
This story is appearing on other cycling media. CRC apparently has encountered fraudulent activity on its customers purchasing via its website. http://www.singletrackworld.com/forum/topic/crc-security-issues/page/1

35 comments

Tony Farrelly [2868 posts] 5 years ago
0 likes

Well, probably more accurate to say that some people who use CRC are saying that they've suffered credit card fraud.

I haven't seen any reports that say that CRC has encountered fraudulent activity against its customers (and I have asked them), plus I can't find any "media reports"; I can find people talking about it on various cycling forums - which isn't quite the same thing. I'd have to say that there are also plenty of people saying they haven't had a problem and pointing out that, given most people's level of card use, it could quite easily be a coincidence.

Over the years I've been involved with a number of cycling forums and this has come up regularly - I can't recall an incident on which it subsequently turned out that an online cycle retailer was the root cause. I stand to be corrected, but as someone says on the Singletrack - you're much more likely to have your card skimmed at a petrol station.

the_mikey [159 posts] 5 years ago
0 likes

Thinking about all the possible ways card details can be captured, it's not beyond possibility that some people may have malware designed to pick up exactly the kind of information that one might enter at the point of purchase in an online store, no matter how secure the connection to the store is; if the customer's PC is compromised then that security is bypassed.

I had a card skimmed once in a petrol station in Nice, but the bank stopped some suspicious transactions (starting off as iTunes purchases and then attempts at large value purchases from Lebanon and Egypt).

Tony Farrelly [2868 posts] 5 years ago
0 likes

@SQUADRA I did read the whole thread before posting my comment. I don't see anyone on there from CRC saying they have encountered fraudulent activity (maybe I missed that?) - I do see people on there who've suffered credit card fraud and who are suggesting a possible connection between that and the fact that they used their card to buy stuff from CRC… don't see any actual proof though.

0liver [90 posts] 5 years ago
0 likes

Correlation does not imply causation etc., but I happen to have made an order to CRC recently & then had a fraudulent transaction added to my, now cancelled, card. Then again, I also used the card in my LBS as well as other online stores in the same timeframe.

There is no proof on the quoted thread that it was CRC where the details were taken. It could just as easily have been my LBS or a number of other places. However, it does serve as a reminder to check your statements, and thank the banks for their ability to spot fraudulent transactions. I mean, why would I want to spend 2 grand at John Lewis Online?

cat1commuter [1421 posts] 5 years ago
0 likes

If there is a problem with CRC, then it will show up as a pattern in the credit card companies' fraud monitoring systems. Personally I think it is unlikely that their (large, mature, and professionally run) website is insecure. What is more likely is that, as the world's largest online bike store, a number of people using them will also happen to be victims of credit card fraud. Human beings are wired to spot patterns. If you use CRC one day, then you have fraudulent transactions the next, it doesn't feel like a coincidence, particularly when you can go online on SingleTrack and find other people with the same experience. How many members does the SingleTrack forum have? What proportion of them use CRC? I read that 7% of card users in the UK suffered fraud in 2010.

If you are worried, you can always pay by PayPal on CRC (that way they never see your credit card details).

Malware on Windows PCs designed to capture credit card details entered on the keyboard is a real threat.

handlebarcam [653 posts] 5 years ago
0 likes

They should check their CCTV for any dodgy characters hanging around their offices...

(I'm not so worried about Sean. The person behind the camera on the other hand...)

SQUADRA [5 posts] 5 years ago
0 likes

It makes no difference to me whether CRC's website or business practices are correct, flawed or compromised.
I don't have any reason or inclination to buy from their website.

I felt the story was newsworthy on road.cc; after all, it's a cycling news website, so I figured it's of relevance to its viewers.
Statistics can be stated to balance any degree of risk, or not, either way.
Similar to advertising budgets...

cat1commuter [1421 posts] 5 years ago
0 likes
SQUADRA wrote:

It makes no difference to me whether CRC's website or business practices are correct, flawed or compromised.
I don't have any reason or inclination to buy from their website.

After visiting your website, I certainly don't have any inclination to buy from it. It appears to be filled with empty pages and broken links.

SQUADRA [5 posts] 5 years ago
0 likes

The news item here is CRC.

It was posted as a story which road.cc can report or not.

Tony Farrelly [2868 posts] 5 years ago
0 likes

If it was news we'd publish a story; at the moment what we have here falls into the category of gossip and supposition - the only actual facts are that some people have had unauthorised transactions on their credit cards and that there are a number of possible explanations, one of which might, or might not, involve CRC.

If that changes you'll read about it on our news pages – whether CRC is an advertiser won't be a consideration because our reputation is worth more to us than a bit of ad revenue. Not that I think CRC would make any such connection – their reputation is obviously worth a great deal to them, as is Squadra's to him - so maybe we should all calm down on that score too. He was entitled to start the thread.

SQUADRA [5 posts] 5 years ago
0 likes

It was a long thread on the forum.

SQUADRA [5 posts] 5 years ago
0 likes

An unfortunate coincidence then.

cat1commuter [1421 posts] 5 years ago
0 likes
tony_farrelly wrote:

Not that I think CRC would make any such connection – their reputation is obviously worth a great deal to them, as is Squadra's to him - so maybe we should all calm down on that score too. He was entitled to start the thread.

Sorry. I was too aggressive. I loved the picture of pavé on the front of Squadra's website, and was disappointed when the rest of it appeared broken.

michophull [135 posts] 5 years ago
0 likes

I've used CRC for several years and not had any problems. Always had very good service from them too.

I'd recommend using the PayPal option if you're worried about DD payments.

madguern [25 posts] 5 years ago
0 likes

Sorry to dismiss PayPal, but my PayPal account was hacked and taken for over $10,000. PayPal spotted the fact I started buying $1600 of online game credits every 30 secs and stopped payments. Had to go through a two-month investigation to prove I hadn't done this. Turns out the forum I used stored my account details; I forgot to change the password. PayPal is actually very easy to crack. I have since signed up to PayPal's additional security, which is a two-factor security card. Also, if you use Visa, sign up for 3D payment protection.

cat1commuter [1421 posts] 5 years ago
0 likes
madguern wrote:

Turns out the forum I used stored my account details; I forgot to change the password. PayPal is actually very easy to crack.

Sorry, are you saying that you used the same password on an internet forum that you used for PayPal? That isn't actually an attack on PayPal.

Erneside [2 posts] 5 years ago
0 likes
SQUADRA wrote:

It makes no difference to me whether CRC's website or business practices are correct, flawed or compromised.
I don't have any reason or inclination to buy from their website.

I feel that there is something personal and slightly nasty about the above. CRC are probably the best bicycle related company I have dealt with.

dave atkinson [6223 posts] 5 years ago
0 likes
Quote:

I feel that there is something personal and slightly nasty about the above

I don't really think that's what he meant, Erneside; I think he was just saying he doesn't have any particular axe to grind.

The anecdotal evidence from the STW forum looks like a pattern, but the only pattern is that cyclists went to CRC and after that their cards were used fraudulently. That doesn't mean that CRC is to blame: their whole business model – and that of any online retailer – stands or falls on their reputation, and they go to great lengths to make sure their operations are secure.

Personal computers are much more likely to be compromised than the servers of big operations like CRC or Wiggle. If you get malware on your PC at home that scans keystrokes for likely credit card transactions, and you're a keen cyclist, the chances are pretty good that the CC transaction will be at CRC, or Wiggle, or another big internet store.

madguern [25 posts] 5 years ago
0 likes
cat1commuter wrote:
madguern wrote:

Turns out the forum I used stored my account details; I forgot to change the password. PayPal is actually very easy to crack.

Sorry, are you saying that you used the same password on an internet forum that you used for PayPal? That isn't actually an attack on PayPal.

Probably misleading: PayPal is not easy to crack, but easy to socially hack by getting user details from websites that offer little to no security. Whilst the password was not hacked, they used my email address to generate a new password, as they had hacked my mail account. I have since changed my mail account to forward all mail to a different account and not to be delivered to the mailbox.

I cannot say directly that the account was hacked in this manner, but it was one of the reasons given to me by PayPal. I only used PayPal for payments to cycle firms, however. Once a user gets into PayPal, however, it is very simple to clean out an account if not using two-factor authentication. If your e-mail account is hacked it is also easy to get information as well. How many people use public wi-fi hotspots!

The fact is 90% of people on the web use the same account across the board. Do you use a different password for every site and service?

End of story, be careful.

cat1commuter [1421 posts] 5 years ago
0 likes
madguern wrote:

The fact is 90% of people on the web use the same account across the board. Do you use a different password for every site and service?

Yes, I do. I use a long, randomly generated password for each site. Passwords 12 characters or shorter can be vulnerable if the encrypted form of the password (which is what is typically stored on web servers) is obtained. I use a password manager (Keychain on my Mac) to remember the random passwords. There are password managers available for Windows too, such as KeePass, which includes a function which generates random passwords.
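cat1commuter's answer above (one long, randomly generated password per site, kept in a password manager) and madguern's question about reusing one password everywhere can be made concrete. The following is an added example written for this thread; it is not code from the thread, from KeePass or from Apple's Keychain. It uses Python's `secrets` module to draw passwords uniformly from the 94 printable ASCII symbols, computes the entropy of a password of a given length, and converts that into a worst-case exhaustive-search time for an assumed offline guess rate. The guess rate of 1e10 per second is an illustrative assumption for the example, not a figure from the thread.

```python
import math
import secrets
import string

# Symbol set a KeePass-style generator typically offers: upper, lower, digits,
# punctuation. That is 52 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw `length` symbols uniformly from `alphabet` using the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`; the latter is a
    predictable Mersenne Twister and must not be used for credentials.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from
    `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given entropy at a constant
    guess rate. This is the offline case (attacker has a copy of the stored
    hash); online login attempts are rate-limited by the service and are not
    modelled here."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def is_drawn_from(password: str, alphabet: str = ALPHABET) -> bool:
    """Sanity check that every character of `password` is in `alphabet`."""
    return all(c in alphabet for c in password)


if __name__ == "__main__":
    # Assumed guess rate for illustration only; not a number from the thread.
    ASSUMED_GUESSES_PER_SECOND = 1e10
    for length in (8, 12, 16, 20):
        bits = entropy_bits(length, len(ALPHABET))
        years = years_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{length:2d} chars: {bits:6.1f} bits, exhaustive search ~{years:.3g} years")
    # One fresh, unique password per site, which is what a password manager
    # stores so that a breach of one site does not expose the others.
    for site in ("forum.example", "shop.example"):  # constructed site names
        print(site, generate_password(20))
```

The table the script prints is the point: going from 8 to 12 characters adds about 26 bits, and each further symbol adds roughly 6.5 bits, so a manager-generated 20-character password is far beyond exhaustive search regardless of how the server hashed it. Uniqueness per site is what contains the damage when a forum with weak security leaks its password database.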

Mooman16 [25 posts] 5 years ago
0 likes

Hello,

I live about a 15 minute drive from CRC and have always had the luxury of going to their showroom, drooling over their kit, before making any purchases. A couple of weeks ago, I did however buy something online. The voucher I had had expired (my problem), but I paid for the goods in full.

Just today I got a letter from my building society telling me that there was an attempt to fraudulently use my card. The transaction in question was for a £30 O2 pay and go top up. A trend is emerging here.

I can understand if people use crap passwords, have no security controls on their PCs and tout all their personal info on Facebook/Twitter etc., then something is bound to happen. None of that applies to me in this case. The sadly ironic thing is that I work as an information security specialist in the financial services sector. I work a lot with all things credit card related - i.e. the Payment Card Industry Data Security Standards. At home, all I will say is that I run a fairly sophisticated setup security-wise. Probably overkill, in fact, for a home setup.

My passwords are always complex in terms of length, use of alphanumeric characters and non-alphanumeric characters etc. All in all, I must have about 50+ passwords that I store in an encrypted password database (PasswordSafe - KeePass is equally as good). And I NEVER use the same password on multiple online accounts, much to the annoyance of my family. Security is about people, process and technology and I like to think that I practice what I preach. So without sounding arrogant, and impervious to criticism, I know what I am doing.

Whilst I have no idea about the Chainreaction IT infrastructure or that of its payment card services provider, it looks to me at this stage that there is some sort of 'man in the middle' attack going on. Frustrating, given that the connection between my computer and the Chainreaction site is encrypted. To me, this could possibly be a problem between the Chain Reaction website and also their credit card payment gateway. I just hope Chainreaction do not keep a trace of any credit card numbers on their own web servers.

All in all, this is definitely more than just a coincidence and/or a result of poor security practices on the part of the customer. CRC, up to now, is a brand that I have trusted. I have only good things to say about the customer service and I would be extremely reluctant to have to take my business elsewhere.

When I spoke to my building society, they told me that fraudulent transactions associated with O2 have been happening more recently. I then told their fraud team about this discussion thread for their review.

I will be talking to CRC tomorrow to take this issue further... I really do hope the problem can be quickly identified and fixed so that I can resume my custom with them. Meanwhile, my wife is going to have to give me some pocket money until the new card arrives!

Cheers,

Mooman

peteimpreza [8 posts] 5 years ago
0 likes
atlaz [184 posts] 5 years ago
0 likes

dave atkinson wrote:

If you get malware on your PC at home that scans keystrokes for likely credit card transactions, and you're a keen cyclist, the chances are pretty good that the CC transaction will be at CRC, or Wiggle, or another big internet store.

Seems odd that there's not an equal number of complaints about Wiggle or Evans then, really.

tony_farrelly wrote:

If it was news we'd publish a story; at the moment what we have here falls into the category of gossip and supposition

Quick question though. At what point does all the gossip and supposition require some sort of comment by the cycling press? There's been surprisingly little coverage of the whole thing and, although I appreciate that there's no concrete evidence, CRC are keeping resolutely quiet and, for non-forum dwellers, there's no reason to even remotely suggest that people might want to consider, say, using PayPal for CRC purchases instead of credit cards for security purposes.

Tony Farrelly [2868 posts] 5 years ago
0 likes

Now we've got some facts, so now we've got a story:

http://road.cc/content/news/33383-chain-reaction-cycles-acknowledges-cre...

We'll keep you posted on any developments.

demoff [327 posts] 5 years ago
0 likes

My development: 2 x £15 O2 Prepay vouchers charged to my debit card yesterday, confirmed this morning. Bank were fantastic; money should be back today, new card in a couple of days.

Due to being skint, the 'only shopping' I have done online was an order with Chain Reaction at the end of February. Other than that, my card was skimmed in front of my very eyes at the supermarket.

nellybuck@msn.com [168 posts] 5 years ago
0 likes

Two guys in my office have been done also. One got taken for the O2 vouchers like Demoff, the other unwittingly bought a fridge and two iPads! Fortunately I've been too skint to use CRC recently.

I won't condemn CRC until they figure out which part of the security chain got breached, but ultimately it may make me (and others no doubt) a little more reluctant to click 'buy' in the future.

Tony Farrelly [2868 posts] 5 years ago
0 likes

That's exactly why CRC need to be as up front as poss about what is going on – although maybe their hands are tied to some extent. Some of the comments on this and other forum threads, and conversations Mark, who wrote the news story, has had with IT security types, suggest it could well be that the focus of investigation is a security breach outside of CRC, maybe at the credit card processing company, which I suppose would make it more difficult for CRC to comment, especially if there is a chance that it's all going to go legal which, you would assume, it will if they track down the source of the breach.

PJ McNally [591 posts] 5 years ago
0 likes

Well -

I've bought stuff from CRC recently,

AND I've also had my bank phone up to tell me that they've detected and stopped a dodgy transaction on my card. (Great service - they catch the transaction, then send you a new card right away).

But - the dodgy transaction was someone trying to buy a BED - yes really - for £300 from "Dreams PLC".

There's a Dreams bed showroom in Oxford - I've never been there, but I bet that's where they tried it on with my card details. So I doubt CRC's to blame.

Only thing that's odd is - I never use my credit card for purchases, except for online - so how did they get my details?

David cycling t... [64 posts] 5 years ago
0 likes

Good. I've just asked around family. Both my dad and his mate purchased stuff last month and both found someone had charged £30 of O2 top ups to the both of them, when none of them are on O2 and Chain Reaction are the only place they've made online purchases in the last few months.

robert.brady [155 posts] 5 years ago
0 likes

Just thought I'd bump this thread as CRC have admitted they had a problem and have now put it right. To quote their response on another forum:

Hi Folks,

Since our last communication, we have continued to carry out a full forensic investigation following recent reports and concerns from our customers experiencing credit card fraud after placing an order with CRC.

The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.

Recent customers of CRC may find that, as a precaution, their credit card company will issue a new card. Be assured that if this does occur it does not indicate that your details have been compromised.

The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.

We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.

Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.

If you have further enquiries about this issue please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries [at] chainreactioncycles.com and we will be glad to help you.

Thanks again for your patience and support,

Michael Cowan
CRC Senior Management

Kudos for admitting fault, I say.

Rob
