- This topic has 945 replies, 352 voices, and was last updated 13 years ago by cheburashka.
CRC security issues?
Mark (Full Member)
based on the fact that 10% of people would report that they’ve been scammed on the STW site.
This is what I’m always, almost obsessively, wary of..
The use of the word ‘fact’ when what you mean is ‘my assumption based on……’
Once we start using the correct and consistent terminology then we can start to properly debate the values and through that come up with better conclusions and a more accurate picture of what is really going on.
All we have done so far though is show that CRC’s last communication that included some numbers is reasonable.
DavidB (Free Member)
All we have done so far though is show that CRC’s last communication that included some numbers is reasonable
…using some assumptions based on.. 😉
rondo101 (Free Member)
The other could be an email phishing attack on known mountain bikers to make them click on a legitimate-looking email from CRC. When they click on the link, they would be connected to a site owned by the attackers, which logs the information entered and passes the request on to the real CRC site. The results of searches and the final order details would come from CRC, but be passed back via the fraudulent site. The shopper would never know that they’re not dealing with CRC.
Perhaps I too am a coincidental, but I activated my £10 voucher at work (by clicking on the email) and placed my order with CRC using my home PC (using a favourites link).
anc (Free Member)
Only the banks know the numbers involved and despite what was said earlier they don’t cancel cards and single out a particular retailer without good reason.
Harry_the_Spider (Full Member)
Just had a phone call from my credit card company. I would appear to have joined a less than exclusive club! £30 at Domino’s Pizza!
Used CRC last week.
Card in the bin.
Not best chuffed.
Waderider (Free Member)
As an affected customer I have received the email. This thread is getting too long for me to digest, have Chain Reaction sent the email to all potential victims or just those known to be affected?
I’m glad to see it has made the news on the site.
I also don’t think there is any point doing the math when you’re starting with assumptions (regarding the percentage of customers affected).
thebunk (Full Member)
Sorry Mark, probably best to assume that when we say “fact” on here, it’s with tongue firmly in cheek. 😉
The only point I was making with my post was that all of the “math” on this thread is statistical flimflammery.
damo2576 (Free Member)
…using some assumptions based on..
The only point I was making with my post was that all of the “math” on this thread is statistical flimflammery
The math was based on their audited annual accounts and their own claim re 0.1% of orders affected.
singlespeedstu (Full Member)
I wish they’d hurry up and sort it out.
I want to order something that no one else has in stock. 😐
Hareydan (Free Member)
Add me to the people who’ve used CRC recently and also had some dodgy transactions go on their CC, T-mobile top ups in this case. Cancelled my card straight away then got a call earlier today asking if the £138 sky sports subscription was anything to do with me! I’m no expert in the matter but that seems a strange thing to pay for with stolen credit card details! The SS subscription wasn’t anything to do with me, just in case you were wondering.
DT78 (Free Member)
No email from CRC for me (yet) though not convinced it was definitely their fault.
It’s even more annoying if it is your debit card. I can’t actually get any money out so having to beg/borrow money at work to be able to eat (no card machines)
andytherocketeer (Full Member)
I wish they’d hurry up and sort it out.
I want to order something that no one else has in stock.
ditto (which is strange, cos most things on their store that I was interested in always seemed to be OOP or OOS).
my order from 27/2 arrived promptly yesterday morning
I don’t want to use Paypal (50% chance my other card was scammed thru them).
PS don’t know why people are extrapolating forum post numbers to try to gauge how many people got caught up in this scam. You won’t get more accurate than “many hundreds/thousands” out of “many thousands/tens of thousands” of customers, and even CRC probably won’t ever know an accurate number, since many won’t have put 2 and 2 together, and “many” would have cards pre-emptively canceled by bank who weren’t directly affected.
xiphon (Free Member)
LOL @ assumptions it’s keyloggers!
(Seriously?)
If the attacker could copy the data to USB, then CRC would need authority to store the CC details on non-volatile memory (hard disks, basically). Often, a company might only have authority to keep the CC details in volatile memory (RAM), only used for processing the data – then discarded instantly. They have to comply with PCI standards.
The attacker would require a service to run, undetected, to monitor the RAM for CC details (common strings, like length, format, etc).
IMHO, it’s most likely their CC database was not encrypted (when it should have been!), to acquire the sheer quantity of CC details.
tkm16 (Free Member)
Just had the phone call from my credit card company, £2350 went out to Swiss Air in Switzerland today. It was a new card, only used it a few times at Chain Reaction Cycles! Don’t think I will be using them again!
atlaz (Free Member)
I’m no expert in the matter but that seems a strange thing to pay for with stolen credit card details!
When my wife’s card details were compromised, someone booked a hotel in Brighton for the day we discovered the fraud. The bank said there was no point in telling the police that there was a hotel room with people who were using a stolen CC because they wouldn’t go and try to talk to the people. Not sure if that’s true or not but it seems like a missed opportunity. Go to the hotel at 5am, get the buggers out of bed and drag them down to the station for a chat. At the very least, it’d make fraudsters a little more wary of ordering goods that needed delivery or even hotels, holidays or what have you.
Hanky (Full Member)
For the last couple of days I’ve been waiting to see what’s happening with my current account, as on 16 March one test withdrawal for £1 followed very rapidly by another for £1282.95. Apparently it’s in clearing and bank have to let it go through to track. I haven’t used CRC during the period identified above, but have a lot towards the end of last year – so maybe details harvested then?
If it’s not CRC, suspect Merlin or Bike24 or just an amazing coincidence?
I shall be more careful in future!
Harry_the_Spider (Full Member)
The Police should have gone round to Domino’s and grobbed in the pizza that was ordered on my card.
DavidB (Free Member)
Agreed xiphon. My money is on SQL injection attack has led to CC numbers from database. The hacker then uses these numbers on sites where you can repeatedly try with different details but the same number this allows you to gain expiry date/CV2 whichever is missing.
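The pattern DavidB describes, one card number retried with different expiry/CV2 values until the missing field is found, is something a merchant or payment processor can detect in its authorisation records. This is an added example, not part of the original thread: the record layout, token names, window and threshold are assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation attempts (not real data):
# time, card token (never the raw number), expiry tried, CV2 fingerprint, result
ATTEMPTS = [
    ("2000-01-01 10:00:01", "tok_A", "03/13", "c1", "declined"),
    ("2000-01-01 10:00:04", "tok_A", "04/13", "c1", "declined"),
    ("2000-01-01 10:00:07", "tok_A", "05/13", "c1", "declined"),
    ("2000-01-01 10:00:09", "tok_A", "06/13", "c1", "approved"),
    ("2000-01-01 10:05:00", "tok_B", "11/14", "c7", "declined"),  # one typo
    ("2000-01-01 10:05:40", "tok_B", "11/14", "c8", "approved"),
    ("2000-01-01 09:00:00", "tok_C", "01/13", "c2", "declined"),  # slow drip
    ("2000-01-01 12:00:00", "tok_C", "02/13", "c2", "declined"),
    ("2000-01-01 15:00:00", "tok_C", "03/13", "c2", "declined"),
]

def find_enumeration(attempts, window=timedelta(minutes=10), threshold=3):
    """Return {token: most distinct (expiry, CV2) pairs seen inside one
    sliding window} for every token that reaches the threshold."""
    by_token = defaultdict(list)
    for ts, token, expiry, cv2, _result in attempts:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_token[token].append((when, (expiry, cv2)))
    flagged = {}
    for token, events in by_token.items():
        events.sort()
        start = worst = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({combo for _, combo in events[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= threshold:
            flagged[token] = worst
    return flagged

if __name__ == "__main__":
    print(find_enumeration(ATTEMPTS))                            # fast guessing
    print(find_enumeration(ATTEMPTS, window=timedelta(hours=7)))  # slow guessing
```

A short window catches rapid guessing but misses the slow drip on tok_C, which only shows up with a wider window; a customer mistyping once (tok_B) stays below the threshold in both.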
iain1775 (Free Member)
I think mark should change his tag from resident grumpy to resident detective
What do the numbers matter? Like I said earlier, 1 or 1,000 people affected, I would hope CRC would treat it the same and investigate fully anyway; a security breach is a breach no matter how many people are affected
damo2576 (Free Member)
I think the point was people were questioning CRC’s statement of 0.1% of orders being affected. The math based on stated turnover and order value showed that it seemed in the right order of magnitude given the known reports here.
LordOnOne (Free Member)
O2 removed £30 from my account after I used CRC. Card was new and I don’t use O2. The bank sent me a letter and a new card.
iain1775 (Free Member)
OK Damo, based on reports on here, but if you google CRC credit card fraud you will find cases in New Zealand, France, Spain, Finland and all around the world. I bet they haven’t posted here. You can do calculations based on so many assumptions but they neither prove nor disprove anything. Unfortunately I believe cases reported here are only the tip of a much bigger iceberg, and like others have said, if CRC don’t yet know the source no one can guess on numbers affected
damo2576 (Free Member)
OK Damo, based on reports on here, but if you google CRC credit card fraud you will find cases in New Zealand, France, Spain, Finland and all around the world. I bet they haven’t posted here. You can do calculations based on so many assumptions but they neither prove nor disprove anything. Unfortunately I believe cases reported here are only the tip of a much bigger iceberg, and like others have said, if CRC don’t yet know the source no one can guess on numbers affected
If that’s the case then it shows that CRC are under-reporting the cases at 0.1%, i.e. there are more than 0.1% of orders affected.
cheez0 (Free Member)
So….
Not wanting to trawl through 700 odd posts,
Payments to CRC via:
Paypal = OK
Credit card = compromised
? Or am I missing something?
blades2000 (Free Member)
Hmmm,
I’ve not been through all the pages but I have had my Bank Card Details stolen. 🙁 Visa Debit in case you were wondering.
15gbp was taken and used to top up a pay and go O2 sim card, somewhere in London.
I am not sure if it was CRC that lost the details. Fraud guy at RBS said that there are many ways they can get your card details.
I have passed my information on to CRC, who knows it may help them catch the thief that did this.
Hope everyone else manages to get their money back and getting your new card is not too difficult.
In future I will try checking out with PayPal, I think that is safer but honestly I am not sure 🙁
Nickbland (Full Member)
Right, what I want to be able to do is remove my details from their site.
I’m sure that when you log in your credit card details are stored there, are they not? I’m not going to try buying something and may be incorrect but I’m sure the card details were held.
If not then I still want to remove my login details and it won’t let me!
eat_more_cheese (Free Member)
Another victim here, MBNA fraud phoned me a couple of days ago to tell me that £700 had been spent with Mamas and Papas! At least they were on the ball and realised it wasn’t in line with my ‘usual’ spending and stopped the payment.
neilnevill (Free Member)
I’ve had the ‘apology email’ from CRC. I haven’t contacted them direct, but I have posted on this thread as affected. My user name is pretty obvious to link to my CRC account…..but I still assume that the ‘apology email’ has simply gone to all recent customers.
These thieves….must make a lot of phone calls judging by the O2, Carphone Warehouse and Vodafone purchases they make fraudulently!
neilnevill (Free Member)
Oh and a ‘well done’ to Halifax card services. Replacement card arrived today, just 2 days after the other was cancelled.
iainc (Full Member)
I posted about 10 pages ago, having had my card fraudulently used. New card now so all ok. I emailed CRC this morning to state the facts and point out that I had spent a small fortune with them over the years. I got the standard email back, but was also surprised to get a phone call update from them this afternoon – no new info, but a human voice, an apology and an undertaking to call back once they have got to the bottom of it. Now I think that is actually pretty decent.
Lionheart (Free Member)
Have been away all week and back to discover my card details have been used!! Apparently 2-3K was approved!!!! 😯 They say they will remove the amounts and/or I will have to claim them back. Will get on to all involved in the morning to try sort more out…..
PJM1974 (Free Member)
I’ve yet to receive anything from CRC.
I can handle the inconvenience of having to organise new card etc, CRC may well buy in the online purchasing facility from a third party that’s been compromised.
If they don’t encrypt the logs of credit card transactions then they’re asking for trouble, but then how many online companies actually bother to go to those lengths?
xiphon (Free Member)
DavidB – Member
Agreed xiphon. My money is on SQL injection attack has led to CC numbers from database. The hacker then uses these numbers on sites where you can repeatedly try with different details but the same number this allows you to gain expiry date/CV2 whichever is missing.
SQL Injection sounds about right too, if the attacker was external (i.e. not CRC employee…. can’t rule it out!)
Probably been harvesting data for months, then tried to use as many as possible in a short time period.
If they don’t encrypt the logs of credit card transactions then they’re asking for trouble, but then how many online companies actually bother to go to those lengths?
Any company who deals with financial information needs to comply – by law – to various standards, or the payment processing company/bank won’t deal with them.
circle (Free Member)
Add me to the list. Hit for O2 pre pay, thirty quid only days after a CRC order. Cancelled card. Minor headache for me. Got new card.
I’m reluctant to use Chain Reaction Cycles again.
Then I warned a friend who had just ordered from CRC and, would you believe it – he was hit for O2 pre pay, thirty quid only days after a CRC order. He cancelled his card. Headache.
sheffield43 (Free Member)
SQL Injection sounds about right
I find it hard to believe a website of the size of CRC would be subject to a SQL injection attack – preventing this is not difficult and everyone involved in data driven sites is aware of it as a threat… aren’t they??
Kojaklollipop (Free Member)
Mmm, only 0.1% of customers affected eh, be nice if CRC offered a nice big discount to those who’ve had the hassle of their card being scammed then, 20% off my next order please, after all it’s only 0.1% of their sales for that period (apparently?) so it would be nothing to them! 😐