CRC Card Fraud Problems

C3PO · 08-03-2011 8:26pm #1

There seems to have been some issues with CRCs security system last week with a number of people having card details stolen. It appears to have been around the time of the €10 voucher so worth checking if you made a purchase!
I did but everything seems to be ok!

http://www.bikeradar.com/forum/viewtopic.php?t=12762610&postdays=0&postorder=asc&start=0

http://www.southerndownhill.com/forum/index.php/topic,244075.0.html

Icyseanfitz · 08-03-2011 11:39pm

im using paypal so hopefully thats grand

Hail 2 Da Thief · 08-03-2011 11:44pm

Icyseanfitz wrote: »

im using paypal so hopefully thats grand

Yeah I used Paypal also. Checked my account & thankfully didn't find any strange transactions.

brayblue24 · 08-03-2011 11:48pm

Likewise appreciate the warning. I have a pump and pedals on order, checked the card and all clear thankfully

doozerie · 09-03-2011 12:25am

There have been threads on the BikeRadar forum before where people alleged that their credit card details had been exposed by shopping on one retailer's website or another (on at least one occasion Wiggle was being blamed). The fact of the matter though is that usually no-one can possibly know for sure how or when their credit card details were compromised. It might well have been via CRC/Wiggle/whoever or it might be entirely coincidence that a bunch of people whose details were compromised also happened to buy from one of those sites "recently" - the likes of CRC and Wiggle presumably do a lot of business and therefore have a lot of customers, similarly the number of victims of credit card fraud (via any website, store, server, etc.) on any particular day are probably very high, the chances of the two groups overlapping seem reasonably high.

So, I wouldn't assume that CRC were the source/cause of the credit card details being exposed simply on the basis that people whose card details were compromised happened to have shopped there recently. Of course, it certainly pays to check your credit card account regularly, and it is always worth considering using Paypal when buying online. The only downside to Paypal that I have experienced is that their currency exchange rate is not great and you invariably pay a little more than you would by paying direct to the retailer, but usually I can live with that for the added peace of mind. That added peace of mind is not a belief that Paypal can't be hacked, incidentally, as I don't believe any service is entirely immune from that, but they have well established procedures for dealing with issues when they arise.

Ricky91t · 11-03-2011 9:48pm

Found this on MBCC.ie, You might want to read the larger thread here:

http://www.bikeradar.com/forum/viewtopic.php?t=12762610&start=60&postdays=0&postorder=asc&highlight=

CRC Team wrote:

Hi everyone,

Apologies for the delay in responding to the concerns you have expressed. We do take your comments very seriously and we understand the worry and frustration caused by credit card fraud. We would emphasise that the number of concerns brought to our attention is a tiny fraction of the number of transactions that we process on a daily basis, but no stone will be left unturned in our investigations.

Our own infrastructure is routinely and independently tested and we are confident that it is robust. We are working with industry experts including the card processing companies to identify possible causes both inside and outside the control of CRC.

We will update you with further information as and when we have it. In the meantime, if you are a customer of CRC and have been recently affected by any of the matters discussed, please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.

The CRC Team

Beasty · 11-03-2011 10:11pm

Threads merged

Beasty

Ricky91t · 11-03-2011 10:15pm

Beasty wrote: »

Threads merged

Beasty

Apologies, I only looked on the first 2 pages(either that or I missed it!).

mc2000 · 13-03-2011 12:26am

I just got contacted by Bank of Ireland, and my cards been hacked as well. I used CRC with that EUR10 voucher.

What the hackers that got my cc number probably did is get the card, and then wait for a bit / few days /week, and then today there was a spate of activity for internet purchases attempts [unbeknown to me].

The first fraudulent internet purchase in that spate has gone thru, just over EUR500, and then there were about 4 internet purchase attempts for 300-400 which got blocked by Bank of Ireland as suspicious activity and must have flagged on their systems, which prompted them to ring me.

Hopefully that first internet purchas even though it went thru will be agreed as fraud, 'cos I'd be fairly miffed if I'd to cough up for it....

So lads and lassies, check your recent card activity.....:mad:

doozerie · 13-03-2011 12:40am

Something to remember is that people fraudulently using your card probably don't know the credit limit on it, so when using your card details they are likely to start with a low- to medium- cost purchase and then follow that up with several more similar or increasingly larger purchases until they hit the credit limit. So any odd transaction on your card, no matter how small (a tiny purchase might be used just to verify that the card details are usable at all), should trigger alarm bells.

Incidentally, I've had a card hacked in the past, with two expensive purchases made right up to the credit limit and a third sizeable purchase blocked because it exceeded my limit. As soon as I saw it (I check my online credit card account frequently) I contacted the bank and they cancelled my old card and issued a new one. I had to fill in and sign a form stating that the fraudulent transactions were not mine and the bank then cancelled the charges on my account too. The fraudulent transactions were online ones so the retailer would have had a delivery address for the goods bought - I asked the bank if they would pursue this with the gardai given that they had at least some lead to follow but I'm not at all convinced that they did. No harm asking your bank whether they will contact the gardai though, maybe something will actually come of it.

mc2000 · 13-03-2011 8:51am

thanks for that - yeah I'll be filling out those fraud forms with BOI and I certainly hope they pass it over the the Gardai - the internet sites were all outsite Ireland though - I certainly hope BOI get rid of that charge off the card.

I was actually watching the card quite a bit since this thread raised this issue, and even as recent as yesterday morning there hadn't been anything dodgy on it that I could obviously hear [using the phone banking 365] so I hope no more dodgy stuff shows up when I see the printed statement.

Peterx · 14-03-2011 11:01am

had to cancel my credit card this morning, fraudulent activity in the UK. My recent purchases indicate either chain reaction or stena line although obviously I can't know for sure.
As others say, check your card frequently or shop local maybe..

Donie75 · 15-03-2011 7:47pm

Has anyone else had any problems with this?
I just got a call from BOI Credit Cards to say my card was hacked and someone tried buying €320 worth of shoes in an online shop in London.
Thankfully they blocked the payment.
I can't be sure if this is related to CRC but i did buy new tyres off them the week this came to light.
My advise would be to check you CC transactions, just in case.

zzzzzzzz · 15-03-2011 8:30pm

I also got a call from card services this morning. Two transactions for gift vouchers put through - totalling about €1k

rebel.ranter · 15-03-2011 8:30pm

I recently used my card on CRC & shortly afterwards the card was hacked. There was a few bets made on Betfair, a couple of hundred euro at a time, other online purchases again a few hundred here & a few hundred there. BOI credit card services spotted it immediately, had the transactions cancelled & CR card changed.
Not saying it is directly linked to CRC but it was close to the timelines of my purchase.

uberwolf · 15-03-2011 9:55pm

I have stuff sitting in my basket that I need...

paypal?

route66 · 15-03-2011 10:22pm

uberwolf wrote: »

I have stuff sitting in my basket that I need...

paypal?

I use paypal for CRC purchases all the time; no problems!

Rein-in · 15-03-2011 10:45pm

I bought stuff on CRC through the £10 voucher offer the week before last and my card got hit for 1300 odd Euro of online purchases today. Some designer stuff, a Dell PC and some gift vouchers.

The card company have just been on and the card is cancelled. :mad:

Beware!

Raam · 16-03-2011 11:58pm

I just got a call from boi. Same deal. Card now blocked.

Lumen · 17-03-2011 8:26am

I bought something from CRC using AIB VISA on 04/03/11 and no fraud yet.

Raam · 17-03-2011 8:28am

They are probably routing through your shed right now.

Lumen wrote: »

I bought something from CRC using AIB VISA on 04/03/11 and no fraud yet.

blorg · 17-03-2011 8:34am

Conversely, I haven't bought anything from CRC with my AIB Visa and no fraud yet.

Lumen · 17-03-2011 8:38am

blorg wrote: »

Conversely, I haven't bought anything from CRC with my AIB Visa and no fraud yet.

Dude, are you being sarcastic? I don't even know any more.

Anyway, point is, does anyone know if this is actually linked with CRC? They do a massive amount of business. Seems like more of a BOI issue from the anecdotes.

Raam · 17-03-2011 8:43am

My own latest usages were crc, aer lingus and dunnes. The dunnes was chip and pin.

Cabaal · 17-03-2011 8:55am

Kind of worried about this now as I used my Laser card on CRC the other day for a few items, normally use Paypal but didn't want the money to come off my credit card.

Canis Lupus · 17-03-2011 9:56am

Was this issue related to a specific day or is it still ongoing?

Junior · 17-03-2011 1:50pm

More details on uk fraud as well

http://www.theregister.co.uk/2011/03/17/cc_fraud_follows_bike_store_purchases/?utm_source=twitterfeed&utm_medium=twitter

julio_iglayzis · 18-03-2011 10:03am

Lumen wrote: »

Anyway, point is, does anyone know if this is actually linked with CRC? They do a massive amount of business. Seems like more of a BOI issue from the anecdotes.

Well, of the 6 transactions I've made on my BOI card this year, 5 of them were with CRC, the other was an iTunes purchase. I last used my card on CRC on the 28th Feb and I haven't used it since. I don't use the cash advance facility at ATMs either.
I checked my online statement this morning and there was a 253 euro transaction from the 16th of March that was not made by me. My bank have helpfully informed me that "it does indeed look like fraud".
I've had to cancel my card and I'll be using paypal from now on.

oconnpad · 20-03-2011 10:19pm

I seem to have been caught here as well.

I've had same MBNA credit card for 15 years without issues and yesterday have had 2 grand in 4 purchases put on it.
I used CRC twice in feb, might or might not be linked but i tend to think it's too much of a coincidence.
http://www.theregister.co.uk/2011/03/17/cc_fraud_follows_bike_store_purchases/?utm_source=twitterfeed&utm_medium=twitter

Dr_Colossus · 20-03-2011 10:46pm

I made a couple of purchases in Feb from CRC but none relating to any €10 bonus offer. I checked my AIB credit card transactions this week and saw one unrecognised amount for €17 for daft.ie which was not made my me. I informed AIB and they thought it was odd as hadn't seen daft.ie used before as a depository for any fraudulent claims. None the less had to block the credit card as a precaution in case larger amounts came later.

oconnpad · 20-03-2011 10:55pm

I didn't use any of the voucher stuff either with them, i just bought a couple of tops straight up.
My fraudulent transactions are still in pending but i rang MBNA straight away who told me were each of them are.
Card is cancelled and fraud team are ringing me back on it. I'm kinda surprised MBNA didn't ring about unusual activity on account as i've had them ring me in the past when i've made genuine big purchases kinda out of character with my account.

I think it's worth keeping an eye on your cards on a daily basis or ask credit card company to watch your account for unusual behaviour.

Some other stuff on it.
http://www.southerndownhill.com/forum/index.php/topic,244075.210.html

macadam · 20-03-2011 11:27pm

There is something wrong at crc, I purchased a saddle last week, it arrived friday but when I opened it, it turned into a pair of socks for some guy in Drumfries scotland.

blorg · 21-03-2011 5:10am

Dr_Colossus wrote: »

unrecognised amount for €17 for daft.ie which was not made my me. I informed AIB and they thought it was odd as hadn't seen daft.ie used before as a depository for any fraudulent claims.

Daft is odd as most of the other fraudulent transactions have occured in the UK. You didn't buy anything from Boards? That would come up as Daft.

Dr_Colossus · 21-03-2011 8:50am

blorg wrote: »

Daft is odd as most of the other fraudulent transactions have occured in the UK. You didn't buy anything from Boards? That would come up as Daft.

No, haven't purchased anything on Boards, only have a handful of transactions in the past couple of months and can account for them all apart from the daft.ie transaction. It's odd alright as I haven't even logged into daft.ie in over 6 months and have never given them my credit card details and no one else has access to my credit card. My initial inquiry with AIB is that they were only able to see it as an online transaction, I therefore presume that they will be able to track the IP address the transaction was made from.

Keep_Her_Lit · 21-03-2011 8:58am

My credit card account has been blocked this morning. An attempted transaction for 0.00 was flagged as suspicious; it may have been someone testing the card before making a real purchase. I've also made recent CRC purchases using my CC. Check your accounts regularly!

mloc123 · 21-03-2011 9:41am

Dr_Colossus wrote: »

No, haven't purchased anything on Boards, only have a handful of transactions in the past couple of months and can account for them all apart from the daft.ie transaction. It's odd alright as I haven't even logged into daft.ie in over 6 months and have never given them my credit card details and no one else has access to my credit card. My initial inquiry with AIB is that they were only able to see it as an online transaction, I therefore presume that they will be able to track the IP address the transaction was made from.

Boardsdeals by any chance?

oconnpad · 21-03-2011 10:04am

blorg wrote: »

most of the other fraudulent transactions have occured in the UK.

I'd both transactions in UK and Ireland, 2 in each country.

Dr_Colossus · 21-03-2011 12:18pm

mloc123 wrote: »

Boardsdeals by any chance?

Oh crap you're right, purchased a boardsdeal recently alright. Better inform the bank, any idea why they show up as daft.ie and not something like boardsdeals.ie or even boards.ie. The daft piece really threw me off.

blorg · 21-03-2011 2:11pm

Boards is owned by Daft.

Lumen · 21-03-2011 2:18pm

blorg wrote: »

Boards is owned by Daft.

Didn't Daft just take a minority stake?

TiTo13 · 22-03-2011 5:39pm

I also got caught out on this, checking my credit card today, apparently they bought train tickets with SNCF, so it isn't limited to UK and Ireland. Wasn't happy that CRC didn't inform their customers about this.

doozerie · 22-03-2011 8:24pm

TiTo13 wrote: »

Wasn't happy that CRC didn't inform their customers about this.

Why would they? It seems to be nothing more than speculation so far that CRC were the ones who exposed/lost the credit card details. I've certainly seen nothing that verifies this theory.

route66 · 22-03-2011 10:50pm

doozerie wrote: »

Why would they? It seems to be nothing more than speculation so far that CRC were the ones who exposed/lost the credit card details. I've certainly seen nothing that verifies this theory.

Good point. I've just heard of multiple cases of fraud at a well known internet retailer. I won't mention their name, but it sounds just like what we are reading about in this thread.

If this is true, then it would sound like a "leak" somewhere else in the payment system and not at the retailer level. :eek:

Peterx · 22-03-2011 11:30pm

doozerie wrote: »

Why would they? It seems to be nothing more than speculation so far that CRC were the ones who exposed/lost the credit card details. I've certainly seen nothing that verifies this theory.

CRC sending emails promising more information once they have it would appear to be slightly more then speculation.

doozerie · 23-03-2011 12:05am

Peterx wrote: »

CRC sending emails promising more information once they have it would appear to be slightly more then speculation.

The only mention that I have seen of CRC making any comment on this issue was in an article (in The Register) linked to earlier in this thread where they said that they didn't believe their systems had been compromised but that they had started an investigation. Seems to me like a perfectly reasonable response to the rampant speculation/hysteria claiming that CRC are the source of the problem. If CRC made no response at all then this would confirm in the minds of many that they really are the source of the problem, so they are damned either way and on the basis of nothing more than speculation.

It may well prove to be the case that CRC are the source of the problem, but there are as yet no hard facts that I have seen to support that view. If they are not the source, then people might continue to casually use the real problematic site/systems that are compromised even as they proclaim their intention to never use CRC again. The truth of the matter is that any retailer that accepts credit card payments, online or otherwise, is liable to compromise and they should all be treated with equal care and attention when using them. So every time you pay online, even if it is to a site that you have come to trust, make sure that the URL of the site looks correct, that your session is encrypted (look for the closed padlock icon in your browser as a simple check, look at the site's SSL certificate details via your browser as a better check), that your credit card details are not cached by your browser (does your browser auto-fill the box where you should type in your credit card number? If the website is properly designed then it shouldn't, and it shouldn't pop up your credit card number as suggested text for that box either), that the site itself does not store the security card number from the back of your card and auto-fill it for you, etc. All standard stuff, and simple to check for. Also, run a virus scanner on your machine, preferably more than one virus scanner in fact as they don't all detect the same set of viruses.

Of course, if it is your credit card provider's systems that have been compromised, then you are screwed and possibly even newly issued cards are already compromised too. No doubt some people would blame that on CRC too though, if it were to happen, 'cos they shopped there "recently".

hunkymonkey · 23-03-2011 4:12am

I also purchased something with the £10 voucher.
Got a call from BOI on Friday (18th) to say that nearly a grand was taken from cc for online purchases but they stopped payment. Not sure of a link to CRC but would like to get a definite on that.

blorg · 23-03-2011 5:05am

doozerie wrote: »

Why would they? It seems to be nothing more than speculation so far that CRC were the ones who exposed/lost the credit card details. I've certainly seen nothing that verifies this theory.

Yes, it is all just a huge coincidence, clearly that is the most rational explanation.

blorg · 23-03-2011 5:29am

doozerie wrote: »

It may well prove to be the case that CRC are the source of the problem, but there are as yet no hard facts that I have seen to support that view. If they are not the source, then people might continue to casually use the real problematic site/systems that are compromised even as they proclaim their intention to never use CRC again. The truth of the matter is that any retailer that accepts credit card payments, online or otherwise, is liable to compromise and they should all be treated with equal care and attention when using them. So every time you pay online, even if it is to a site that you have come to trust, make sure that the URL of the site looks correct, that your session is encrypted (look for the closed padlock icon in your browser as a simple check, look at the site's SSL certificate details via your browser as a better check), that your credit card details are not cached by your browser (does your browser auto-fill the box where you should type in your credit card number? If the website is properly designed then it shouldn't, and it shouldn't pop up your credit card number as suggested text for that box either), that the site itself does not store the security card number from the back of your card and auto-fill it for you, etc. All standard stuff, and simple to check for. Also, run a virus scanner on your machine, preferably more than one virus scanner in fact as they don't all detect the same set of viruses.

I am skeptical that all recent CRC customers just happened to simultaneously get a CC-stealing virus, or were storing their CC number in their browser and all just happened to have their PCs individually hacked. None of this matters if the card details are hacked on CRC's back end.

Of course, if it is your credit card provider's systems that have been compromised, then you are screwed and possibly even newly issued cards are already compromised too. No doubt some people would blame that on CRC too though, if it were to happen, 'cos they shopped there "recently".

People have reported problems with cards from multiple providers, so the only conclusion is that Visa themselves, at an international level, have been compromised. but card numbers were only stolen from people who recently shopped at CRC. That is more likely.

Lumen · 23-03-2011 5:57am

From 17 March, via road.cc

Chain Reaction Cycles acknowledges credit card fraud issue

road.cc wrote:

Chain Reaction Cycles have today acknowledged that some of their customers have become victims of what appears to be systematic credit card fraud, though at this stage the precise nature or even the existence of any possible breach of the company’s online security has yet to be confirmed.

Online forums, including our own, have carried anecdotal evidence of fraudulent activity on the bank accounts of people who have recently purchased goods from Chain Reaction, and the company has confirmed that it is carrying out an urgent investigation into the matter. It has enlisted the services of a specialist internet security company to help with the investigation.

Some of the fraudulent transactions have been for relatively minor sums of up to £30, usually, it seems, to pay for mobile phone top ups, but it appears that others victims have seen their accounts debited for considerably larger amounts.

If there is evidence of a range of fraudulent uses of card details it could indicate that either Chain Reaction's own security has been breached, or that of the credit card gateway that processes card payment, or of the link between the two. Card information might then be being sold on to a variety of criminals who are targeting individual victim’s bank accounts in different ways.

Alternatively it may be that an individual or single gang is testing individual accounts with relatively innocuous-looking transactions which may go unnoticed before attempting to make much larger purchases on the compromised cards.

Chain Reaction has responded to media enquiries with a carefully worded Q&A statement emailed to road.cc and posted on the Singletrackworld forum from senior manager Michael Cowan which says:

What do we know?
We know that some of our customers have experienced credit card fraud after placing an order with CRC.

When did we find out?
Senior staff in CRC where alerted to forum comments on Sunday 6th of March. We immediately began our investigations enabling to release information via community forums on Wednesday the 9th, acknowledging that we were actively investigating the situation.

How big is the problem?
So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly and via forums equates to under 0.1% of on-line orders placed In that same time period. However, we understand that for those effected this is of great concern and as we take our customer's security extremely seriously we are taking all the steps we can to understand what has happened.

What steps have we taken?
CRC have employed one of the UKs leading internet security companies to carry out immediate and full forensic investigation into CRCs infrastructure. This investigation has so far uncovered no evidence of any breach. We are also fully engaged with our card processing companies and the card schemes. This investigation is still underway.

Card Re-issues
Purely as a precaution, Card Issuers may make the decision to reissue new cards to recent CRC customers. If your card is reissued it does not mean that your details have been compromised but the banks take an ultra cautious view on this as the cost of re-issuing a card is much smaller than resolving any potential issue in the future.

When will CRC have more information?
We are working round the clock to get an understanding of what has happened; as we get greater understanding we will continue to keep you up to date and intend to issue a further updates over the next week or so.

Can you order safely?
So far the investigation has uncovered no evidence of any breach but if you want to order on CRC without CRC being in contact with your credit card details then choose Pay by PayPal and checkout using your credit card via the PayPal express checkout.

Please contact us directly
We want people who have been directly affected to contact us so we can personally update you by email. Please contact us on +44 (0)2893343758 between 9am – 5.30pm or emailenquiries@chainreactioncycles.com and we will be glad to help you.”

Beasty · 23-03-2011 8:31am

How big is the problem?
So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly and via forums equates to under 0.1% of on-line orders placed In that same time period.

Those who have contacted them or posted messages on forums may equate to under 0.1%, but based on the feedback in this thread it would appear a significant proportion (probably majority) of those using Irish bankcards (and not Paypal) are affected.

NB I did not order from CRC over this period, but did make numerous orders off other websites (including wiggle, probikekit etc) and my card has not been compromised

heads off to check again

AstraMonti · 23-03-2011 8:38am

Well I took my chances, I ordered something from CRC using the card directly and not paypal.. I am just curious (or can be called muppet too

)

CRC Card Fraud Problems

Comments