Chain Reaction Cycles : credit card fraud

My very first post and it’s
:& My very first post and it’s not nice!

CRC still seem to have the problem. I had a quid taken out of my account as a charitable donation, then as above a £30 O2 voucher and then some scumbag paid Lambeth Council £1200 + £800 with my money!

Bank identified Chain Reaction Cycles as the culprits within minutes.

Last fraudulent transaction was 7th April so still going on I’m afraid.

Contacted CRC a few days ago – no reply yet. Keep you posted.

Paul

I had my credit card
I had my credit card cancelled due to fraudulent activity folowing several purchases from CRC … and despite emailing CRC, received no response and didn’t get any goodwill voucher. 🙁

I wonder how they decided on who to hand out vouchers to? In my case the fraudulent transaction was for a very expensive airline ticket, rather than O2 top ups, but the fraudsters no doubt tried different tactics and when attempts at larger transactions failed, they would then switch to less noticeable smaller transactions. I really doubt the fraud involved only O2 top ups and nothing else. :/

I am not impressed by CRC’s lack of response when I registered for updates when this issue was first reported on cycling websites. They completely ignored my emails. I only found out the security breach had been plugged by reading news updates on websites like this. Normally CRC’s service is pretty good … not impressed. 😕

I had a similar issue – my
I had a similar issue – my card was used to buy £20 O2 top up after buying from CRC. As it was a new card hasn’t used it anywhere other than CRC / amazon. Just received the above e-mail and a goodwill voucher. Was a bit wary of buying from them again, but will definitely do so now – a really great response to something which probably wasn’t entirely their fault.

Good. I’ve just asked around
Good. I’ve just asked around family. Both my dad and his mate purchased stuff last month and both found someone charged the £30 of O2 Top ups to the both of them when non of them are on O2 and chain reaction are the only place they’ve made online purchases in the last few month

That’s exactly why CRC need
That’s exactly why CRC need to be as up front as poss about what is going on – although maybe their hands are tied to some extent. From some of the comments on this and other forum threads suggest and from conversations Mark, who wrote the news story, has had with IT security types, it could well be that the focus of investigation is a security breach outside of CRC maybe at the credit card processing company which I suppose would make it more difficult for CRC to comment especially if there is a chance that it’s all going to go legal which, you would assume, it will if they track down the source of the breach.

My development 2 X £15 O2
My development 2 X £15 O2 Prepay Vouchers charged to my Debit Card yesterday confirmed this morning. Bank were fantastic money should be back today new card in a couple of days.

Due to being skint the ‘only shopping’ I have done online was an order with Chain Reaction at the end of February. Other than that my card was skimmed in front of my very eyes at the Supermarket.

If you get malware on your PC

If you get malware on your PC at home that scans keystrokes for likely credit card transactions, and you’re a keen cyclist, the chances are pretty good that the CC transaction will be at CRC, or Wiggle, or another big internet store.

Seems odd that there’s not an equal number of complaints about Wiggle or Evans then really.

If it was news we’d publish a story, at the moment what we have here falls in to the category of gossip and supposition

Quick question though. At what point does all the gossip and supposition require some sort of comment by the cycling press? There’s been surprisingly little coverage of the whole thing and although I appreciate that there’s no concrete evidence, CRC are keeping resolutely quiet and for non-forum dwellers, there’s no reason to even remotely suggest that people might want to consider, say, using PayPal for CRC purchases instead of credit cards for security purposes.

Hello,
I live about a 15
Hello,

I live about a 15 minute drive from CRC and have always had the luxury of going to their showroom, drooling over their kit, before making any purchases. A couple of weeks ago, I did however buy something online. The voucher I had, had expired (my problem), but I paid for the goods in full.

Just today I got a letter from my building society telling me that there was an attempt to fraudulently use my card. The transaction in question was for a £30 O2 pay and go top up. A trend is emerging here.

I can understand if people use crap passwords, have no security controls on their PCs and tout all their personal info on Facebook/Twitter etc, then something is bound to happen. None of that applies to me in this case. The sadly ironic thing is that I work as an information security specialist in the financial services sector. I work a lot with all things credit card related – i.e. the Payment Card Industry Data Security Standards. At home, all I will say is that I run a fairly sophisticated setup security wise. Probably overkill in fact for a home set up.

My passwords are always complex in terms of length, use of alphanumeric characters and non-alphnumeric characters etc. All in all, I must have about 50+ passwords that I store in an encrypted password database (PasswordSafe – KeePass is equally as good). And I NEVER use the same password on multiple online accounts, much to the annoyment of my family. Security is about people, process and technology and I like to think that I practice what I preach. So without sounding arrogant, and impervious to criticism, I know what I am doing.

Whilst I have no idea about the Chainreaction IT infrastructure or that of its payment card services provider, it looks to me at this stage that there is some sort of ‘man in the middle’ attack going on. Frustrating, given that the connection between my computer and the Chainreaction site is encrypted. To me, this could possibly be a problem between the Chain Reaction website and also their credit card payment gateway. I just hope Chainreaction do not keep a trace of any credit card numbers on their own web servers.

All in all, this is definitely more than just a coincidence and/or a result of of poor security practices on the part of the customer. CRC, up to now is a brand that I have trusted. I have only good things to say about the customer service and I would be extremely reluctant to have to take my business elsewhere.

When I spoke to my building society, they told me that fraudulent transactions associated with O2 have been happening more recently. I then told their fraud team about this discussion thread for their review.

I will be talking to CRC tomorrow to take this issue further ….. I really do hope the problem can be quickly identified and fixed so that I can resume my custom with them. Meanwhile, my wife is going to have to give me some pocket money until the new card arrives!

Cheers,

Mooman