Are CRC having major web security problems?
I ordered from CRC 2 weeks ago before I heard about this and was worried if it was happening to everyone. As it turns out, my credit card company phoned me this morning via an automated voice service, and after confirming my details: someone tried to spend £600 at an Apple shop and £15 on an O2 topup. Luckily the money hasn't left my account and they are going to send me a new card. When this happens it is easy to lose confidence in the retailer.
i thought you had to be sensible and couldn't troll in here?
make it a far better forum if you can.
sheepsteeth wrote:i heard paypal isnt that secure.
Thought your new medication stopped you hearing those voices in your head?
I don't do smileys.
There is no secret ingredient - Kung Fu Panda
London Calling on Facebook
Parktools
Hi I am new to this forum (or indeed any cycling forum!) I have been lurking around for several months, meaning to join in as my interest in cycling has grown.
Anyhoo, just to add to this thread and ask a question at the end of my post, I hadn't used CRC for a year or so, but shopped there just under two weeks ago. I then saw this thread a couple of days later - typical, why couldn't I have seen this thread first? :roll:
This was on a credit card that had only seen a few transactions although I have had it ages, just never used it. Fast forward to tonight and I get a call from my credit card company saying that some transactions were picked up that were suspicious, but luckily blocked. Now I am without a card while a new one is issued.
Now, like a few others I have been put off going back. A shame as there were a couple more bits (base layers) I wanted from them but don't want to risk a new card when it arrives.
Has anyone ever used www.kickbacksports.co.uk or www.bournesports.com? They stock what I am after but I have never heard of either shop before. Thanks
Just adding my voice to the crowd. Ordered from CRC, a few days later, my card was refused when I tried to make a purchase. I checked online, and two £15 O2 topups had gone out of my account. Seems they'd done that successfully, then clearly tried to do something bigger that had been flagged.
I've emailed CRC to find out the crack.
are CRC safe again yet? They are simply the cheapest on loads of stuff... and I'm pretty keen to order some stuff from them....
I like bikes and stuff
Hi Folks,
Since our last communication, we have continued to carry out a full forensic investigation following recent reports and concerns from our customers experiencing credit card fraud after placing an order with CRC.
The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.
Recent customers of CRC may find that, as a precaution, their credit card company will issue a new card. Be assured that if this does occur it does not indicate that your details have been compromised.
The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.
We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.
Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.
If you have further enquiries about this issue please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.
Thanks again for your patience and support,
Michael Cowan
CRC Senior Management
Thanks for the update, Michael.
excellent news. glad things have been resolved
i'm now going to celebrate by buying a new front tyre from you
blister pus wrote:excellent news. glad things have been resolved
i'm now going to celebrate by buying a new front tyre from you
good luck.
Awesome. Excellent response from crc too... very good.
Sheepsteeth:
I like bikes and stuff
im only joking, it is very decent of the company to be upfront about the whole affair and it will be good news to the folk desperate to get their monies spent.
CRC should contact the 'compromised' people and make some sort of recognition of their responsibility!
I was swindled out of almost 1k euros..... makes me think twice about buying from the likes of CRC again! if they can be hacked, what about the small guys??
:roll: EVERYONE can be hacked. It doesn't matter how secure your site is, nothing is an absolute.
CRC are a victim, not the bad guys here.
yeehaamcgee wrote::roll: EVERYONE can be hacked. It doesn't matter how secure your site is, nothing is an absolute.
CRC are a victim, not the bad guys here.
thats why folk should use paypal.
YOU should know better than try and set me off, sheeps!
Excellent news. Kudos to CRC for the detailed information.
Lapierre Zesty 514 - 2010
yeehaamcgee wrote:CRC are a victim, not the bad guys here.
Hmm... I don't entirely agree with you there.
Think of it this way... you leave £1k in an envelope at a mate's house. You've told him the envelope has £1k in it, and it's very important he looks after it. Later, you get a phone call saying "I've been broken in to, and your £1k has been nicked. I left it on the door mat... thing is, not only did I not lock the door, I left it wide open... can't trust anyone these days, can you?"*
I'd put money on it that your first words wouldn't be "we're both victims" - much more likely you'd say something along the lines of "why the f*** did you leave the door open?"
Don't get me wrong, CRC are definitely a victim - they've lost customers, reputation etc. However, they can also be the bad guys - it could be argued they brought it on themselves (and the affected customers) through negligence, ignorance, or simply being too tight to pay for proper security.
If the hole is plugged now, there's no reason why it couldn't have been plugged before.
As for the detailed information... there's no useful detail in there at all, really. I'm sure it was a "sophisticated cyber attack" - but let's not be naive ... they're hardly likely to say "it was a piece of p**s for them and we've now changed the default passwords on our load balancers"
Not that it'll stop me shopping there
*: ok, so analogies aren't my strong point.
I have no words for you except... Wow
:shock: :? :roll:
lhoward1976 wrote:yeehaamcgee wrote:CRC are a victim, not the bad guys here.
Hmm... I don't entirely agree with you there.
Think of it this way... you leave £1k in an envelope at a mate's house. You've told him the envelope has £1k in it, and it's very important he looks after it. Later, you get a phone call saying "I've been broken in to, and your £1k has been nicked. I left it on the door mat... thing is, not only did I not lock the door, I left it wide open... can't trust anyone these days, can you?"*
I'd put money on it that your first words wouldn't be "we're both victims" - much more likely you'd say something along the lines of "why the f*** did you leave the door open?"
Don't get me wrong, CRC are definitely a victim - they've lost customers, reputation etc. However, they can also be the bad guys - it could be argued they brought it on themselves (and the affected customers) through negligence, ignorance, or simply being too tight to pay for proper security.
If the hole is plugged now, there's no reason why it couldn't have been plugged before.
As for the detailed information... there's no useful detail in there at all, really. I'm sure it was a "sophisticated cyber attack" - but let's not be naive ... they're hardly likely to say "it was a piece of p**s for them and we've now changed the default passwords on our load balancers"
Not that it'll stop me shopping there
*: ok, so analogies aren't my strong point.
we must have the same mate. i lost a grand the same way. does he live in rhyl?
The dissenter is every human being at those moments of his life when he resigns momentarily from the herd and thinks for himself.
crccustomersupport wrote:Hi Folks,
Since our last communication, we have continued to carry out a full forensic investigation following recent reports and concerns from our customers experiencing credit card fraud after placing an order with CRC.
The independent forensic investigation has shown that our infrastructure was the target of a sophisticated attack which resulted in the theft of card details relating to a number of our customers. Details were being stolen ‘real time’ and only a small proportion of recent CRC customers were affected.
Recent customers of CRC may find that, as a precaution, their credit card company will issue a new card. Be assured that if this does occur it does not indicate that your details have been compromised.
The access point of the theft has been identified and permanently closed off so we are confident that we have fully addressed any weakness in our infrastructure.
We are sincerely sorry for what has happened in recent weeks and would like to thank you for your patience and support throughout this difficult period.
Our site is safe to use and will be continually monitored and tested by independent on-line security experts to ensure your details are safe.
If you have further enquiries about this issue please contact us on +44 (0)2893343758 between 9am – 5.30pm or email enquiries@chainreactioncycles.com and we will be glad to help you.
Thanks again for your patience and support,
Michael Cowan
CRC Senior Management
Admitting fault, fixing and apologising - excellent response from CRC and I hope it doesn't mean any more problems for them
One thing though: I tried to call a Laura back twice, on hold then no response...
Nothing is 100% secure. We all receive security updates to the various operating systems we use. The same process occurs for web based software too.
A new exploit occurs and then it is patched. Most of the time the threat is patched and it affects nobody, but sometimes, like recent events, a large number of people are affected before a solution is sorted.
lhoward1976 wrote:yeehaamcgee wrote:CRC are a victim, not the bad guys here.
Hmm... I don't entirely agree with you there.
Think of it this way... you leave £1k in an envelope at a mate's house. You've told him the envelope has £1k in it, and it's very important he looks after it. Later, you get a phone call saying "I've been broken in to, and your £1k has been nicked. I left it on the door mat... thing is, not only did I not lock the door, I left it wide open... can't trust anyone these days, can you?"*
I'd put money on it that your first words wouldn't be "we're both victims" - much more likely you'd say something along the lines of "why the f*** did you leave the door open?"
Don't get me wrong, CRC are definitely a victim - they've lost customers, reputation etc. However, they can also be the bad guys - it could be argued they brought it on themselves (and the affected customers) through negligence, ignorance, or simply being too tight to pay for proper security.
If the hole is plugged now, there's no reason why it couldn't have been plugged before.
As for the detailed information... there's no useful detail in there at all, really. I'm sure it was a "sophisticated cyber attack" - but let's not be naive ... they're hardly likely to say "it was a piece of p**s for them and we've now changed the default passwords on our load balancers"
Not that it'll stop me shopping there
*: ok, so analogies aren't my strong point.
This is simply the single biggest pile of horseshit I've ever read in my entire life, and I've read some drivel!
Leaving the door wide open? they were hacked! In what sounds like a very organized attack by people who really know what they're doing.
So your analogy is just wrong. If anything, it's more like:
you leave £1k in an envelope at a mate's house. You've told him the envelope has £1k in it, and it's very important he looks after it. Later, you get a phone call saying "I've been broken in to, and your £1k has been nicked. The money was in the big fook off, locked safe, along with a load of other stuff. The safe had been certified as secure and checked on a regular basis. I'm very sorry about that, I did everything I could possibly have done. Don't worry though, your bank has given you the money back. I've now gone and bought a brand new, even bigger safe."
:roll:
Drapper wrote:CRC should contact the 'compromised' people and make some sort of recognition of there responsibility!
I was swindled out of almost 1k euros..... makes me think twice about buying from the likes of CRC again! if they can be hacked, what about the small guys??
Excellent first and only post. 'The likes of CRC' - in other words you won't buy anything online. Won't make any difference as there are very few companies catering to the penny farthing market.
I don't do smileys.
There is no secret ingredient - Kung Fu Panda
London Calling on Facebook
Parktools
Well done Chain Reaction. I was a victim of fraud from their site, and even though I got all my money back from my bank, the fact of having no card for 7-10 days is a pain, but the £30 voucher they have sent me was very very generous!
The proof of good customer service is in what a company does when something goes wrong. CRC have communicated with the people involved and apologised. Banks/credit card companies have already refunded/will refund those customers involved so CRC's offer of a voucher is beyond what they needed do.
Any company can be the victim of a concerted attack from fraudsters and anyone who shops online should be aware that fraud is a possibility and take the necessary precautions. Not every company would necessarily handle the situation as well as CRC have.