CRC security issues?

The banks customer always ends up paying somehow – they will factor in these costs into their business model.

It could also be the shop who ends up paying…

CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy’s card has just been cloned (15th) and £400 was attempted at John Lewis!

So in Janesy’s case, after having his first card cloned he was assured that the problems were resolved. Then low and behold the second card he puts through them is also cloned…. So what’s the probability of that happening by chance….. 😯 !!

Just had my card hit with £2500 John Lewis bill. I’ve only used this particular card once in the last year (three weeks ago) and it was buying from Chain Reaction Cycles. Thats not to say that the card details were not harvested before that but…

Got hit this morning for a few small tester transactions. Card company called me – which was good of them.

Credit card order to CRC on 6th March – card only used abroad apart from this transaction (scammed transactions were domestic BTW).

Amusingly, the fraudulent transactions seem to be from a provider of payment services for adult sites.

(in Finland the customer will never end up paying, rather then banks will suck it up, hence they are quite quick to respond)

As I understand it, any fraud using a credit card or visa/mastercard debit card is paid for by the bank (or charged back to the retailer). We all pay for this protection through high card charges for retailers that are passed on in the price of goods purchased.

Lloyds have told me I need to fill out a fraud form they are sending me, and return to them within 14days or they won’t refund me the dodgy transactions.

The missus has checked her cards & accounts and they are fine so pretty sure it isn’t a keylogger on our laptop.

It’s been reported on theregister this morning:

TheRegister[/url]

Thanks for that link to a news item Farmer John.

Because of what I regard as Chain Reactions tardy response, I’ve been sitting on my hands forcing myself not to contact responsible agencies / journalists etc. What has stopped me doing it is that I am Northern Irish, which means I apply some ‘local bike shop’ goodwill to Chain Reaction. Another thing that really narked me are these suggestions that a Chain Reaction director has implied or even stated that the problem lies on customers PC’s – key loggers etc. Not very likely as I run linux.

Something else is bugging me – why aren’t Singletrack running this as a news article? What matters more, informing readers or protecting advertisers?

Another thing that really narked me are these suggestions that a Chain Reaction director has implied or even stated that the problem lies on customers PC’s – key loggers etc. Not very likely as I run linux.

Not going to go back through the whole thread, but was this actually the case? I thought the dude who said about weaknesses on user PC’s was actually the guy who ran the IT company CRC use?

Waderider – Mark’s post here explains why they’ve not put it on the front page yet.

Thanks WackoAK – I don’t think that is a reason for not having a story. Regarding the director stating the problem with users PC’s, it is something I have read on several places on the net. So yes, it could be rumour and lies.

We have asked CRC for another update. As soon as we have something new to report we will.

just been on the phone to my bank (nationwide) and they are stopping all cards that have had transactions with chain reaction cycles in the last 10-14 days, compromised or not.

They are also being investigated by the bank, so I have been informed.

The poster was claiming (not directly… but their name + location indicated so) to be the MD of the company “Export Technologies”, who provide the e-commerce platform.

CRC carefully worded a response to STW, neither denying nor confirming the above to be true.

Hi Folks

Just want to give you an update as you may have missed our earlier statements.

What do we know?
We know that some of our customers have experienced credit card fraud after placing an order with CRC.

When did we find out?
Senior staff in CRC where alerted to forum comments on Sunday 6th of March. We immediately began our investigations enabling to release information via community forums on Wednesday the 9th, acknowledging that we were actively investigating the situation.

How big is the problem?
So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly and via forums equates to under 0.1% of on-line orders placed In that same time period. However, we understand that for those effected this is of great concern and as we take our customer’s security extremely seriously we are taking all the steps we can to understand what has happened.

What steps have we taken?
CRC have employed one of the UKs leading internet security companies to carry out immediate and full forensic investigation into CRCs infrastructure. This investigation has so far uncovered no evidence of any breach. We are also fully engaged with our card processing companies and the card schemes. This investigation is still underway.

Card Re-issues
Purely as a precaution, Card Issuers may make the decision to reissue new cards to recent CRC customers. If your card is reissued it does not mean that your details have been compromised but the banks take an ultra cautious view on this as the cost of re-issuing a card is much smaller than resolving any potential issue in the future.

When will CRC have more information?
We are working round the clock to get an understanding of what has happened; as we get greater understanding we will continue to keep you up to date and intend to issue a further updates over the next week or so.

Can you order safely?
So far the investigation has uncovered no evidence of any breach but if you want to order on CRC without CRC being in contact with your credit card details then choose Pay by PayPal and checkout using your credit card via the PayPal express checkout.

Please contact us directly
We want people who have been directly affected to contact us so we can personally update you by email. Please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.

Thanks again for your patience and support

Michael Cowan
CRC Senior Management

crccustomersupport, my bank has told me they have blocked all transactions with CRC so I couldn’t order again even IF i had 100% trust in you!

Thanks for the update.

So far the investigation has uncovered no evidence of any breach

do you not consider the many many people on here who have issues seemingly as a direct result of giving you their custom as evidence?

It’s noticeable that CRC still don’t say whether they have themselves reported the significant volume of fraud to the Police.

Oooh, made it onto the Register!
here[/url] How exciting!

email sent

lets see what they come up with

there’s absolutely no reason to assume that this is purely an IT related issue……

equates to under 0.1% of on-line orders

Somehow I don’t believe you.

If it’s high enough to make the banks aware of it, I would put that figure FAR higher. Unless you process something like 100 million transactions year…

Remember to encrypt the credit card database next time, alright? 😉

nicko74:
Oooh, made it onto the Register!
here How exciting!

Look up dude.

Very brave of CRC to come on here and comment. Well done.

However, two things;
1 – As mentioned above,

do you not consider the many many people on here who have issues seemingly as a direct result of giving you their custom as evidence?

and 2 – I still find it astonishing that an issue affecting so many mountain bikers/cyclists has not been reported officially by a mountain biker/cyclist focused website which ” delivers a daily dose of mtb news and opinion”. This is both news and opinion and has been running for some time now.

While I appreciate that Mark is trying to protect the ad revenuewait until all the facts are in etc, that’s not really how “news” works. You can report what is happening, with all the relevant caveats of course, but surely something like this should be reported? Amazing that a site such as El Reg reports it before STW.

While I appreciate that Mark is trying to protect the ad revenuewait until all the facts are in etc, that’s not really how “news” works. You can report what is happening, with all the relevant caveats of course, but surely something like this should be reported? Amazing that a site such as El Reg reports it before STW

Marks comment on ‘publishing’ the news story of CRC

http://www.singletrackworld.com/forum/topic/is-mtb-journalism-proper-journalism/page/3#post-2385072

Yes, I too had my card compromised after making a couple of purchases from CRC in late February. Halifax Financial Services were on the ball and called me. Card was cancelled and a new one issued, which took about 5 days. No direct evidence of a link with CRC but in the light of the foregoing, it is suggestive.

hopefully everyone who has had this problem will actually tell crc about it.

their 0.1% figure may be based on direct contact, not us lot bitching on here.

their 0.1% figure may be based on direct contact, not us lot bitching on here

Good point.

their 0.1% figure may be based on direct contact, not us lot bitching on here.

they said up there ^^^ So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly and via forums equates to under 0.1%

I’m sure I read somewhere that they despatch around 6000 orders per day, so over – say – a 10 day period that would be 60 complaints

well spotted, i doubt they have trawled through all the forums though

to be honest i’d like them to take the HUGE PR hit and send out an email to all account holders. not everyone reads the forums or checks the cc bills regularly.

I’ve just got an email from CRC, with the same content as the post above. Looks like you got your request mrmichaelwright 🙂

Amazing that a site such as El Reg reports it before STW.

Not amazing at all. Reporting on CC fraud is one of the things they tend to report on, along with compromised websites, unencryted SQL DBs left lying around on webservers, disgruntled webmonkeys walking out with files or refusing to handover root/admin passwords etc.
If anything, I was amazed they hadn’t reported sooner.

to be honest i’d like them to take the HUGE PR bonus and send out an email to me offering a 100% discount for life

worth a try……. 😀

I hadn’t bothered to directly contact them as my bank dealt with it pretty efficiently, but now I have.

CRC should put a note on their front page with their various statements and some advice on what to look out for / who to contact – it’s pretty shoddy of them to be posting on message boards but not on their own website.

Amazing that a site such as El Reg reports it before STW.

Report is a bit strong, they basically said 2 sites forum members reckon there’s somthing dodgy going down. Hardly l33t investigative journalism.

to be honest i’d like them to take the HUGE PR hit and send out an email to all account holders.

they have, got mine 15mins ago.

so it seems

not had mine yet though

Just got the email from CRC too. Glad to have some confirmation that they’re looking into it.

I don’t think they would actually lie about the 0.1% becuase if investigated they would end up in quite a bit of legal sh*t. I’m going to take their advice and pay via pay pal on future transactions until they come out with a statement saying that security issues, if any, have been resolved.

I was on the phone to them for 20minutes on a big rant. still doesnt help! i’ll be getting my shiny parts from somewhere else in future.