
Viewing 40 posts - 641 through 680 (of 946 total)
CRC security issues?

    Mark
    Full Member

    If anyone is interested, there are 158 individual reports on this thread of fraudulent transactions being spotted on accounts.

    Jamie
    Free Member

    If anyone is interested, there are 158 individual reports on this thread of fraudulent transactions being spotted on accounts.

    Oh thank god. I was worried it was serious for a minute 8)

    chewkw
    Free Member

    … equates to under 0.1% of on-line orders placed …

    Quick someone please start another on-line bike retail store as the market is big enough …

    Astonishing if there is no breach at CRC but yet so many are affected, so this I want to see.

    dab
    Full Member

    Got ripped by the fraud, bank refunded, new card etc.

    Bottom line, started using LBS more.
    Actually not as bad as I thought.

    Net result = CRC lose another customer

    phil.w
    Free Member

    … equates to under 0.1% of on-line orders placed …

    and this makes it ok does it?

    DavidB
    Free Member

    If anyone is interested, there are 158 individual reports on this thread of fraudulent transactions being spotted on accounts.

    …and if you apply the “only 4% actually post” metric then that is a LOT of fraud

    grunty
    Free Member

    DavidB, 3950???

    And that is only on STW

    anc
    Free Member

    and add in all the other forums…..

    Moses
    Full Member

    No, you can’t apply the “only 4% post” rule in this case as a loss or fraud is an incentive to post. It’s liable to be many more %, but who can say how much? Only CRC. There are likely to be thousands of incidents, I guess.

    To give CRC a fair whack, they have responded on the forum, they are working with a security company – and it’s hurting them very much indeed I guess.

    crazy-legs
    Full Member

    and add in all the other forums…..

    except that people will quite likely post on more than one forum, may not use the same user-name for each one, so you end up double counting.
    It’s always the complainants who shout loudest, so 99% of the people who have bought off CRC with no trouble at all are probably
    a) not aware of any issues
    b) even if they are aware they probably don’t care cos they’re OK
    c) people like me who did buy off CRC, had no issues but cancelled my card anyway as a precautionary measure. Better safe than sorry! 😉

    I’m not saying there isn’t a problem, I believe (from reading this forum alone) that the relationship between shopping at CRC and subsequent fraud is too high to be coincidence but, as yet, there isn’t a reportable story on it and as Mark stated, this forum gets far more views than the front page news.

    Mark
    Full Member

    If there’s one thing that’s going to get lurkers coming forward and posting it’s being ripped off by a fraudster. There are many victims who have posted on this thread for whom this was their first post. If you were a lurker who had been ripped off, would you keep quiet after reading this thread? There’s even a clear example on here of someone from France registering a new account just to add their case to the total. So the 4% rule doesn’t count.

    I think it’s clear there are hundreds of cases. Which is an awful lot and quite clearly a total that requires a thorough investigation coupled with a public explanation once that investigation is complete, which from our contact with CRC is exactly what they are doing right now.

    anc
    Free Member

    except that people will quite likely post on more than one forum, may not use the same user-name for each one so you end up double counting.

    Sure there will be a bit of double posting but not all that much, as people aren’t gonna sign up to other forums just because of this and forum users tend to be loyal to the one that interests them most; there will be exceptions but not many.

    kaltsoplyn
    Free Member

    Let me first note that I don’t – yet – assign positive blame on CRC. There is CRC, there is, presumably, some company which carries out payments for them and there is cyber-space in between; the culprit can lie in any of these.

    Having said that, 0.1% doesn’t seem too plausible now, does it? They refer to a ~40 days period and we can safely (?) assume there are circa 1,000 cases reported here and there so far (am I exaggerating?). Then the 0.1% implies CRC has taken something like 1,000,000 orders in that period of time. That’s like 25,000 orders per day. Does anyone buy this figure? Is there an error in my math?

    On the other hand, even if the 0.1% is a truthful figure, it does not necessarily correspond to the actual number of compromised CCs. It may very well be that the fraudsters are on finite resources, a fact which may have prevented them from stinging more cards in such a short period of time.

    mark.laird
    Free Member

    CRC are never going to be honest about the problem

    “They have found no evidence so far” – Unlikely

    I had attempted fraud happen on both my cards used – one original, one the replacement for the original. I’m on my third card now and avoiding CRC, tks

    CaptainFlashheart
    Free Member

    Is there an error in my math?

    Well, there is one in your English! 😉 Mathematics, not mathematic. HTH.

    😉

    angryratio
    Free Member

    Another here.

    Have a John Lewis credit card. They called quite fast after an iTunes US transaction. Odd.

    Anyway.. long story short.. last purchase was a set of forks at you’ve guessed it..

    Bit of a pain being without a card.

    damo2576
    Free Member

    I don’t think anyone knows how many orders they take a day, but you could make a decent guess with a few assumptions.

    2009 turnover was £77m. Assume a low average order value of £50 gives 4300 orders a day, a high average order value of £400 gives 500 orders a day.

    No idea what the actual average order value is, but let’s assume it’s somewhere between the above. That means they take 500 to 4300 orders a day.

    Let’s assume the period they are talking about (Feb and early March) is 40 days, that means during that period they’ve taken somewhere between 20,000 and 172,000 orders.

    Using their quoted 0.1% of orders affected means that they’ve had reports of between 20 and 170 cases of fraud.

    Clearly there are more cases reported here than the lower estimate above, but it gives you an idea of the orders of magnitude.

    Anyone with better idea of average order value could do better.

    scholarsgate
    Free Member

    .

    kaltsoplyn
    Free Member

    Well, there is one in your English! Mathematics, not mathematic. HTH.

    Cut me some slack; I’m Greek and my English is actually American. Which makes “math” – instead of “maths” – right. Bah, I should have used “calculations”… 🙂

    CaptainFlashheart
    Free Member

    ???????, ???? ??????!

    🙂

    wwaswas
    Full Member

    2009 turnover was £77m

    but that probably includes Hotlines and all the brands they own that sell to LBS’s etc?

    damo2576
    Free Member

    I did think that perhaps – not sure how it is structured – I don’t think CRC is a group company? Not sure. Hotlines although owned by same people is separate company?

    If you assume it does though then number of orders is obviously lower which makes their 0.1% claim look spurious.

    Mark
    Full Member

    CRC turned over £77 million in 2009. This is information in the public domain.

    I have no idea how accurate the following is so it’s totally open to debate but we can play with some of the numbers and use them to narrow down to the unknowns. Then we can play plug in made up numbers and see if the answers meet our expectations.

    Around £6 million a month in orders
    Average order value say £25… or £50… or £100? Let’s take these 3 and see what happens.

    6 million/£25 = 240,000 orders a month.
    @ £50 = 120,000 orders
    @ £100 = 60,000 orders

    0.1% of 240,000 = 240
    0.1% of 120,000 = 120
    0.1 % of 60,000 = 60

    We have on this site 158 complaints. That sits between average order values of £25 – £50 but we can’t assume that those 158 are all the complaints. There will undoubtedly be more.

    The largest unknown is the average CRC order. I could be all over the place with my guess. Maybe a straw poll of readers last purchase values will help us narrow that down to a more accurate figure. Anyway, I think the method is sound if not all the figures within it. The other unknown is how representative our 158 complaints are of the total complaints. These two figures are open to debate and supposition.

    damo2576
    Free Member

    err did you just copy my maths?!

    DJC
    Free Member

    Another lurker stepping forward here.

    CRC order placed in the relevant period, followed by call from credit card fraud dept last week – dodgy activity on card, card blocked and now reissued.

    Mark
    Full Member

    Ah.. I posted that and it seems the same sort of calculation has been done already. Good to see we are on the same general lines though. Did CRC own Hotlines in 2009? 2009 accounts will also refer to the period that ended in 2009 so depending on when the end of year is it could include most of 2008.

    damo2576
    Free Member

    @uplink – that article says 30000/week not month?!

    wwaswas
    Full Member

    Mark what I still don’t understand is how CRC (who say they still don’t know what the problem is how the information was stolen) can be confident of quoting any percentage of total order value/numbers of orders as being affected?

    If they can be certain that only 0.1% are affected then they must have a very clear idea how the information was obtained and what percentage of their orders left the channel used for CC traffic open to abuse?

    If they’re just going by numbers of reported incidents to them then they’re relying on people telling them? I wouldn’t – I know they know they have a problem.

    uplink
    Free Member

    @uplink – that article says 30000/week not month?!

    yeah sorry my typo

    It bears out my other post though of 6000/day

    damo2576
    Free Member

    @mark – was just joking.

    Taking a look at the accounts they actually quote the number of orders and average order value (kindly).

    Orders: 1042878
    Ave Value: £72.43

    So that’s 114,000 orders in 40 days. And 0.1% of that is 114.

    Of course that data is a couple of years old now, and they’ve grown considerably since.

    nickf
    Free Member

    What this is doing, of course, is ensuring that there’s not a cat in hell’s chance that I’ll buy anything from CRC in the foreseeable future.

    I suspect I’m far from alone……..

    uplink
    Free Member

    there’s not a cat in hell’s chance that I’ll buy anything from CRC in the foreseeable future.

    If the price & stock is right I’ll still buy – I did yesterday [via Paypal]

    CaptainFlashheart
    Free Member

    What this is doing, of course, is ensuring that there’s not a cat in hell’s chance that I’ll buy anything from CRC in the foreseeable future.

    I suspect I’m far from alone……..

    I suspect that this will also, hopefully, drive a few more people back to their LBS.

    Mark
    Full Member

    wwaswas,

    The CRC statement says the 0.1% figure comes from reported cases AND those reported on forums. Now it’s true that there is probably an unknown quantity of victims out there who have neither reported directly to CRC nor on a forum – this is another unknown value in the big equation. Slowly we are gathering enough data to plug in numbers to these variables though, and as we do a fuller and more accurate picture is emerging of the scale of the problem.

    So far, the numbers we have played with are at the very least in the same general area that makes CRC’s claim of 0.1% not an unrealistic claim. ‘Hundreds of victims’ is still a lot and needs investigating, even if there are by our own collective calculations hundreds of thousands of orders a month.

    DavidB
    Free Member

    nickf: But Wiggle are still going and there was a similar scare with them a while back.

    shedfull
    Free Member

    There are a couple of ways I can think of that CRC’s customers have been defrauded without any evidence of tampering on their servers.

    One is that CC details (if they store them, even briefly) have been accessed by someone with the legitimate rights to do so, copied to a USB stick and either sold or used by the person who stole them.

    The other could be an email phishing attack on known mountain bikers to make them click on a legitimate-looking email from CRC. When they click on the link, they would be connected to a site owned by the attackers, which logs the information entered and passes the request on to the real CRC site. The results of searches and the final order details would come from CRC, but be passed back via the fraudulent site. The shopper would never know that they’re not dealing with CRC.

    I’ve seen one post from a person who was defrauded but uses Linux but it may be that his attack was coincidental. If it was, MTBers could have been targeted (from a race event emailing list?) and key loggers installed when they clicked on a link.

    In all cases, nothing would show up on CRC’s systems and thus their statement that there is no evidence of a breach would be correct.

    This is not a defence of them or their systems but an attempt to indicate that these things are sometimes very difficult or impossible to trace after the attack has ended. But if the breach is found to be on their own, unsecured systems, they can expect to be fined and closely audited for a long time.

    chuffnuts
    Full Member

    Hello, I’m a lurker and have been had over too.

    5 transactions in total, for O2 and Vodafone prepay.

    Just cancelled my card and bank are refunding, not sure whether CRC are taking responsibility for this security breach?

    So I ordered some shock bushes, got sent the wrong ones, had to pay for Saturday delivery so I could ride that weekend, then I get money stolen. GOODBYE CRC I’ll not use you again!

    uplink
    Free Member

    There are a couple of ways I can think of that CRC’s customers have been defrauded without any evidence of tampering on their servers……………

    The other could be an email phishing attack on known mountain bikers to make them click on a legitimate-looking email from CRC

    of course, some of them may well have clicked though from here 😉 – just saying like 🙂

    thebunk
    Full Member

    It’s uncanny Mark – my last order was £57. With that kind of insider information, you have to be under suspicion…

    Um, not sure why people are trying to extrapolate any kind of numbers – CRC aren’t likely to even know how many people have been affected until they work out how the information was accessed, given that some won’t even notice, and many won’t know to tell CRC. However, I did some maths of my own, and I’ve decided that 1580 people have had their data stolen, based on the fact that 10% of people would report that they’ve been scammed on the STW site.

    I reckon if that is the final disclosed figure I should win a trolley dash round the CRC warehouse, plus 30 quid in mobile phone credits.


The topic ‘CRC security issues?’ is closed to new replies.