped. CRC warranty dept. said nothing they can do and I’d have to purchase another one. As I’m doing the Gorrick race this weekend I was in a rush to get a new one. CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy’s card has just been cloned (15th) and £400 was attempted at John Lewis!

CRC you lying BAST**DS! I will never shop with you again. Enjoy your ear bashing tomorrow morning!!!!

Plus, they email me after I had sent a photo of the sprocket, they are refunding me for the original cassette (£15 lower than the new one) to be honest, it’s the least they can do!

Last week I used CRC for the first time ever. This week someone tried to make a purchase at an Apple store using my card details

My card has been canceled & a new one issued.

Objectively:

I was scammed a few days after a CRC purchase, but with Vodafone as opposed to O2. Do they have the same security / lack of as the O2 automatic guessing scam?

Secondly. I have several credit cards. Some are effectively dead (zero balance, I should get round to cancelling); some are balance trf cards but no purchases being made, and then i have 3 active cards (one Visa, one MC, and one I use only for work). Why is the only one that has been scammed of all these cards the one that was used at CRC.

Being objective this could be coincidence but to paraphrase what I said in my previous post on this subject; Quack Quack.

For how long will respected publishing houses continue to take the CRC pound? Or will they acknowledge the problem and pull all advertising until CRC themselves acknowledge the problem and take appropriate action?

I cancelled my card (as a precaution, not cos it had definitely been compromised) on Monday, new one arrived today. 🙂
Happy with that except that when I phoned the number to get it activated it once again turned into a sales pitch of how I should buy Identity Theft / Fraud Insurance. 👿

Reading the info on o2 that Mark posted it’s hard not to conclude they have been very happy to turn a blind eye to fraudulent “test” purchases of airtime for more than 10 years.

How can such a big company get away with this sort of nonsense for so long?

Then I had a problem with my XT 10speed cassette, one of the sprockets snapped. CRC warranty dept. said nothing they can do and I’d have to purchase another one. As I’m doing the Gorrick race this weekend I was in a rush to get a new one. CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy’s card has just been cloned (15th) and £400 was attempted at John Lewis!

It’s clear that they don’t want take a short term hit on profits but the long term damage could be a lot worse, and I hope it is the way they are behaving. Anyone emailed Watchdog yet? 😀

I realise that Mark is seeking to redress the balance against a mob convened kangaroo court, which is quite understandable.

However, I got scammed nine days after using my card at CRC. I haven’t used my card anywhere else in the last four months, nor do I do any online purchases on anything other than a secure PC which is regularly swept for malware and viruses.

I do understand that a web security breach at CRC may not be entirely under their control, especially if they sub out their payment processing. That said, as a customer I will be thinking very carefully before making any purchase from CRC in the future and I’ll feel an awful lot more comfortable when the full circumstances of these breaches are in the public domain.

Well – I stood up in the initial few posts on here and said no way it’s CRC (probably related to why I no longer work in IT).

As luck would have it I got a new card today (new number, start / exp and c v v). I’ve no real need for it (or used the old one in months / years). Should I go and buy something from CRC and see what happens?

Just seen this thread, not the biggest forum follower, and last monday 7th bought ticket to marathon race in july on CRC, late next day i get all call from bank about attempted £30 O2 top up. full credit to My bank, Lloydsttsb for alerting me, as usually their a shower of s***. will be much more careful from now on. take care out there.

Well, guess what.

After posting this link round mates and finding out one of them has been scammed, I have just checked my online accounts. And lo, 2 x £15 O2 prepayments have been processed on 15 March.

HOWEVER – this is my DEBIT account, this is absolutely not used for online purchases, my CREDIT card I use at CRC seems ok (last crc purcahse 19 Feb).

In fact all purchases (online and over the counter), of any description, are run through my credit card.

Other than big companies like IPC media, virgin media etc.. for DD;s the only other internet companies that know my debit account details are Paypal and topcashback.

I have never used my debit card to purchase from crc….maybe it is a coincidence and just a massive scam?

Thankyou to the OP though, you made me proactively check and spotted it when it was only £30. (no proactive phone call from lloyds for me though)

Mark it is a good and honourable thing that you are doing trying to put a different viewpoint here, but it does rather ignore the fact that the Credit Card houses themselves have – according to lots of posts here and elsewhere – recognised that there is a particular problem with CRC at the moment to the extent that they are pro-actively cancelling people’s cards, and are able to guess at CRC being involved when people ring up to report scamming?

Given that this is really a bit of a bike news story now – and that you are a journalist writing for a constituency of 470000 unique users a month – what other than an admission by CRC would it take to make you put something about this on your ST home page?

There’s no way I’m ordering anything else from CRC until they come out and say what’s happening.

road.cc have essentially said that until CRC fess up, they won’t be writing about it. Theres nothing on Bikeradar either so it’s not just Singletrack. Someone needs to be getting the message out wider that there is a legitimate concern that the CRC credit card payment process has been compromised (by all means tell people to pay with Paypal of course).

I’d threaten to not buy any more from CRC but I’ve not bought from them since 2007 so I guess I’m not a key customer

Again, all this tells us is that O2 Prepay transactions appearing on bank statements as a prelude to larger transactions is not exclusively a cyclist problem. It’s a small piece in the puzzle but it’s a piece regardless.

Mark, just because there is a lot of people here with 02 problems does not mean this is the only thing it tells you. I’m actually surprised it seems most people here are noticing the fraud on their own, but I guess that says more about your banks then anything else…

In Finland on the biking forum the CRC thread is not full of people noticing dodgy transactions, it’s full of people who have been contacted by their banks notifying them that their cards have been disabled as a security measure because they believe the card info has leaked. I guess this is a difference between how these cases are handled between our countries (in Finland the customer will never end up paying, rather then banks will suck it up, hence they are quite quick to respond).

The only common denominator between these people is that they have purchased from CRC, actually there are several who have not used the credit card for anything else.

I don’t think there is really any doubt here.

(in Finland the customer will never end up paying, rather then banks will suck it up, hence they are quite quick to respond)

The banks customer always ends up paying somehow – they will factor in these costs into their business model.

Mine done as well. A 98Euro spanish rail ticket was purchased which drew attention to Natwest who promptly stopped my card. Since the CRC order, there’s been 1 amazon order, a couple of Sainsbury internet orders & 1 orange mobile top-up and the rest are normal high st / petrol station transactions; so a link can be drawn to CRC. Maybe it is 2+2=5, but a link none the less.

Whilst CC fraud happens all the time from various sources this is looking more and more like a compromise at CRC. If it turns out they’ve stored CC data in a database unencrypted (a la Lush) I hope the PCI come down on them hard. I’ve been involved in securing banking and insurance company systems and there are some fundamental things you need to do and stuff like DB encryption is relatively cheap so there’s no excuse.

Assuming it wasn’t an inside job then the entry point into CRC would be interesting to know as well (but will likely never be revealed). If it was a sophisticated zero day exploit then fair enough no system is 100% safe (that’s why you do defence in depth and encryption) but if it used a known exploit down to lax security management then I hope there will be P45’s issued.

+1 FuzzyWuzzy

Just got off the blower to CRC after sending them an e mail last Thursday .They are still working on the cause and as soon as they have any news will be contacting people and posting statements on line .