Chain Reaction Cycles : credit card fraud

My very first post and it's not nice!

CRC still seem to have the problem. I had a quid taken out of my account as a charitable donation, then as above a £30 O2 voucher and then some scumbag paid Lambeth Council £1200 + £800 with my money!

Bank identified Chain Reaction Cycles as the culprits within minutes.

Last fraudulent transaction was 7th April so still going on I'm afraid.

Contacted CRC a few days ago - no reply yet. Keep you posted.

Paul

I always use PayPal for CRC and Wiggle and whenever else it's available. That way you aren't sending any credit card details through the ether for people to pick up and spend on stuff.

Of course, that's unless PayPal's security gets compromised. Then I'm stuffed...

I had my credit card cancelled due to fraudulent activity folowing several purchases from CRC ... and despite emailing CRC, received no response and didn't get any goodwill voucher.

I wonder how they decided on who to hand out vouchers to? In my case the fraudulent transaction was for a very expensive airline ticket, rather than O2 top ups, but the fraudsters no doubt tried different tactics and when attempts at larger transactions failed, they would then switch to less noticeable smaller transactions. I really doubt the fraud involved only O2 top ups and nothing else.

I am not impressed by CRC's lack of response when I registered for updates when this issue was first reported on cycling websites. They completely ignored my emails. I only found out the security breach had been plugged by reading news updates on websites like this. Normally CRC's service is pretty good ... not impressed.

The goodwill voucher was nice and got me back shopping with them again, although it will be paypal only from now on.

I had a similar issue - my card was used to buy £20 O2 top up after buying from CRC. As it was a new card hasn't used it anywhere other than CRC / amazon. Just received the above e-mail and a goodwill voucher. Was a bit wary of buying from them again, but will definitely do so now - a really great response to something which probably wasn't entirely their fault.

Just thought I'd bump this thread as CRC have admitted they had a problem and have now put it right. To quote their response on another forum:

Hi Folks,

Since our last communication, we have continued to carry out a full forensic investigation following recent reports and concerns from our customers experiencing credit card fraud after placing an order with CRC.

The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.

Recent customers of CRC may find that, as a precaution, their credit card company will issue a new card. Be assured that if this does occur it does not indicate that your details have been compromised.

The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.

We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.

Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.

If you have further enquiries about this issue please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries [at] chainreactioncycles.com and we will be glad to help you.

Thanks again for your patience and support,

Michael Cowan
CRC Senior Management

Kudos for admitting fault, I say.

Rob

Good. I've just asked around family. Both my dad and his mate purchased stuff last month and both found someone charged the £30 of O2 Top ups to the both of them when non of them are on O2 and chain reaction are the only place they've made online purchases in the last few month

Well -

I've bought stuff from CRC recently,

AND I've also had my bank phone up to tell me that they've detected and stopped a dodgy transaction on my card. (Great service - they catch the transaction, then send you a new card right away).

But - the dodgy transaction was someone trying to buy a BED - yes really - for £300 from "Dreams PLC".

There's a Dreams bed showroom in Oxford - I've never been there, but i bet that's where they tried it on with my card details. So I doubt CRC's to blame.

Only thing that's odd is - i never use my credit card for purchases, except for online - so how did they get my details?

That's exactly why CRC need to be as up front as poss about what is going on – although maybe their hands are tied to some extent. From some of the comments on this and other forum threads suggest and from conversations Mark, who wrote the news story, has had with IT security types, it could well be that the focus of investigation is a security breach outside of CRC maybe at the credit card processing company which I suppose would make it more difficult for CRC to comment especially if there is a chance that it's all going to go legal which, you would assume, it will if they track down the source of the breach.

Two guys in my office have been done also. One got taken for the O2 vouchers like Demoff, the other unwittingly bought a fridge and two ipads! Fortunately I've been too skint to use CRC recently.

I won't condemn CRC until they figure out which part of the security chain got breached, but ultimately it may make me (and others no doubt) a little more reluctant to click 'buy' in the future.

My development 2 X £15 O2 Prepay Vouchers charged to my Debit Card yesterday confirmed this morning. Bank were fantastic money should be back today new card in a couple of days.

Due to being skint the 'only shopping' I have done online was an order with Chain Reaction at the end of February. Other than that my card was skimmed in front of my very eyes at the Supermarket.

Now we've got some facts, so now we've got a story

http://road.cc/content/news/33383-chain-reaction-cycles-acknowledges-cre...

We'll keep you posted on any developments

If you get malware on your PC at home that scans keystrokes for likely credit card transactions, and you're a keen cyclist, the chances are pretty good that the CC transaction will be at CRC, or Wiggle, or another big internet store.

Seems odd that there's not an equal number of complaints about Wiggle or Evans then really.

If it was news we'd publish a story, at the moment what we have here falls in to the category of gossip and supposition

Quick question though. At what point does all the gossip and supposition require some sort of comment by the cycling press? There's been surprisingly little coverage of the whole thing and although I appreciate that there's no concrete evidence, CRC are keeping resolutely quiet and for non-forum dwellers, there's no reason to even remotely suggest that people might want to consider, say, using PayPal for CRC purchases instead of credit cards for security purposes.

http://www.singletrackworld.com/forum/topic/crc-security-issues

Hello,

I live about a 15 minute drive from CRC and have always had the luxury of going to their showroom, drooling over their kit, before making any purchases. A couple of weeks ago, I did however buy something online. The voucher I had, had expired (my problem), but I paid for the goods in full.

Just today I got a letter from my building society telling me that there was an attempt to fraudulently use my card. The transaction in question was for a £30 O2 pay and go top up. A trend is emerging here.

I can understand if people use crap passwords, have no security controls on their PCs and tout all their personal info on Facebook/Twitter etc, then something is bound to happen. None of that applies to me in this case. The sadly ironic thing is that I work as an information security specialist in the financial services sector. I work a lot with all things credit card related - i.e. the Payment Card Industry Data Security Standards. At home, all I will say is that I run a fairly sophisticated setup security wise. Probably overkill in fact for a home set up.

My passwords are always complex in terms of length, use of alphanumeric characters and non-alphnumeric characters etc. All in all, I must have about 50+ passwords that I store in an encrypted password database (PasswordSafe - KeePass is equally as good). And I NEVER use the same password on multiple online accounts, much to the annoyment of my family. Security is about people, process and technology and I like to think that I practice what I preach. So without sounding arrogant, and impervious to criticism, I know what I am doing.

Whilst I have no idea about the Chainreaction IT infrastructure or that of its payment card services provider, it looks to me at this stage that there is some sort of 'man in the middle' attack going on. Frustrating, given that the connection between my computer and the Chainreaction site is encrypted. To me, this could possibly be a problem between the Chain Reaction website and also their credit card payment gateway. I just hope Chainreaction do not keep a trace of any credit card numbers on their own web servers.

All in all, this is definitely more than just a coincidence and/or a result of of poor security practices on the part of the customer. CRC, up to now is a brand that I have trusted. I have only good things to say about the customer service and I would be extremely reluctant to have to take my business elsewhere.

When I spoke to my building society, they told me that fraudulent transactions associated with O2 have been happening more recently. I then told their fraud team about this discussion thread for their review.

I will be talking to CRC tomorrow to take this issue further ..... I really do hope the problem can be quickly identified and fixed so that I can resume my custom with them. Meanwhile, my wife is going to have to give me some pocket money until the new card arrives!

Cheers,

Mooman

Quote:

I feel that there is something personal and slightly nasty about the above

i don't really think that's what he meant, Erneside, I think he was just saying he doesn't have any particular axe to grind.

The anecdotal evidence from the STW forum looks like a pattern, but the only pattern is that cyclists went to CRC and after that their cards were used fraudulently. That doesn't mean that CRC is to blame: their whole business model – and that of any online retailer – stands or falls on their reputation, and they go to great lengths to make sure their operations are secure.

Personal computers are much more likely to be compromised than the servers of big operations like CRC or Wiggle. If you get malware on your PC at home that scans keystrokes for likely credit card transactions, and you're a keen cyclist, the chances are pretty good that the CC transaction will be at CRC, or Wiggle, or another big internet store.

Sorry to dismiss paypal but my paypal account was hacked and taken for over $10,000. Paypal spotted the fact i started buying $1600 of online game credits every 30 secs and stopped payments. Had to go through 2 month investigation to prove I hadn't done this. Turns out forum I used stored my account details, I forgot to change password. Paypal is actually very easy to crack. I have since signed up to Paypal's additional security which is a two factor security card. Also if you use Visa sign up for 3d payment protection.

I've used CRC for several years and not had any problems. Always had very good service from them too.

I'd recommend using the Paypal option if you're worried about DD payments.

If it was news we'd publish a story, at the moment what we have here falls in to the category of gossip and supposition - the only actual facts are that some people have had unauthorised transactions on their credit cards and that there are a number of possible explanations one of which might, or might not, involve CRC.

If that changes you'll read about it on our news pages – whether CRC is an advertiser won't be a consideration because our reputation is worth more to us than a bit of ad revenue. Not that I think CRC would make any such connection – their reputation is obviously worth a great deal to them, as is Squadra's to him- so maybe we should all calm down on that score too. He was entitled to start the thread.

They should check their CCTV for any dodgy characters hanging around their offices...

(I'm not so worried about Sean. The person behind the camera on the other hand...)

If there is a problem with CRC, then it will show up as a pattern in the credit card companys' fraud monitoring systems. Personally I think it is unlikely that their (large, mature, and professionally run) website is insecure. What is more likely is that, as the world's largest online bike store, a number of people using them will also happen to be victims of credit card fraud. Human beings are wired to spot patterns. If you use CRC one day, then you have fraudulent transactions the next, it doesn't feel like a coincidence, particularly when you can go online on SingleTrack and find other people with the same experience. How many members does the SingleTrack forum have? What proportion of them use CRC? I read that 7% of card users in the UK suffered fraud in 2010.

If you are worried, you can always pay by PayPal on CRC (that way they never see your credit card details).

Malware on Windows PCs designed to capture credit card details entered on the keyboard is a real threat.

Correlation does not imply causation etc, but I happen to have made an order to CRC recently & then had a fraudulent transaction added to my, now cancelled, card. Then again I also used the card in my LBS as well as other online stores in the same timeframe.

There is no proof on the quoted thread that it was CRC where the details were taken. It could just as easily been my LBS or a number of other places. However it does serve as a reminder to check your statements, and thank the banks for their ability to spot fraudulent transactions. I mean why would I want to spend 2 grand at John Lewis Online?