Are CRC having major web security problems?

Comments

  • anyuser
    anyuser Posts: 51
    JamesFree wrote:
    Well done Chain Reaction I was a victim of fraud from their site and even though I got all my money back from my bank the fact of having no card for 7-10 days is a pain but the £30 voucher they have sent me was very very generous!

    +1 Well done CRC and thanks for the voucher, I have already placed my order.
  • I had my email this morning from CRC. Very generous offer bearing in mind my bank refused to authorise the O2 top ups so no money left my account.

    And I need a new bottom bracket. Means I can afford a Hope one now.

    Thanks CRC...faith restored.
  • Did they send you £30 voucher, or £30 when spending x amount?
    I knew I should have complained to them, but it seemed a bit pointless at the time!
  • Neily03
    Neily03 Posts: 295
    Did they send you £30 voucher, or £30 when spending x amount?
    I knew I should have complained to them, but it seemed a bit pointless at the time!

    It's a £30 e-voucher to use whenever on whatever. I got one too and I didn't even complain about the fraud! :lol::lol: (although I was a victim)
  • I'm amazed that you guys think that giving £30 vouchers to people who have complained amount to "good customer service" on CRCs behalf! To the best of my knowledge Chain Reaction have made no effort to contact customers whose credit card details may have been harvested to warn them to cancel their cards! Certainly they haven't contacted me and somebody attempted to use my card details the night before last! At this stage they must have at least a time frame within which the fraud occurred and in my opinion they are obliged to contact everybody who made a purchase within that time to warn them of a possible compromise. Throwing £30 vouchers at the complainers won't help the people whose card details may be used fraudulently over the next couple of months!
  • Anonymous
    Anonymous Posts: 79,667
    You want CRC to contact everyone in their database, even though they've confirmed that it was a small percentage of transactions that got hijacked?
    Talk to your bank, for chrissakes.
  • Play had some customer email addresses stolen from their email provider... they sent out emails letting people know what had happened and apologising, and follow up emails with more details. If Play can do it, then so can CRC.

    CC details are a bit more important than an email address, and people are still being affected who made purchases last month who might not read forums to know to speak to the bank.
    Yes, they should contact everyone to explain the situation, warn people to check statements and apologise.
  • cooldad
    cooldad Posts: 32,599
    Play had some customer email addresses stolen from their email provider... they sent out emails letting people know what had happened and apologising, and follow up emails with more details. If Play can do it, then so can CRC.

    CC details are a bit more important than an email address, and people are still being affected who made purchases last month who might not read forums to know to speak to the bank.
    Yes, they should contact everyone to explain the situation, warn people to check statements and apologise.

    Except CRC didn't lose email addresses, and would have no way of knowing until contacted by a customer that their credit cards had been misused, so they couldn't contact the affected people before the affected people already knew they had been compromised.
    Does that make sense to you?
    So short of contacting every previous customer, there was little they could do.
    I don't do smileys.

    There is no secret ingredient - Kung Fu Panda

    London Calling on Facebook

    Parktools
  • Yes, of course they don't know who exactly has been affected... but there are still people being affected now who made purchases with CRC. I know because I was down at the bank yesterday sorting out my own accounts!
    There are still people who will be affected, who are currently unaware... the fraudsters don't stop taking money from the account details that they already acquired just because the leak has been fixed. It would not be difficult for them to contact every customer who made purchases within the time frame that they were compromised to warn and apologise. What is difficult about that?

    It is irresponsible not to warn those who may be affected since they know that their website is the problem. My point with play was that they got off their arses and communicated with their customers.
  • I'm amazed that you guys think that giving £30 vouchers to people who have complained amount to "good customer service" on CRCs behalf! To the best of my knowledge Chain Reaction have made no effort to contact customers whose credit card details may have been harvested to warn them to cancel their cards! Certainly they haven't contacted me and somebody attempted to use my card details the night before last! At this stage they must have at least a time frame within which the fraud occurred and in my opinion they are obliged to contact everybody who made a purchase within that time to warn them of a possible compromise. Throwing £30 vouchers at the complainers won't help the people whose card details may be used fraudulently over the next couple of months!

    I didn't complain. In fact I only contacted CRC after they posted a message on this thread asking people to contact them if they been affected. So I emailed them and gave them details of the attempted fraud on my card. The following day I had a phone call from a very polite lady explaining the situation and what they were doing to rectify the problems. At no time did I ask for recompense and I certainly didn't expect any.

    CRC's actions may have been slow at the beginning when the threads started showing a pattern but their actions since have been brilliant. Both at a personal customer level and with updates on the forums.
  • You want CRC to contact everyone in their database, even though they've confirmed that it was a small percentage of transactions that got hijacked?
    Talk to your bank, for chrissakes.

    I'm not suggesting that at all! What I am suggesting is that CRC should contact anyone whose card details have possibly been stolen! At this stage they must have a time window within when the breach occurred and therefore they will have a list of customers whose cards may have been compromised. It would be relatively straightforward to send these people a mail warning them that their details may have been stolen. Plenty of these customers may still have no idea that there has been an issue and may only find out when they go to use their card ...... say for example in a foreign airport while trying to hire a car!!!
  • Anonymous
    Anonymous Posts: 79,667
    Not likely. They know when it was first brought to their attention, and when the security issue was resolved, but they have no real way of knowing how long the exploit was in the wild.
  • This is simply the single biggest pile of horseshit I've ever read in my entire life, and I've read some drivel!

    :roll:
    Leaving the door wide open? They were hacked! In what sounds like a very organized attack by people who really know what they're doing.

    ... and any qualification to judge it as horseshit is completely undermined.

    "Sophisticated" in what is essentially a PR post on an internet forum, does not necessarily mean "sophisticated" in computer security terms. They're hardly likely to say "it was a noddy script kiddie in Sweden that did it" or "it's all our fault, we hadn't patched a 4 year old flaw in our app server software."
    ... The safe had been certified as secure and checked on a regular basis.

    By whom?
    I did everything I could possibly have done.

    You're assuming they did.

    Not that it matters. Given what's happened, I think they've done pretty well on the PR front. Was just trying to make the point that "being hacked" doesn't automatically make you a blameless victim. It can do, in certain limited circumstances, but mostly doesn't.
  • You want CRC to contact everyone in their database, even though they've confirmed that it was a small percentage of transactions that got hijacked?
    Talk to your bank, for chrissakes.

    Actually CRC stated that they had a tiny fraction of complaints identified to them - they did not include the people who did not complain. They would not have known about those who did not complain but my guess is it was a substantial number. I complained - no voucher.
  • bennett_346
    bennett_346 Posts: 5,029
    I'm amazed that you guys think that giving £30 vouchers to people who have complained amount to "good customer service" on CRCs behalf! To the best of my knowledge Chain Reaction have made no effort to contact customers whose credit card details may have been harvested to warn them to cancel their cards! Certainly they haven't contacted me and somebody attempted to use my card details the night before last! At this stage they must have at least a time frame within which the fraud occurred and in my opinion they are obliged to contact everybody who made a purchase within that time to warn them of a possible compromise. Throwing £30 vouchers at the complainers won't help the people whose card details may be used fraudulently over the next couple of months!
    someone wants a voucher...
  • toontra
    toontra Posts: 1,160
    Another victim here. Just checked my online accounts and over £600 gone out to T-Mobile, O2 and Vodafone prepayments in the last 2 weeks.

    Rang CRC and they confirmed an order of mine was inside the period when they were compromised. £30 voucher on its way. Still a pain in the ar$e.


    a serious case of small cogs
  • What was the affected time?
    Scott Reflex 20
    Trek Fuel EX 8 2010

    Work hard . . . . Play hard !
  • nickel
    nickel Posts: 476
    My card was also cloned a few weeks ago with two O2 payments of 15 quid. More worryingly, last week I found out someone had applied for a k's catalogue account with a credit limit of 750 quid in my name, I think they must have planned to have paid it off with my cloned card (which was cancelled immediately) because thankfully no orders had been placed. Scary!
  • deffler
    deffler Posts: 829
    It appears I've been affected too :evil:
    Boardman Hybrid Pro

    Planet X XLS