CRC Card Fraud Problems

Hail 2 Da Thief

It seems bizarre that CRC haven't at least sent an email to all customers notifying them of this issue! At least then people could keep an eye on their accounts.

smacl

blorg wrote: »

Yes, it is all just a huge coincidence, clearly that is the most rational explanation.

Maybe so, maybe not, correlation does not equate to causation. The voucher thing would raise suspicions with me. Say someone puts up a web site that looks like exactly like CRC but harvests credit card details, and then sends out vouchers by email that point to this web site rather than CRC. To the victim it looks like a security breach in CRC credit card handling, but this isn't the case. This is how most bank scams work; based on a mock-up site and email. The security leak in this case could be limited to getting a bunch of email addresses of people who by stuff from CRC.

For anyone who still has one of these £10 vouchers in their email, it would be worth having a look at the HTML source and specifically any HREFs, to see what sites they are pointing at. Note that fraudulent addresses usually look very similar to the correct address with either a minor spelling change or extra bit at the end.

And for a bit of related fun; http://xkcd.com/792/

oconnpad

I did mail CRC on it to let them know i've been hit with fraud and if there system was hacked then my details might have been got.
I'd a call from a CRC guy yesterday and he told me he'll keep me up to date with their own investigations into the matter.
My opinion is i think it's too much of a coincidence but that's me and until confirmation either way it is speculation.

The fraud team in MBNA rang me yesterday as well and said the 4 purchases were made within 2 hours of each other on saturday, they didn't keep spending on it so maybe they are clever enough to test for limits etc with their spending.

The main thing is your not out of pocket by these acts which is a good thing for customers but not for CC companies, but then that means it's a pain to have to redo everything.
My MBNA account had to be deleted, i've a new card on the way, plus update paypal and internet banking with new credit card details so i can pay but if you were liable for the amount as well that would be sickening.

blorg

smacl wrote: »

Maybe so, maybe not, correlation does not equate to causation.

No, correlation does not prove causation, but in the absence of another, more likely explanation, it does in this case suggest- on the balance of probability- that there is some problem related to CRC, or CRC's relationship with their card processor.

The voucher thing would raise suspicions with me.

There has been no indication that the voucher was a fraud- if it was people would not have received their deliveries from CRC (which they did) and CRC might have mentioned something about it being a fraud.

doozerie

blorg wrote:

I am skeptical that all recent CRC customers just happened to simultaneously get a CC-stealing virus, or were storing their CC number in their browser and all just happened to have their PCs individually hacked. None of this matters if the card details are hacked on CRC's back end.

So you are saying that "all recent CRC customers" had their credit card numbers exposed? On what evidence are you basing this? Sure there have been a few CRC customers posting on here and on other forums saying their cards have been compromised, but do you really believe that they account for all of CRC's recent customers?

Shout "CRC are the problem" loud enough though and people will believe it, clearly. Personally, I'll wait until some solid evidence comes to light before I'll assume that CRC is the site to be concerned about amongst the several that I myself have shopped on recently. Well actually, I'll never assume that any one site is a concern, I'll remain cautious when using any website, CRC's site included.

smacl

blorg wrote: »

There has been no indication that the voucher was a fraud

And it might well not be. Just another possible cause to eliminate. It is much easier to pretend to hack a site using a mock up than actually hacking a site, and hence the prevalence of this type of attack.

if it was people would not have received their deliveries from CRC (which they did) and CRC might have mentioned something about it being a fraud.

Mock ups, trojans and key loggers will often work as a thin front end to a site or application, passing though user input and returning site output. The site still works as normal and transactions get processed, the only difference being that a 3rd party gets all the details. CRC acknowledges that some of their customers have been victims of fraud, but they also state that they have yet to find a security breach in their own web site. (What else would they say).

All of the above is pure speculation of course. Just pointing out that what appear to be obvious conclusions in web security matters often don't pan out. I'm guessing most people here would immediately delete an email asking them to confirm bank details or acknowledge a lottery win, but how many will open an unsolicited CRC or Wiggle voucher?

blorg

I do not think it is necessary for "all recent CRC customers" to experience fraud to point to a problem with CRC. To my mind, a substantial number reporting the problem, with no other reported commonality, is enough to indicate that yes, on the balance of probability, CRC has a problem to do with credit card processing.

Put it this way, if I read this thread (and the many others on UK forums) I would not, right now, be buying anything off CRC with a credit card. I would consider using Paypal, where CRC don't get the card number at any stage.

blorg

@smacl- the voucher was widely publicised. If CRC didn't send it, and there was subsequently a massive credit card fraud relating to CRC, I think they would have mentioned by now that they didn't send it.

Also, while orders could have been processed using the scenario you describe, customers would not have received their £10 off.

Almost anything is a possibility but to survive in this world we have apply some level of cursory assessment of probability and discount the least plausible explanations.

smacl

blorg wrote: »

I would not, right now, be buying anything off CRC with a credit card. I would consider using Paypal, where CRC don't get the card number at any stage.

Absolutely agreed. But then where Paypal is an option, I wouldn't be in a hurry to put my credit card details into any site. It costs the vendor a few bob more, but is much safer for the consumer.

smacl

blorg wrote: »

to survive in this world we have apply some level of cursory assessment of probability and discount the least plausible explanations.

...and to beware of geeks bearing gifts

doozerie

blorg wrote: »

I do not think it is necessary for "all recent CRC customers" to experience fraud to point to a problem with CRC. To my mind, a substantial number reporting the problem, with no other reported commonality, is enough to indicate that yes, on the balance of probability, CRC has a problem to do with credit card processing.

Put it this way, if I read this thread (and the many others on UK forums) I would not, right now, be buying anything off CRC with a credit card. I would consider using Paypal, where CRC don't get the card number at any stage.

As regards no other commonality, this may simply be because that aspect has not been discussed at all. The focus has been entirely on CRC and where people have said "me too" very few of them have mentioned other sites they've shopped in recently (and again, "recently" is an extremely vague term here too as amongst other things no-one knows how long ago all of these credit cards were actually exposed). If I were to start a thread today saying that I'd bought from Wiggle recently and that my credit card details have been used by someone else since, I suspect that this would attract some "me too" posts as well - that would clearly not prove that Wiggle was the source of the leak.

And as regards using PayPal, buying from CRC only via PayPal is a very sensible precaution, but no more so now than at any time in the past. If your card has been compromised though, and you subsequently submit your new card details to some other site that you've shopped in before, where PayPal was an option that you chose not to use, then that's taking an unnecessary risk and the more that people claim that CRC is the cause of the problem in absence of real evidence, the greater the likelihood that people will unthinkingly take that risk and potentially feed their new card details to a potentially compromised site.

As I mentioned in a previous post I don't believe PayPal to be immune to compromise either. Their big advantage to me is that they have procedures in place to deal with issues that arise, which may not be the case for some online retailers. Paying via PayPal invariably costs me a little more, due to poorer exchange rate being applied on foreign currency purchases but that's a price that I am willing to pay usually.

doozerie

Incidentally, I've received two e-mails in the last few days from Play.com stating that some of their customers have recently received spam mails to e-mail addresses that those customers had used exclusively for play.com. They say they've investigated, that they've found no evidence of a compromise, but that "We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop". I wonder if any affected CRC customers shopped at play.com in the last few months? That could be the topic of a whole new thread pointing the finger at play.com, but to my mind it is equally as pointless as pointing the finger at CRC right now.

blorg

@doozerie- which scenario do you see as more probable: (1) this fraud is related to CRC purchases in some way, or (2) this fraud is unrelated to CRC in any way?

doozerie

blorg wrote:

@doozerie- which scenario do you see as more probable: (1) this fraud is related to CRC purchases in some way, or (2) this fraud is unrelated to CRC in any way?

I see them as being equally probable. Which is why I'll continue to be cautious about buying online from any website, including CRC.

ednwireland

play.com been hit now

http://www.bbc.co.uk/news/technology-12819330

sorry doozerie just saw your post

julio_iglayzis

doozerie wrote: »

but to my mind it is equally as pointless as pointing the finger at CRC right now.

I can't understand how you're saying that.
I mentioned a couple of pages back that I have made six transactions on my credit card this year - five of them were with CRC and one was with iTunes - and that my card was hit.
I rang CRC yesterday to give them any information I could, and they are now more-or-less openly admitting that it was a problem with their website.

Canis Lupus

doozerie wrote: »

I see them as being equally probable. Which is why I'll continue to be cautious about buying online from any website, including CRC.

That's an email breach. Be cautious, it's up to you but when card fraud is solely reported by people who have ONLY used CRC then you make me :rolleyes: by suggesting it might not localised to CRC.

doozerie

Canis Lupus wrote:

That's an email breach. Be cautious, it's up to you but when card fraud is solely reported by people who have ONLY used CRC then you make me by suggesting it might not localised to CRC.

Huh? Yes the play.com issue is a (claimed) e-mail breach, as I mentioned in my own post. And they've admitted that it happened. On the other hand, CRC have admitted nothing yet, suggesting that either they were not hacked or that they are lying - there remains no proof to support either suggestion as yet. And if CRC are such blatant liars, then who is to say that play.com are any more honest (i.e maybe play.com did leak credit card details too, despite what they say), or any other online retailer for that matter who might know that their own systems have been compromised and are happy to sit back and let people focus their ire on CRC instead.

And as for your reference to the fraud being reported "by people who have ONLY used CRC": firstly, who are these people who used their credit card only on CRC's website as I've not seen hordes of them in the online stuff I've been reading. Secondly, even if your credit card was used only on CRC's website, that does not rule out the possibility of the compromise happening either in your credit card provider's systems or elsewhere (I honestly don't know what systems VISA themselves maintain and I suspect many people are equally unsure).

This entire thread has grown from someone saying that they shopped at CRC and their credit card has been compromised, to people adamantly declaring that CRC are without doubt the source of the leaked details. On the basis of nothing more than some other people saying that they shopped there too "recently". That's an impressive leap. What next, break out the torches and pitch forks and head up north to hand over a strongly worded letter to the dastardly management of CRC?

blorg

@doozerie- you are twisting things and mischaracterising the arguments.

1. No one said it is CRC "without a doubt." People have said it is the most probable explanation. You seemingly deny this but dont have a more probable explanation. Your 'without doubt' is a standard used in about one place only, ie criminal trials. Most decisions made by humans are on the basis of probability.

2. You posit a false dichotomy: either it is nothing to do with CRC or they are devious liars. There is a third option: CRC have been hacked but they dont yet know how, or the full extent. Having worked on the receiving end of a hack myself, you do not just know exactly what happened instantly the minute the evidence points to a breach. It is more often the case that you only figure this out after a painstaking investigation... and even then you may never figure out exactly how much they got away with.

smacl

With regards to owning up, I seriously doubt CRC, Play.com, or any other business depending on internet orders for their livelihood, would admit fault. Less damaging to keep it a bit hush, sweep it under the carpet asap, and get back to business as normal. The brown stuff will be sticking to them as long as it remains an active topic of discussion, and consumer confidence is hugely important to these businesses.

My sympathies to any boardsies that lost any dosh in this incident. Having been scammed in the past I know how unpleasant this is, probably even more so now in these harsh times.

And in addition to using paypal, I'd advise anybody against buying anything by following a click from any HTML email, even it's if from your granny.

Beasty

smacl wrote: »

even it's if from your granny.

Wouldn't trust anything I received from either of my grannies ...

TheWarrior

Bought Road slicks for my mountain bike on March 11 from CRC, got the letter from bank of ireland yesterday about suspicious transactions. Rang them last night someone had tried to buy something from "ali baba technologies". Need less to say card is cancelled. That was only time I used credit card since about last september when I signed up for dublin marathon.
Hope they sort out the breach cause I was always happy with CRC.

doozerie

@blorg, I don't deny that CRC are the source of the leaked credit card information, I challenge the assertion that they are definitely the source (yes, that has been asserted). I've already given an equally probably explanation, which is that some other retailer/bank/whatever is the source. If you want a "more probable" explanation then don't look to me for one because to my eyes there is not enough evidence as yet to point at any particular source of the leak.

All of this discussion is entirely moot anyway, of course. Those believing CRC to be the source of the leak already have an option, PayPal, that allows them to continue to shop "safely" with CRC despite their belief of CRC being at fault. My point, such as it is, is that as already mentioned more than once PayPal is arguably a "safer" bet on any website where that option is presented so don't delude yourself that continuing to provide your credit card details directly to other online retailers (rather than taking the PayPal checkout option) is a safe bet simply because you are convinced that CRC is the site at issue in this case.

cython

Well, add me to the list of people who seem to have been hit by this Just off the phone to the bank a while ago, and it seems there were a rash of transactions in the last 24-36 hours, none of which were actually mine. Oddest one was for over €1100 when my credit limit (student card) is about 850!

Drapper

me too! AIB spotted a number of transactions in the last 2 days, and one in the last hour!
these people are in Ireland but would not say where!
seems they tried to use FEdex to get the goods!
almost 1k used. mostly clothing in US and UK and mobile phone stuff

C3PO

Just rang the CC company just to be on the safe-side and somebody had a go putting €800 through at 11pm last night! Thankfully my credit card is always "sailing close to the limit" and it was rejected! I think if anyone used a card with CRC over the period in question they might be well advised to just cancel the card and get a new one!

gaffmaster

Was having a gander at my online account balance and noticed a fraudulant transaction. Card is cancelled now. And the fraud department informed.

They'd maxed out my card - not all transactions went through. Terrible stuff. But I'll get it all refunded.

julio_iglayzis

Just got a mail from CRC acknowledging that their website was indeed attacked, which should surprise nobody.
There's a 30 quid voucher included by way of apology.

groovyg

I'm not sure I would trust it considering that alot of people got scammed as a result of the £10 quid off voucher.

oconnpad

julio_iglayzis wrote: »

Just got a mail from CRC acknowledging that their website was indeed attacked, which should surprise nobody.
There's a 30 quid voucher included by way of apology.

Yeah i just got the same, here is the text for anybody interested.

Hi,

Following your recent contact with us and concerns about having experienced credit card fraud, we are pleased to be able to give you further feedback.

The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.

The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.

We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.

We would like to offer you, by way of an apology, a £30 on-line voucher for use when you next come back to shop with us. The activator for your voucher is the email address you have received this email to. Simply input your email address into the e-voucher code box at the checkout to receive the discount.

Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.

Thanks again for your patience and support,

Michael Cowan

CRC Senior Management

julio_iglayzis

groovyg wrote: »

I'm not sure I would trust it considering that alot of people got scammed as a result of the £10 quid off voucher.

I didn't use the voucher and I got scammed anyway, I wouldn't say that it was the point of failure.

cython

julio_iglayzis wrote: »

I didn't use the voucher and I got scammed anyway, I wouldn't say that it was the point of failure.

Not to mention that if you have any doubts (which I have to admit I still do), paying by Paypal is still apt to be (more) secure. I emailed them today following my conversation with the bank yesterday, so I wouldn't mind a similar voucher as a means to make up for it!

AstraMonti

It's probably bad publicity for them, but they should have communicated that to all customers that have purchased in the last 15-20 days with a credit card.

doozerie

AstraMonti wrote:

It's probably bad publicity for them, but they should have communicated that to all customers that have purchased in the last 15-20 days with a credit card.

More specifically, they should actually give some indication of when they believe the "issue" started and ended. Their vague reference to "recent weeks" doesn't help narrow down the period at all so there may be quite a few people left not knowing whether their card details were never harvested or whether their details simply haven't been used by the scammers as yet. That's basically a poor response by CRC.

julio_iglayzis

doozerie wrote: »

More specifically, they should actually give some indication of when they believe the "issue" started and ended. Their vague reference to "recent weeks" doesn't help narrow down the period at all so there may be quite a few people left not knowing whether their card details were never harvested or whether their details simply haven't been used by the scammers as yet. That's basically a poor response by CRC.

+1
Completely agree, it raises more questions than it answers.

AstraMonti

I sent em an email asking for specifics, we ll see what it will come out of it.

macadam

CRC, seem to be a bit of a disaster recently, I purchased a saddle on 10/3/11 and still have not received it 14 days later, wonder will I get a €30 voucher, I doubt it.

smacl

Similar issue here, waiting for new tyres and a chain, notified of being dispatched over a week ago. Last time the delay between dispatch and delivery was two days. I've contacted their customer support and was told the the free delivery service (Royal Mail) did not have an option for tracking and to get back onto them if I have not received my goods within another 15 days.

Diego Murphy

Yeah my boi card got done today. Security phoned and there was a couple of k in transactions for things like clothes. I've emailed Chain reaction bout it.

Captain Havoc

I ordered stuff this week and I've already received it. I contacted my cc company (MBNA) and told them about the CRC thing, which they were not aware of.

oconnpad

My last item i bought from CRC was 24th Feb but my card only got used on 19th March for fraud.
They said cards were stolen in realtime so i can only assume my details have been in their hands since the 24th Feb or earlier.

I don't think it's overreacting to say if you bought from CRC in Feb / Mar this year and gave them your CC details and not paypal it might be worth cancelling your card as precaution. It will be a bit of a pain but should give you piece of mind so your not checking your CC all the time

dub50

purchased end of Feb on CRC and had a fraudulent transaction on my visa card for o2 in the uk for £140 yesterday

Oldlegs

Purchased tyres, shoes etc. from CRC on Wed. Parcel Force tracking system shows that they were received yesterday and loaded onto van for final delivery today (Friday).

Hopefully the delivery problems reported in some posts were one-off issues.

That said, will be keeping close track of my CC.

fergalr

Had a call from the credit card company a few hours ago, about some fraudulent transactions trying to go through today.

It just so happens that over the last few months, my only purchases have been with big entities (apple, amazon, paypal) and with Chain Reaction Cycles.

I'm very careful with my credit card, and the problems almost certainly weren't at my end (I'm pretty computer security conscious, have worked in the area).

In balance of probability, it seems highly likely the card was compromised at Chain Reaction Cycles, or upstream of them.


I am annoyed to discover the widespread reports of fraud, on this and other forums.

While no one can build a payments system that can't be compromised, I was particularly annoyed to see that CRC have been quoted acknowledging this issue, on various online forums, up to a week ago, and yet they have issued no e-mail warning, and no statement on their website.


I've shopped with them for ages, and like the company a lot.
But this sort of incident management is horrifically poor.

You should email your customers in the event of a suspected breach, and certainly a confirmed one.

For example, this stands in stark contrast to the prompt and transparent incident management displayed when boards.ie was hacked, where they took the site down, until they could confirm the problem, and started e-mailing everyone to let them know.

Hail 2 Da Thief

dub50 wrote: »

purchased end of Feb on CRC and had a fraudulent transaction on my visa card for o2 in the uk for £140 yesterday

Yet CRC still haven't informed customers (via email) about the issue. Ridiculous!

Oldlegs wrote: »

Hopefully the delivery problems reported in some posts were one-off issues.

Everytime I've ordered stuff from there it has taken only a couple of days for it to be delivered.

smacl

Hail 2 Da Thief wrote: »

Everytime I've ordered stuff from there it has taken only a couple of days for it to be delivered.

Me too, yet now I'm waiting for two orders, one which was dispatched on the 16th, the other the 22nd. I've followed up on the earlier order, reply below. Coincidence?

tbh, anything up to a couple of weeks is to be expected with parcel mail, so its no biggy. Just that orders from CRC have been so prompt in the past. Could be that they have downgraded the free delivery service as a cost saving measure, although if its untracked and slower I can see it upsetting a fair number of customers.

Please accept our apologies that you have not received your parcel. It has been sent on 16/03/11 Royal Mail International which is normally a fast and reliable service but unfortunately delays can sometimes occur. Please note this service can no longer be tracked online as we no longer receive
shipping references.

At this stage we would ask that you contact your neighbours to see if they have taken delivery of a parcel in your absence. It may also be worthwhile contacting your local sorting office and customs office to see if perhaps the parcel is there awaiting collection.

If none of these results in you receiving your parcel please allow 15 working days from the date of posting and then contact us to let us know that the parcel has still not arrived. At this point we will be able to send a replacement.

Once again please accept our apologies for the delay and any inconvenience caused.

Please note Royal Mail International is not a tracked service

Oldlegs

smacl wrote: »

Just that orders from CRC have been so prompt in the past. Could be that they have downgraded the free delivery service as a cost saving measure, although if its untracked and slower I can see it upsetting a fair number of customers.

Order went in on Wednesday evening.
Arrived Friday afternoon to Wicklow.
Tracked package online - so no worries there either.

All perfect.

{That said, will use Paypal next time }

smacl

Oldlegs wrote: »

{That said, will use Paypal next time }

And I'll cough up the few extra bucks for a tracked service. Shame, as I was really starting to like CRC. Must make more of an effort to get off my fat ass and get back down to the LBS when I need gear. The interweb is just way too easy...

Ricky91t

I ordered a helmet off CRC on about 1am Wednesday Morning, had the helmet 10am on Thursday morning which was impressive! < That was sent by courier.

Then I needed goggles, Ordered them through Paypal this time to be safe, Ordered them on a Sunday to give 5 working days for processing/delivery. They were shipped Monday (1:40 pm) by royal mail but I still haven't got them! Either CRC are lying or RM in the north is crap. I've received parcels from London quicker!

andysheehan2003

hi lads,
first off dont know if this is coming from crc but ive just been stung for 1500 from my debit card:eek:.... just a word of warning that it is still happening ... i havent used crc since 10th jan so cant say for sure if its from there... under investigation by bank at the moment
just wanted to give this a bump to make people beware that its still ongoing so keep an eye on all your accounts paypal credit and debit cards...