Are CRC having major web security problems?


Comments

  • By the looks of things there are far more people who suffered fraud after using a CC to buy from CRC than who used paypal similarly. That has emerged quite clearly - and that is important information within this thread's context.
  • Anonymous
    Anonymous Posts: 79,665
    True, in this instance it was something to do with CRC's credit/debit card that was hacked. But my point is that you shouldn't assume you are safe just because you're using paypal.
  • I stopped using paypal a couple of years ago when my account was hacked and used fraudulently, first of all to buy things and secondly to do some money laundering.

    Even though I got stung with a CC CRC payment Santander refused it as it didn't fit my normal spending patterns. Card was cancelled and a new one arrived 2 days later.

    I'm sure paypal are more secure now but they burnt their bridges when I spent nearly 6 months proving the transactions were nothing to do with me. No apologies...no recompense, just a letter telling me I was 'in the clear'. So I stopped using them. I also hate the fact they're under the same umbrella as Fleabay and the thieves' paradise that is Gumtree.
  • crccustomersupport
    edited March 2011
    Hi Folks

    Just want to give you an update as you may have missed our earlier statements.

    What do we know?
    We know that some of our customers have experienced credit card fraud after placing an order with CRC.

    When did we find out?
    Senior staff in CRC were alerted to forum comments on Sunday 6th of March. We immediately began our investigations, enabling us to release information via community forums on Wednesday the 9th, acknowledging that we were actively investigating the situation.

    How big is the problem?
    So far, we have been contacted by customers who purchased in February and the beginning of March. The contacts we have had both directly and via forums equate to under 0.1% of on-line orders placed in that same time period. However, we understand that for those affected this is of great concern, and as we take our customers' security extremely seriously we are taking all the steps we can to understand what has happened.

    What steps have we taken?
    CRC have employed one of the UK's leading internet security companies to carry out an immediate and full forensic investigation into CRC's infrastructure. This investigation has so far uncovered no evidence of any breach. We are also fully engaged with our card processing companies and the card schemes. This investigation is still underway.

    Card Re-issues
    Purely as a precaution, Card Issuers may make the decision to reissue new cards to recent CRC customers. If your card is reissued it does not mean that your details have been compromised but the banks take an ultra cautious view on this as the cost of re-issuing a card is much smaller than resolving any potential issue in the future.

    When will CRC have more information?
    We are working round the clock to get an understanding of what has happened; as we get greater understanding we will continue to keep you up to date and intend to issue further updates over the next week or so.

    Can you order safely?
    So far the investigation has uncovered no evidence of any breach but if you want to order on CRC without CRC being in contact with your credit card details then choose Pay by PayPal and checkout using your credit card via the PayPal express checkout.

    Please contact us directly
    We want people who have been directly affected to contact us so we can personally update you by email. Please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.

    Thanks again for your patience and support

    Michael Cowan
    CRC Senior Management
  • Buckled_Rims
    Buckled_Rims Posts: 1,648
    jimexbox wrote:
    Chill dude, we all know that no internet payment system is 100% secure, it's about minimising risk. I believe you mentioned a redirect to a 'dodgy site' on the previous page. A redirect from Paypal will still not display a valid SSL certificate, your browser should warn you of this.

    You're assuming that the users' browsers are up to date and change colour to warn them, and also that port 443 hasn't "somehow" been disabled. Also a lot of older browsers don't support SNI which is the more secure version of SSL.

    I think it would help if all those who were hacked mentioned what browser and version they used as this "may" indicate what type of attack was used.
    CAAD9
    Kona Jake the Snake
    Merlin Malt 4
  • Mr Dog
    Mr Dog Posts: 643
    Best wishes to all at CRC. Good people have taken years to build a fine company... let's hope those guilty of theft are caught and punished.
    Why tidy the house when you can clean your bike?
  • CRC - thanks for the update.
  • Anonymous
    Anonymous Posts: 79,665
    Mr Dog wrote:
    Best wishes to all at CRC. Good people have taken years to build a fine company... let's hope those guilty of theft are caught and punished.
    Ditto.
  • steve_muzzy
    steve_muzzy Posts: 259
    Interesting response from CRC and shows you have to go public to get a response.

    I emailed them about the problem on the 4th of March at 13:00 following a discussion with my bank but it took the power of bikeradar to get a response :)

    However I am impressed they have come out with this statement and are trying hard to solve it.
  • blister pus
    blister pus Posts: 5,610
    yeh well. your inability to read and comprehend has already been established further up.
    Bollocks has it. There's still people (like you) claiming that we'll all be fine using paypal. There's no guarantee.

    I've made it abundantly clear throughout that there is no such thing as "bullet proof" except in a few special circumstances and Paypal is about as good as it gets in any industry but nothing is "bullet proof", if you choose to use that facility that's down to individual choice - so, go on, keep digging, people like laughing at you.
  • Anonymous
    Anonymous Posts: 79,665
    Digging WHAT?
    I'm telling people to be cautious regardless of what they use. What the hell is your problem with that?
  • sniper68
    sniper68 Posts: 2,910
    Taken from another Forum:
    Only last Monday a lad came in to work and said he'd just spent £1500 on PP but he hadn't in reality.

    He is now awaiting the outcome as his PP account has been confirmed as being hacked... Time will tell!
    :roll:
  • diy
    diy Posts: 6,473
    I wonder if any of the other Realex (CRC's handler) customers have been affected. If not then it could be CRC picking up the bill from the card companies.

    Paypal is different (no more or less secure) but different, so I'd say it's their payment gateway which is being intercepted while taking card details.
  • antfly
    antfly Posts: 3,276
    We have already established that paypal is more secure that's why CRC are advising people to use it.
    Smarter than the average bear.
  • bennett_346
    bennett_346 Posts: 5,029
    But my point is that you shouldn't assume you are safe just because you're using paypal.
    Nobody has assumed that with 100% certainty
  • Digging WHAT?
    I'm telling people to be cautious regardless of what they use. What the hell is your problem with that?

    I think you are just being a pain. Immature and ineffective, not clever, unhelpful and worthless.
  • Cleat Eastwood
    Cleat Eastwood Posts: 7,508
    Digging WHAT?
    I'm telling people to be cautious regardless of what they use. What the hell is your problem with that?

    That's absolutely spot on advice. I've built commercial websites that use payment gateways and a few years ago we were made aware of a huuuuge problem with paypal. It has to be added that it was not of their making.

    What was happening was people were using progs like dreamweaver with built in plug ins to connect to paypal. What this meant was that the paypal logo, even though it linked to the paypal site, was held on the local server.

    Consequently if a website was hacked all the baddies had to do was alter the link on the logo and point it to a false paypal website.

    Nowadays paypal logos are held on secure paypal servers, so that threat is largely eliminated.

    Also we had one experience where a client wanted to set up worldpay. This required our client getting a gateway code from his bank. This he did but he then emailed and even texted it to us. It could have been intercepted at any point. Not his fault, just a potential weak spot which is what yeehaa I think is saying; buyer beware.
    The dissenter is every human being at those moments of his life when he resigns
    momentarily from the herd and thinks for himself.
  • My stuff turned up ok after ordering last Friday(11th) and so far nothing untoward has happened to my account, watching it like a hawk still.
    Wondering if I'm in the clear? The major hassle with this type of fraud is having the card cancelled, and like the majority of the economic slaves in this country if a chunk of my meagre wages disappears it screws up any DD's and leaves you overdrawn....
  • Atz
    Atz Posts: 1,383
    Nowadays paypal logos are held on secure paypal servers, so that threat is largely eliminated.

    If bad people changed the target of a link before, how does the location of the image stop that? Okay, I really need to stop replying to this thread because it's a bike forum, not stackexchange.
  • Cleat Eastwood
    Cleat Eastwood Posts: 7,508
    ha ha I sometimes forget it's bikes that matter. The problem was that with web design software images were stored in a generic folder called, rather cunningly, 'images' where an actual jpeg lived. Nowadays you don't display the paypal logo but a link to a secure server that holds the logo, in fact this one:

    https://www.paypal.com/uk/logos
    The dissenter is every human being at those moments of his life when he resigns
    momentarily from the herd and thinks for himself.
  • Atz
    Atz Posts: 1,383
    Was just saying that if the problem was compromised source code, it doesn't matter where the image is stored because they can change the image URI easily enough again. If that's the "security", go slap the developer who thought it up hard around the face until they realise that they didn't do anything. Of course, there's not much you CAN do if your source code can be edited by the bad people :)
  • Pain Cave
    Pain Cave Posts: 18
    CRC have great service, a great range and good prices. I however have had my credit card loaded with £2,000 of fraudulent transactions after buying something from CRC.

    My faith in them has been compromised and it will take a guarantee from them in their security before I go back.

    I hope they sort it out and catch those responsible because they have built a good business from nothing.
    Be One Carbon Raw
    Specialized Stumpjumper FSR
    Giant TCR Alliance
  • To be fair, I'm sure CRC are doing what they can. As an online business, their survival depends on it. Obviously something's been compromised somewhere, but it could happen anywhere.

    As above, use paypal. Yes, it may be paypal at fault (unlikely), but if you think it is, you might as well stop shopping online altogether because you'll not find more secure systems than that.
  • lemoncurd
    lemoncurd Posts: 1,428
    Atz wrote:
    Was just saying that if the problem was compromised source code, it doesn't matter where the image is stored because they can change the image URI easily enough again. If that's the "security", go slap the developer who thought it up hard around the face until they realise that they didn't do anything. Of course, there's not much you CAN do if your source code can be edited by the bad people :)

    You're right, doesn't matter how secure PayPal is, stick one of these on your page, link to a fake PayPal site. Job Done.

    PayPalCheckout.gif
  • BeaconJon
    BeaconJon Posts: 294
    Hi all. I very rarely post on this site but often read it.

    Just had an email from my boss knowing I use CRC.

    We had to cancel our cards last week after my wife checked our banking as she usually does only to find two £15 top ups coming out to O2 a week before. On the 28th Feb I purchased a new saddle for the wife from CRC.

    Obviously I can't prove anything but the usual wheels are turning.

    Just adding to this story.

    Jon
  • jimexbox
    jimexbox Posts: 200
    lemoncurd wrote:

    You're right, doesn't matter how secure PayPal is, stick one of these on your page, link to a fake PayPal site. Job Done.

    PayPalCheckout.gif

    Anybody who uses a link from an unknown source to access their paypal account deserves everything they get. As I've mentioned previously the fake site will not have a valid SSL certificate either.

    You know what they say about leading a horse to water.....
  • lemoncurd
    lemoncurd Posts: 1,428
    jimexbox wrote:
    lemoncurd wrote:

    You're right, doesn't matter how secure PayPal is, stick one of these on your page, link to a fake PayPal site. Job Done.

    PayPalCheckout.gif

    Anybody who uses a link from an unknown source to access their paypal account deserves everything they get. As I've mentioned previously the fake site will not have a valid SSL certificate either.

    You know what they say about leading a horse to water.....

    I wonder how many people know what an SSL certificate is, and in any case, they are not 100% secure.

    http://www.win.tue.nl/hashclash/rogue-ca/
  • Anonymous
    Anonymous Posts: 79,665
    edited March 2011
    PayPal may be secure but you also have less protection should you wish to contest a transaction. More so as they default to taking your money direct out of your bank account when you don't have funds.

    But anyway.

    Last item I bought from them was in January. Nothing suspect on my credit card so far.

    Sounds like it's not a hack of stored card details but an intercept during payment. Sometimes these things can occur through third party components on their web site (banners and scripts that come from an external site).

    Anyway, not a big CRC fan. Prices are okay but not amazing, but had a number of issues with them not shipping when they say they will. Wiggle are outstanding in the delivery department for me at the moment. Order in the afternoon, it's there next day. Even with the cheap delivery option! Superstar, Merlin and Wooly Hat Shop are also my favourites for price and service.

    jimexbox wrote:
    As I've mentioned previously the fake site will not have a valid SSL certificate either.
    So long as it matches the URL and keeps the browser happy. Often the fake button links to a fake URL which looks very similar to the real thing, so there's no hidden URL, it just relies on the user not being very observant of the URL in the address bar. On top of that many genuine sites redirect payment processing to an external site which the user wouldn't recognise anyway.

    Then just get an SSL cert for the site matching the fake domain which is as cheap as £20 from the lesser cert authorities (or even just self sign it!), and the browser is happy enough to stick on a padlock or whatever.

    Basically don't trust a site just because it appears to have a valid SSL cert. Double check the URL is what you think it should be. I find if the payment is redirected and I've never heard of them, I do a check on who they are. Though most head off to Worldpay or similar.

    Better still look for EV certified sites. At the very least it's more costly to get an EV cert (e.g. around £1k for a cert), and less likely a fake site would use them.
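The two failure modes discussed in this thread, a PayPal-branded button whose link has been altered to point at a fake site (Cleat Eastwood's "images folder" problem and Atz's reply) and a look-alike hostname that carries a perfectly valid certificate and padlock (deadkenny's post above), can both be caught by a site operator auditing their own checkout page. The following is an added example, not code from the thread or from any of the posters: it parses a checkout page, pairs every PayPal-branded image with the link or form it submits to, and accepts a destination only if it is served over https to paypal.com or a subdomain of it. The allowlist, the hypothetical function names and the sample HTML are all assumptions constructed for the example.

```python
"""Defender-side audit of PayPal checkout buttons on a page.

Added example, not code from this thread or from any poster. A tampered link
target, a look-alike hostname (paypal.com.something.example, punycode
homographs) and an http downgrade are all flagged, regardless of whether the
destination shows a padlock. Allowlist and sample HTML are constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only acceptable checkout destination is paypal.com or a
# subdomain of it. Homograph domains decode to different ASCII labels, so an
# exact suffix match rejects them without any special-casing.
GENUINE_PAYPAL_DOMAINS = ("paypal.com",)


def is_genuine_paypal_host(hostname):
    """True only for paypal.com itself or a label.paypal.com subdomain."""
    if not hostname:
        return False
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GENUINE_PAYPAL_DOMAINS)


def checkout_target_ok(url):
    """A destination is acceptable only over https and only to a genuine host."""
    try:
        parts = urlsplit(url or "")
        return parts.scheme == "https" and is_genuine_paypal_host(parts.hostname)
    except ValueError:  # malformed URL (e.g. bad IPv6 literal) is never acceptable
        return False


class PayPalButtonAuditor(HTMLParser):
    """Pairs every PayPal-branded image with the link or form it submits to."""

    def __init__(self):
        super().__init__()
        self._links = []    # hrefs of currently open <a> elements
        self._forms = []    # actions of currently open <form> elements
        self.findings = []  # (image_src, destination, ok)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._links.append(a.get("href", ""))
        elif tag == "form":
            self._forms.append(a.get("action", ""))
        elif tag in ("img", "input"):
            branded = "paypal" in (a.get("src", "") + a.get("alt", "")).lower()
            if branded:
                # An <a> wrapping the image wins; otherwise the enclosing <form>.
                dest = self._links[-1] if self._links else (self._forms[-1] if self._forms else "")
                self.findings.append((a.get("src", ""), dest, checkout_target_ok(dest)))

    def handle_endtag(self, tag):
        if tag == "a" and self._links:
            self._links.pop()
        elif tag == "form" and self._forms:
            self._forms.pop()


def audit_checkout_html(html):
    """Return (image_src, destination, ok) for each PayPal-branded button found."""
    auditor = PayPalButtonAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one genuine button and three tampered variants.
SAMPLE_PAGE = """
<html><body>
<!-- genuine: logo served by PayPal, link goes to PayPal over https -->
<a href="https://www.paypal.com/checkoutnow?token=EXAMPLE">
  <img src="https://www.paypal.com/uk/logos/PayPalCheckout.gif" alt="Check out with PayPal">
</a>
<!-- tampered: locally hosted logo, link altered to a look-alike domain -->
<a href="https://www.paypal.com.secure-checkout.example/login">
  <img src="/images/PayPalCheckout.gif" alt="Check out with PayPal">
</a>
<!-- tampered: form posting to a punycode look-alike -->
<form action="https://xn--paypl-7qa.example/cgi-bin/webscr" method="post">
  <input type="image" src="/images/paypal_button.gif" alt="Pay">
</form>
<!-- downgraded: right host but plain http -->
<a href="http://www.paypal.com/checkoutnow"><img src="/images/paypal.gif" alt="PayPal"></a>
</body></html>
"""

if __name__ == "__main__":
    for src, dest, ok in audit_checkout_html(SAMPLE_PAGE):
        print("OK " if ok else "BAD", src, "->", dest or "(no destination)")
```

The check deliberately compares hostnames exactly rather than looking for the string "paypal" anywhere in the URL, because the fake URLs described in the thread contain that string by design; a matching certificate for the fake domain would pass a browser's checks, so the padlock alone is not evidence of anything.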
  • jimexbox
    jimexbox Posts: 200
    lemoncurd wrote:

    I wonder how many people know what a SSL certificate is, and in any case, they are not 100% secure.

    http://www.win.tue.nl/hashclash/rogue-ca/

    Nothing is 100% secure.
  • andermt
    andermt Posts: 20
    deadkenny wrote:
    Sounds like it's not a hack of stored card details but an intercept during payment. Sometimes these things can occur through third party components on their web site (banners and scripts that come from an external site).

    Not sure exactly how the CC system works but in my case I had placed an order in Feb and received the goods but there was an issue with them so sent them back, CRC then did a refund on my card, it was at this point that the fraudulent transactions started on my account, thankfully caught at the 1st one by my bank.

    So wherever the issue with security is at CRC it doesn't seem to be the website in my experience as the purchase through the website seems to have been okay.

    As such I'll never buy from them again. The fact they know there is an issue and have at a glance done nothing about it and are still using the same hacked system is terrible security for their customers.