
[Closed] CRC security issues?

Posts: 36
Free Member
 

makes interesting reading Mark.

So as a method of proof that CRC are statistically less likely to be the source than spoof card generator, can we invite anyone who has used CRC in the last 4 weeks and NOT had their card compromised, to put their hands up?


 
Posted : 16/03/2011 2:25 pm
Posts: 5942
Full Member
 

This happened a few years back with Wiggle. A load of people on here got done as well as myself. They were flights to Barcelona and O2 top ups too.


 
Posted : 16/03/2011 2:25 pm
Posts: 0
Free Member
 

So then, who's had O2 (or the others mentioned) fraud recently and not used CRC for a while? If this is nothing to do with CRC then there should be plenty.


 
Posted : 16/03/2011 2:26 pm
Posts: 2279
Free Member
 

I don't buy Mark's explanation because if this is an issue of randomly generated card numbers, to affect this amount of cyclists would extrapolate to a national debit card crisis.

Unless anyone cleverer than me can suggest how Mark's links could cause group self selection of cyclists.

I am not a customer of Chain Reaction any more because they haven't contacted customers who may be affected. They may have rung me after I emailed a complaint, but I needed them to be more pro-active to retain my custom. I didn't expect them to put a banner on their website, that would have been commercial suicide. My expectation is that they must be aware of the time-frame of at risk orders, and should have contacted all potential victims. I can understand why they haven't, but I don't care about their self-interest.


 
Posted : 16/03/2011 2:28 pm
Posts: 0
Free Member
 

My new credit card has only ever been used at CRC, yesterday someone spent over £200 at tesco.com on it, it's definitely a CRC security breach, no doubt about it.


 
Posted : 16/03/2011 2:28 pm
 anc
Posts: 0
Free Member
 

No phone top-ups on my card before it got fleeced.


 
Posted : 16/03/2011 2:29 pm
Posts: 0
 

I've just had a call from my bank confirming that the order I made with CRC at the beginning of March was legitimate, so they're obviously checking for something!

Nothing else on my statement looks funny so perhaps just a routine check.


 
Posted : 16/03/2011 2:31 pm
Posts: 36
Free Member
 

No phone top-ups on my card before it got fleeced.

Interesting implication that there are stolen card number users out there that test their numbers first and others that don't. Or those that don't are familiar with the original provenance of the numbers.


 
Posted : 16/03/2011 2:32 pm
Posts: 6256
Full Member
 

Not entirely convinced by the randomly generated numbers... at least not now. Do o2, vodafone, orange, (etc.) still really allow topup purchases with only CC no. and not CVC2, Name as on card, expiry?

Bought on 27/2 from CRC, got a calling card from DP/DHL yesterday (which may or may not be the CRC parcel), checked CC online thingy and everything now adds up. Maybe there were some test authorisations that hadn't been bundled up and gone thru as purchases? Keeping an eye on it for expected purchase to go thru, then will call bank anyway.


 
Posted : 16/03/2011 2:40 pm
 Mark
Posts: 4446
 

It just seems that the more I look the more I find websites out there that are reporting the same issues. Many have petrol stations as the possible culprits. This sounds about right as using a petrol station is one of the many common denominators of the general public. Of course, some people don't use petrol stations at all and have still suffered the fraud. But then it is clear from a bit of looking around the web that many have not used CRC but have still been scammed. On here, there are many who HAVE used CRC and been scammed. But I wonder if we add our numbers on this site to those many thousand of other victims out there whether the CRC link would still statistically hold up? I don't know. I'm posing a reasonable question.

Of course if the scammers are using what they know to be genuine card details then they MUST have been gained from some non-random source and an online retailer would be a likely source, as could petrol stations or any other countless sources. But if... and I'm just postulating... these scammers are using the clearly very lax security operated by the O2 Prepay system to test an endless stream of randomly generated card numbers, then it is possible that these transactions have no retail source at all.

Now, consider if that were the case for a moment. How would that look say to a community of mountain bikers? A significant group of them would have been victims of this randomly generated card scam, especially if the community were large enough. If then those victims looked for some commonality between themselves in order to quite rightly attempt to trace a source, what possible common denominators could they come up with?

The most likely source common to all of them would statistically be a retailer that is huge and serves pretty much exclusively that very community. Other possible common denominators would be other retailers like petrol stations... or supermarkets. But any community that seems to share in a particular fraud is quite naturally going to look at sources that serve that community almost exclusively first of all.

Of course, they may well be correct.

So, what is my point?

An investigation is ongoing. There is a huge amount of circumstantial evidence pointing at one particular source. But there is room for caution. If the card details are being randomly generated then this pattern we see here is just as likely to occur. Of course that argument only holds water if there are other victims who have not used CRC. The number of visitors to this site is large enough to be reasonably representative of the population in certain circumstances so I'd expect that there are some readers of this thread who are victims of this fraud who have not used CRC. Are there any out there? I certainly wouldn't expect there to be equal numbers of CRC users to not CRC users but if my possible scenario is true I would expect there to be at least some. Anyone?

If there are none then this would increase the likelihood that the source could be with a retailer that is almost exclusively used by this community (cyclists of many cycling websites - not just STW). So it seems a reasonable question to ask that we may be able to use to gain a better insight into the problem.

I'm looking forward to the completion of the investigation that CRC are currently undergoing. At that point we'll all know a lot more than we do now 🙂


 
Posted : 16/03/2011 2:48 pm
Posts: 0
Free Member
 

[quote=stuboy2uk]My new credit card has only ever been used at CRC, yesterday someone spent over £200 at tesco.com on it, it's definitely a CRC security breach, no doubt about it.[/quote]

Well that is very suggestive, but there isn't zero doubt. You could have keylogger malware on your PC.


 
Posted : 16/03/2011 2:52 pm
Posts: 0
Full Member
 

Given the size of this issue and the size of CRC, I think that they would be smart to put a statement up on their website in the very least explaining that they are investigating it and will report back soon, and also stating what action they have taken in the meantime to ensure that new payments are safe. The best way to protect a brand is to be honest and communicate with your customers, not to pretend it hasn't happened and hope it will all die down... I'm sure behind the scenes they are working on this 24 7, but it would be good for them to say that clearly to their customer base.


 
Posted : 16/03/2011 2:57 pm
 Mark
Posts: 4446
 

And one final note for now..

I'm in no way making light of this issue. It's hugely serious and if the source is found that's going to be a big deal indeed. But more what I'm trying to do is use the fact that there are so many of us on here to help ask some more logical and rational questions that might actually help us find the source. Circumstantial evidence is NOT inconsequential but if we shift our line of questioning to get other answers this might actually combine with what we do know to either confirm suspicions or point them elsewhere. Circumstantial evidence is one source. What others can we find?


 
Posted : 16/03/2011 3:02 pm
Posts: 0
Free Member
 

I'm looking forward to the completion of the investigation that CRC are currently undergoing. At that point we'll all know a lot more than we do now

I reckon the most you will ever get out of them will be something like "The problems have now been resolved, please resume purchasing."

Or more likely nothing at all.


 
Posted : 16/03/2011 3:02 pm
Posts: 6256
Full Member
 

Many have petrol stations as the possible culprits

Petrol station in Ipswich was my 1st. Don't recall them double swiping, but internet seemed to have an interestingly high number of reports for an Ipswich petrol station.

One of the most common is probably more likely to be rental car companies and hotels. They have your details on file, they have your credit card imprint on file, and the guy on the desk even gets to cop a glance at your CVC2, oh and as a bonus they know exact dates you're not at home.
Friend of mine thought nothing of the rental car guy noting down the CVC2 at the time! Wasn't very happy when he got home. Treat it as a 2nd PIN... remember it... scratch it off the card... then report any retailer to your bank if they query it when doing card present purchase.


 
Posted : 16/03/2011 3:05 pm
Posts: 3775
Free Member
Topic starter
 

You're right to be reluctant Mark
Sorry but if it is possible to randomly pick credit card numbers and manage to 'randomly' pick so many correct that all 'happen' to belong to not just cyclists but cyclists that use CRC and frequent this and other forums then personally I would be using the same techniques to predict next week's lottery numbers rather than scam card information
It would be far more productive!
The odds for what you are possibly suggesting are astronomical
Face facts, one of your main advertisers is the subject of a credit card scam. That cannot be disputed, deflected or defended, no matter what revenue they throw at you via advertising

I've lost faith in CRC now, despite not having been done (yet) the more you try to deflect this away from them the closer I am coming to losing faith in STW as well - You're in contact with them, I suggest you urge them to issue a further statement to your readers and their customers


 
Posted : 16/03/2011 3:10 pm
Posts: 61
Full Member
 

Mark

You're of course right that in a court of law there would be reasonable doubt. But this isn't a court of law, the very opposite. And in this interweb based kangaroo court, the same interweb through which CRC does most, if not all, of its business, there is considerable circumstantial evidence to suggest a link.

Do you not agree that given the circumstantial evidence and number of affected persons, that CRC might do well to placate the masses by posting some form of warning, or issuing a statement to its customers along the lines of "we are investigating the possibility...." and allow them to make the decision?

Are you likely to be placing a debit or credit card purchase on CRC at the moment? I'm afraid I'm not.


 
Posted : 16/03/2011 3:12 pm
 Mark
Posts: 4446
 

I'm in no way commenting on the quality of the information coming from CRC. But Iain.. Facing facts is exactly what I am trying to do. And in so doing I'm looking to strengthen or weaken the case against CRC by looking at other possible scenarios and weighing them up against the circumstantial evidence that we have so far. I think that's a reasonable and balanced approach to the issue. STW could of course go all tabloid and start making assumptions of guilt without any kind of investigation beyond posts on a forum.

I still think it's a reasonable question to ask... Are there victims of O2 Prepay fraud on this forum who have NOT used CRC?

Even if some people come forward and say yes.. this does NOT get CRC off the hook. If no one comes forward then we can also count that as evidence too. None of it conclusive but evidence none the less that will build a clearer picture hopefully.


 
Posted : 16/03/2011 3:22 pm
 anc
Posts: 0
Free Member
 

Yes of course nothing is proven it could be some other source. But when you look back through this thread most of these transactions are directly after a CRC purchase, nothing else in between. The card companies VISA and MasterCard are cancelling cards even without fraudulent activity just because there is a CRC transaction on the account (if people are to be believed). The people you speak to at the call centres for the banks are becoming more and more open about the retailer their fraud department has a file on.
So yes there's doubt, but it don’t look too clever does it. 😕


 
Posted : 16/03/2011 3:23 pm
Posts: 3775
Free Member
Topic starter
 

I still think it's a reasonable question to ask... Are there victims of O2 Prepay fraud on this forum who have NOT used CRC?

Quite probably, but it proves nothing other than that is a recognised way to test validity of scammed card details
Not ALL credit card fraud originates at CRC, but in this instance the weight of evidence far outweighs any doubt that may have been in my mind when I started this thread a week ago
I don't think we need to go round gathering evidence for or against, there is enough of that already, be it circumstantial or not (and some isn't as if people are to be believed it's the only time the card has been used) and besides that's the job of the CC companies, CRC and the external auditor
All we want is some reassurance as to what CRC are doing to investigate and prevent further occurrences, and if it is yet safe to use their shop
Surely publishing such a statement is now in their best interests. This has gone too far for them to bury their head in the sand


 
Posted : 16/03/2011 3:33 pm
 Mark
Posts: 4446
 

most of these transactions are directly after a CRC purchase, nothing else in between.

I disagree.

There are several instances where people have claimed that the only purchase they have made on their card has been to CRC. There are others where the time between CRC purchase and fraud has been up to a month. There are some where the fraud has happened very soon, within a day or two of the CRC purchase. But definitely not 'Most'.

This illustrates a wider observation. Through reading so many posts the conclusion seems obvious. It feels like people are experiencing fraud directly after using CRC but if you go back through the thread you will see that our perception is not generally accurate. We are carried away, quite naturally by a group mentality that results in us feeling the conclusion is beyond doubt. If there is going to be a judgement made then it needs to be on the basis of objective observation.

Also, this thread has indeed gone over 500 posts. But there are in fact 260 voices.. That means on average people have contributed twice to this thread. Not all those voices are victims. Take them out and I think we can safely say there are around 200 victims of fraud here. Now that's still a hell of a lot and the more that add to that total the more compelling the circumstantial evidence becomes, but beware of counting posts and then confusing that with victims as you will have just more than doubled the number.

I'm simply asking for as much objectivity as possible. That's how you differentiate a thorough examination of the facts from a witch hunt. The result may well still be the same, but I'd rather claim I was a part of the former than the latter.


 
Posted : 16/03/2011 3:35 pm
Posts: 0
Free Member
 

Mark, randomly generated would not work for the large fraudulent purchases made through the likes of Tesco, John Lewis, airlines that have been reported. All those retailers would require the CV2 number and the expiry date for the transaction to be accepted.


 
Posted : 16/03/2011 3:36 pm
Posts: 0
Free Member
 

So to conclude - basically, CRC have f-cked up [b]really[/b] badly.

They have potentially lost HUNDREDS of customers, through this PR catastrophe.

And there's a strong correlation between shopping at CRC within the past month AND fraudulent O2 purchases.

Simple.


 
Posted : 16/03/2011 3:38 pm
 anc
Posts: 0
Free Member
 

I disagree.

I disagree.. more of them are straight after the CRC purchase this is how these threads (other forums) came about.


 
Posted : 16/03/2011 3:44 pm
 Mark
Posts: 4446
 

This forum dwarfs ours.
http://forums.moneysavingexpert.com/showthread.php?t=1901991&page=21

Again, all this tells us is that O2 Prepay transactions appearing on bank statements as a prelude to larger transactions is not exclusively a cyclist problem. It's a small piece in the puzzle but it's a piece regardless.


 
Posted : 16/03/2011 3:54 pm
Posts: 0
Free Member
 

Has anyone's debit card (used on CRC) been affected?


 
Posted : 16/03/2011 3:59 pm
Posts: 251
Full Member
 

buzz-lightyear - yes, see above.


 
Posted : 16/03/2011 4:00 pm
 Mark
Posts: 4446
 

I'm going to back off for now though for fear of being strung up... 🙂 I'm as eager to hear from CRC as everyone else and see this whole issue sorted out.


 
Posted : 16/03/2011 4:01 pm
Posts: 19545
Free Member
 

I have stopped on-line purchase using my own card for few years now instead I started using prepaid CC or DC that I bought from WH Smith. It's only for on-line purchase only so I guess I am doomed for the rest of card purchase ... well, cash is king so I use cash as much as possible or cheque or pay direct into bank. I think the next thing I will do is to not go out and start stocking up food ...

The following are the possibilities:

1) CRC breach - malware internally installed or externally hacked.

2) CC or DC processing centre - someone is collecting information the moment a purchase is made through large retailer(s).

3) Other retailers - petrol station, hotel etc when card is used.

4) Somewhere between CRC and CC or DC processing centre (actually same as 1 & 2).

5) Your PC is infected due to Pr0n watching ... likely but hackers rather target big players where they can harvest vast amount of data than you that earn peanut for a living. Well earning peanut me.

My guess will be 1, 2 or 4.

Will be interesting to see where the source of the hack is from and so far all the cc is used in UK o2 and Spain ...

😯


 
Posted : 16/03/2011 5:40 pm
Posts: 0
Free Member
 

My bet's on #1


 
Posted : 16/03/2011 6:02 pm
Posts: 0
Free Member
 

Just been had.

CRC order 2nd March.
2 x £15 O2 prepay vouchers Slough. 13th March

Natwest didn't pick it up on a debit card.

peed off. CRC Own Up!


 
Posted : 16/03/2011 6:21 pm
Posts: 9238
Free Member
 

Given the way the payment card industry works, I'm pretty sure CRC will have a lot of answering of questions to do and quite possibly some hefty fines (if they want to keep using credit cards). Worst case scenario, you'll see paypal only on CRC if the card industry think they've really messed it up but I'd imagine that'll be quite unlikely.

CRC DO need to issue some sort of press release on this because right now the hearsay suggests the problem is still happening so more customers each day are getting stung.


 
Posted : 16/03/2011 6:29 pm
Posts: 89
Free Member
 

With regards to the O2 top-up security... you need to know either the[b] house number or numeric digits of the post code[/b] of the card holder.

You wouldn't be able to get hold of these if your card was skimmed at a petrol station (unless they somehow did a check on the car registration and it happened to be the same address).

Now, I haven't used a petrol station at all this year. So either they have randomly guessed my post code and got it right, or they got it when I typed in my payment details at an online retailer.


 
Posted : 16/03/2011 6:33 pm
Posts: 5559
Free Member
 

I wonder if we add our numbers on this site to those many thousand of other victims out there whether the CRC link would still statistically hold up? I don't know. I'm posing a reasonable question.

You are but if I start that thread I doubt very much you will be answering on page 15. This thread would have just died if no one else was affected after CRC use. We may use CRC more than others but I can't see why we are more likely to be the victim of a similar random fraud of auto generation. Why would CRC paypal users be unaffected for example?


 
Posted : 16/03/2011 6:45 pm
Posts: 9238
Free Member
 

Surely if this wasn't CRC related, some other big bike websites would at least get a mention. Evans, Wiggle etc must get at least half the revenue of CRC?


 
Posted : 16/03/2011 6:46 pm
Posts: 2936
Free Member
 

So if I use paypal on CRC it's safe?


 
Posted : 16/03/2011 6:47 pm
Posts: 9238
Free Member
 

Paypal uses a token based system. So they take the money but can't do any further transactions plus CRC never sees your PP login details. So it should be completely safe to use paypal to buy stuff unless there's something shockingly wrong with CRC.


 
Posted : 16/03/2011 6:54 pm
Posts: 0
Free Member
 

I made a purchase on the 8th March with CRC (only the second time I've used them in 12 months), and 3 days later, I had two O2 PrePay payments against my account.

I only managed to find out about the link with CRC by looking on Google, and finding this thread (along with several others). I've spoken with CRC yesterday, and given them the details of my order, and the details of my Police incident reference.

My bank didn't spot the dodgy transactions, I did when checking my statement.

I wish now I'd chosen the PayPal option like I do 95% of the time when buying stuff online.

I also can't believe how people are still suggesting it's a coincidence. I work in IT and have done all my professional life, and my computer isn't infected with any key loggers, or spyware (plus my purchase with CRC was made when I was at work, and my work laptop is VERY secure).
The same thing happened when Lush had their online store compromised two months back. People were defending them, and saying it was other people's faults. They were storing card holder details unencrypted in the database (A BIG NO NO!). At least they had the decency to contact all their customers who could possibly have been affected (going back 4 months worth of orders). They also took down their online store (which I know is their main source of turnover, my wife used to work for them).


 
Posted : 16/03/2011 8:09 pm
Posts: 0
Free Member
 

I have had my card cloned twice in the last month, both 2 days after a purchase from CRC. The first time they tried to make £15 payments to o2, the second time it would seem they bought two season tickets, bus tickets and a flight with Ryanair.

It would seem that their website is compromised.


 
Posted : 16/03/2011 8:09 pm
Posts: 1680
Full Member
 

Another £30 prepay from O2 here. Used Chain Reaction on the 1st March, got done on 9th March, which seems like quite a large gap.

In case it rings a bell for anyone else, I also used the card for the following:

Radiohead album
Amazon digital download
Etsy shop via paypal
Bristol train ticket
Spokeshirts via paypal

Maybe everyone on this thread also bought the Radiohead album... 🙄


 
Posted : 16/03/2011 8:34 pm
Posts: 0
Free Member
 

I am SO oiked off! So, on the 8th of March I bought a KMS chain and my nationwide debit card was cloned etc. Bank refunded me money so all was good, apart from being without a card for 6 days!

Then I had a problem with my XT 10speed cassette, one of the sprockets snapped. CRC warranty dept. said nothing they can do and I'd have to purchase another one. As I’m doing the Gorrick race this weekend I was in a rush to get a new one. CRC assured me that the card issues had been sorted out on the 9th! Well Mrs Janesy's card has just been cloned (15th) and £400 was attempted at John Lewis!
[b]
CRC you lying BAST**DS! I will never shop with you again. Enjoy your ear bashing tomorrow morning!!!![/b]

Plus, they email me after I had sent a photo of the sprocket, they are refunding me for the original cassette (£15 lower than the new one) to be honest, it’s the least they can do!


 
Posted : 16/03/2011 10:40 pm
 wwww
Posts: 0
Free Member
 

Last week I used CRC for the first time ever. This week someone tried to make a purchase at an Apple store using my card details

My card has been canceled & a new one issued.


 
Posted : 16/03/2011 10:47 pm
Posts: 24858
Free Member
 

Objectively:

I was scammed a few days after a CRC purchase, but with Vodafone as opposed to O2. Do they have the same security / lack of as the O2 automatic guessing scam?

Secondly. I have several credit cards. Some are effectively dead (zero balance, I should get round to cancelling); some are balance trf cards but no purchases being made, and then I have 3 active cards (one Visa, one MC, and one I use only for work). Why is the only one that has been scammed of all these cards the one that was used at CRC?

Being objective this could be coincidence but to paraphrase what I said in my previous post on this subject; Quack Quack.


 
Posted : 16/03/2011 10:59 pm
Posts: 50252
Free Member
 

For how long will respected publishing houses continue to take the CRC pound? Or will they acknowledge the problem and pull all advertising until CRC themselves acknowledge the problem and take appropriate action?


 
Posted : 16/03/2011 11:01 pm
Posts: 20667
Full Member
 

I cancelled my card (as a precaution, not cos it had definitely been compromised) on Monday, new one arrived today. 🙂
Happy with that except that when I phoned the number to get it activated it once again turned into a sales pitch of how I should buy Identity Theft / Fraud Insurance. 👿


 
Posted : 16/03/2011 11:04 pm