theotherjonv – Member
just found this thread and also read the other one that this is a response to.

I ordered some stuff from CRC that was out of stock a few weeks back as price was good and I was prepared to wait for it to come in. It came in last week and the card was duly charged, and goods have been received.

I was called yesterday by my bank querying 3×20 quid top ups for Vodafone. They also specifically asked me to confirm a CRC transaction.

How does that work then, if companies can’t store CC details; I put mine in several weeks ago but they weren’t used until the goods were ready to be shipped? Where were they stored in the meantime?

That also to me suggests it’s not keystroke logging or the like, seeing as if that was the case then the details would have been ready for use shortly after order was placed, whereas they only got used after the CRC transaction a while later.

If it looks like a duck, walks like a duck, and quacks like a duck, chances are it’s a duck.

Companies are required to be certified if they are processing or storing (or both) details such as credit card numbers.

A company I worked for previously, only had a license to store the CC numbers in the RAM of the transaction server. They were not permitted to write the data to hard disk.

Sounds like CRC have permission to store their CC data in a database – and this server was compromised, either as a direct attack on CRC’s website – or an attack on their infrastructure (wireless entry, physical entry, etc)

CRC are big fish, and will have a vast quantity of customers CC details – which makes them prime targets.

I was called yesterday by my bank querying 3×20 quid top ups for Vodafone. They also specifically asked me to confirm a CRC transaction

In a quick google search CRC comes up as a past target for using nicked cards as I assume it has at some point been relatively easy to order stuff to a funny address then ebay the lot

i really doubt its coincendence to be honest – its not as if were talking 2 or 3 people hit – which i could understand the point of this thread…

a whole thread on here with lets say 80 people (and numerous other forums too) have reported fraud after just using CRC within a week or so…now i doubt they have all just used CRC on their CC, but im sure the 80 reported people also dont have the same online virus scanner or lack of to blame the computer they own, nor shopped at exactly the same other online places etc etc etc for it to be considered something else – so it is way more than ‘just coincendence’ in my eyes…

im not sure how they can combat it, but its definitely lost my trust for the time being….

i bet a pound to a penny in a month we discover it ‘was’ CRC all along…

Mark – thanks. I do i having acquaintances who run forums of roughly half the size of this one and understand the commercial pressures advertisers can sometimes bring to bear, and I am typing this into a box immediately beneath a Vitus/CRC advert. But I am glad to hear there is nothing similar here.

Yes – ip addresses are the best measure you have – but I think site visits are a more honest way of describing things than “visitors” which really implies individual people – which is sort of what you implied… isn’t it?

It sounds from one or two of the more recent posts that the CC administrators themselves think that there may be a problem with CRC.

But whilst avoiding sharpening the pitchforks – and you don’t address either of the assumptions I think you are making btw… – if you had done business with CRC in the last 2 weeks – would you be checking your credit card statement more closely?

Mark – you’re getting confused between ‘page impressions’ and ‘unique visitors’

Both quite different things. One ‘unique visitor’ could view 20 web pages, each made up of 100 elements (images/javascripts/etc)

1 ‘unique visitor’ = 20 ‘page impressions’ = ‘2000 individual HTTP requests’

So for the STW figures you posted:

7.74 million page views in the last 30 days
1.3 million visits
476,286 visitors

= 7.74m individual requests
1.3m page impressions
470k individual visitors. <– the important one

Its nice to see CRC posting a good response.

Still checking my card though, even though I used Paypal – seems people who used it ages ago are now getting done.

i take back what I said.

Had 2 messages on my phone from yesterday from my credit card company.

Brand new card I used for the 1st and only time at CRC and 4 attempts to buy mobile phones. One in America by a Mark P McConnell and some more from Car Phone Warehouse and Orange.

its alright for these journos like Mark though innit, they dont have to get their credit cards out to CRC, they get their stuff free on a Friday 😉
(I am joking Mark)

Seriously though it would seem there is an issue – CRC have said as much on the other thread now, where the issue is or how it happened we maybe dont know, but is that important (and does speculating about it really get us anywhere)? I started the other thread to make people aware when it all seemed to be kicking off elsewhere, how many people that read it may not have been any the wiser if they hadnt seen it and the fraud (wherever it originated from) may have gone un-noticed for even longer, even CRC didnt know originally. So surely thats a good thing, a prime example of a forum like this working for its users?
I don’t think anyone is sharpening pitchforks or accusing CRC management of taking details personally, lets face it at the end of the day we are all their customers, we still want cheap bike bits and good service, CRC provide this, we will all be back shopping there once this is resolved. Many companies suffer fraud daily, this could just as easily happen to Tesco or to the little one man online retailer working out of his garden shed, just so happens this time it looks to have been CRC
And as for sizes CRC may be the biggest bike shop in the world and they may process thousands of transactions a day but in wider internet retail they are still small when compred to some others out there (and besides size has no relation to transaction processing security measures)
Using website hits to try and justify that ‘its not a big problem’ is frankly in my eyes not really on. It doesnt matter if one person or one million people are affected it is still a criminal activity affecting one of our suppliers (they are not a site sponsor or an advertiser – they are that company alot of us rely on to be able to partake in this sport) and the loophole is still there and needs investigating and closing no matter who has been a victim
It looks like CRC and the card companies are onto this now, so Im looking ahead and hoping that next week I can order my chainrings safely, because while the chainrings can wait I really have an urgent need for a big brown box

The other thread isn’t a witch hunt its simply a load of CR customers spotting a link and warning others. You cannot measure a issue like this by posts on some random mtb forum its is totally flawed!! The posts on here are likely to be the tip of the iceberg as many people (a)won’t have been hit yet (b)not seen their statement and/or not made the connection (c) and many many customers just won’t use forums.

If people didn’t post what they experienced, then CR would have probably be unaware there was a breach and the fraudsters would continue to cash in. 👿 Now at least they are dealing with the issue, yes bad in the short term for CRC, but good in the long term for everyone. 😉

xiphon,

sorry but there’s no mistake.. We don’t confuse ‘hits’ with page impressions. The stats are real. We deliver 7.74 million ‘pages’.. that’s complete pages.. if we counted the ‘hits’ there’d be 20 times that figure. ‘Hit’s’ or ‘requests’ is, as you suggest, a rather loose and frankly useless figure that we never quote.

Count the ads on this page. There’s typically 7 ads per page. In the last 30 days we’ve delivered almost 50 million ad impressions. Those figures are checked and double checked as most of our advertisers pay for them by the thousand (CPM) take that figure of 50 million ad impressions and divide it by 7 ads per page and you get a little over 7 million complete page impressions. Not ‘requests’ or ‘Hits’ 🙂

We really do deliver that many complete pages. Stop doing yourself down! You are part of one of the world’s largest online MTB communities 🙂

What ads? 😉

7 million? Still quite a way behind PB’s 70 million!!

http://radek.pinkbike.com/blog/pinkbike-speed.html

I just placed a big order with CRC last night*. Is my account going to be emptied!?

*Paid by Paypal though…

IIRC PayPal payment does not disclose the CC details to the ‘seller’ – they use a one-time unique token system.

Buyer has £10 in his basket, and wants to pay via PayPal.

CRC ask PayPal to authorise £10 from Buyers account.

PayPal says “Yes – transaction complete – here is a unique number for this payment collection”

CRC says to buyer “PayPal have said yes, and debited your account on our behalf”

CRC sends items purchased.

PayPal send CRC the money.

Twohats, I did the same, but at the moment it seems only CC fraud. But you may want to consider how your PayPal account is linked to your bank account. Theoretically your PP a/c could be hacked and your bank emptied. At least with a Credit Card you can say it wasnt you, that may be harder to explain to PP.

iv not had any problems and always pay by pp

altho mum used amazon a few years ago and has had a credit card opend up in her name in the states using her uk address.

Twohats, I did the same, but at the moment it seems only CC fraud. But you may want to consider how your PayPal account is linked to your bank account. Theoretically your PP a/c could be hacked and your bank emptied. At least with a Credit Card you can say it wasnt you, that may be harder to explain to PP.

My Paypal is linked to a debit card that is only used online and only ever topped up with the amount needed per transaction. No money in the account = no use to anybody should they obtain any of my details.

Not seen anyone saying they made purchases on Merlin/Wiggle etc then had their cards compromised, surely this has got to be more than coincidence?

I can’t help thinking that Mark’s first post on this thread was prompted by a phone call that went something like…

Lord ChainReaction; We’ve noticed a dip in sales. Do something about it.
STW Minion; Yes Sir, very good Sir, I’ll get somebody on to it right away Sir.

Pure speculation of course. I’d like to see the current spate of reported frauds put in to context with known typical fraud frequency.

Not seen anyone saying they made purchases on Merlin/Wiggle etc then had their cards compromised,

I remember when it were all fields round here, and the name “wiggle” could be seen burning on the pyre.

The great wiggle fraud battle of, what, 2008/9?

Stop doing yourself down! You are part of one of the world’s largest online MTB communities

Careful, the nicheness-halo might slip! 😀

Anyone had any more issues lately? I bought some stuff from CRC in mid March (from NZ)and found some one had bought almost a grands worth of stuff from a printer ink company in Italy! It’s a bit of an inconvenience having to change all the DD and getting the cash back.

This is the first time that i have ever been a subject of CC fraud.

Coincidence, or something more sinister?

I’m not interested in all the stats – is it safe now?

used my card 2 days ago with them.

bank cancelled it just to be safe ! :@

I’m not interested in all the stats – is it safe now?

I got this from CRC. They think it is resolved.

Hi,

Following your recent contact with us and concerns about having experienced credit card fraud, we are pleased to be able to give you further feedback.

The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.

The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.

We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.

PARAGRAPH REMOVED ABOUT MY VOUCHER

Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.

Thanks again for your patience and support,

Michael Cowan
CRC Senior Management

My card got done on Wednesday this week. $1 to a US company and the £20 on a mobile top up. M&S stopped both of them but it’s the 2nd time this year for me. Didn’t initially connect the first one with CRC but the pattern matches the second one. Card and security number was new in Feb and there was one CRC payment on the last statement so it could have been harvested some time ago or it could be nothing to do with CRC. No comment from CRC although I have emailed them.

Who knows.

used CRC in the first 2 weeks of March, think it may of been the 9th and had someone try and get £130 of goods a week later. used CRC last week and nothing now. so they problem has been solved and i do belive it was something at CRC’s end and they have admitted it.

Hi,

Following your recent contact with us and concerns about having experienced credit card fraud, we are pleased to be able to give you further feedback.

The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.

The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.

We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.

We would like to offer you, by way of an apology, a £30 on-line voucher for use when you next come back to shop with us. The activator for your voucher is the email address you have received this email to. Simply input your email address into the e-voucher code box at the checkout to receive the discount.

Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.

Thanks again for your patience and support,

Michael Cowan
CRC Senior Management

so i don’t know why your trying to say it wasn’t them?

just received my statement and been stung for just over £200 to one site, plus 50p ish I think to a US site. which both went through. Last order to CRC was first week of March.

Yup, just posted on t’other thread, but I got done after spending with CRC on 24th March. The frauds started coming through about 16th April, and there were many.

N.B. This was a new card.

it really doesnt look like CRC is safe despite Mr CRC’s public statement

Merlin have some cracking deals on…

There is no legal requirement to process CC details in a certain way. There is the PCI-DSS standard (industry-led, not legally) which companies are expected to adhere to, otherwise Visa and Mastercard won’t work with them.
One very specific part of that standard is that card details must be encrypted when they are stored, and that the security code cannot be stored at all, encrypted or not.

The fact that so many authorisations have gone through suggests to me that those rules aren’t being adhered to.

EDIT: I got gotten about 5 weeks after my latest CRC purchase.