UK cyclists hit by fraud after online purchase at website

oh dear

Just waiting for my new bike to arrive from CRC today.

Guess I'll also be waiting for some extra transactions too then.

CRC's silence on this matter sucks...

This very subject also popped up in Bike Radar's Forums too, Most complainants were stung for £15 mobile top ups. Most of these fraudulent transactions were noted by the CC issuers and it seems as if most were refunded.

The Thread in relation to the CRC issues can be found here:

http://www.bikeradar.com/forum/viewtopic.php?t=12762610

Fortunately I (and many others) pay for our CRC purchases via PayPal and (obviously) have not been affected

What is alarming is CRC's silence on this matter, Fortunately the viral networking of the Forums has alerted most (would be) CRC customers to the issue.

Thank you El Reg for getting this strory out there :¬)

if you are lucky

If you are lucky you just get a few transactions on your card that can be reversed out.. However following the Lush hack my wife received a house insurance policy as they obviously had address, name as well as the card details. Typically the insurance company then wanted to charge a cancellation fee for a insurance policy never authorised in the first place! They got told to f*** off.

Maybe one day this kind of crime will be taken seriously, but the police dont care, credit companies just refund the money, retailers seem to get away without any investigation from the ICO and the victim is left with the stress and inconvinence.

Today's date being????

...the common theme of the fraudulent transactions was that they occurred between seven and 10 days after victims purchased goods from chainreactioncycles.com. Purchases at CRC between March 4 to 12 seem to be those most closely associated with subsequent fraud...

What to do with proceeds?

1) Weren't there also similar concerns about another major bike/sports bits retailer about a year ago? (Don't want to name names because I can't remember which one it was)

2) So, assuming I am the scammer, what do I do with the thousands of ten quid top ups? Do I go around selling them for a fiver to corner shops? Can I order real stuff using my prepaid credit balance? Can I divert inbound calling card calls through the mobiles with the stolen credit?

I can't see how the fraudsters benefit from the payg credit. Can someone explain?

infrastructure independently tested?

"Our own infrastructure is routinely and independently tested and we are confident that it is robust,"

"We are working with industry experts including the card processing companies to identify possible causes both inside and outside the control of CRC."

Does that mean the Credit Card data is stored in an encrypted form and is never transmitted across a network in the clear and that all end-to-end transactions are fully and irrevocable audited. Cause if none of this applies then the above robust statements are just so much arse-covering waffle.

@Cilonen

Your not alone there with Lloyds, last May some blighter purchased $5000 worth of garden equipment in Florida with my Credit Card and they insisted for about 6 months that it was me.

It was only when it got to a point where I really threw my toys out of the pram they backed down!

title

Can't we just campaign to make the punishment for this sort of crime public disembowelment - might discourage the perps if we all got to see what they looked like on the inside.

RE: @AC 22:03

"Why would a fraudster buy house insurance on your house in your name? Am I being thick, but I don't see what the tea leaf gets out of this."

I would love to know the answer to this one. I work for an online retailer, and we have a facility for customers to pay by direct debit. We do from time to time get fraudulent attempts, normally from the likes of Vietnam, africa and the likes. These are picked up and cancelled by our systems anyway.

We had an interesting scenario around 12 months ago. An attempt was made to place a DD order. We checked it out and it was fraud, so cancelled. We were then contacted by the police, who informed us that we should keep an eye out for a character who was setting up DDs. The bizarre thing was, this person was using the details of a guy who owned a B&B on the south coast.

Even stranger was that this frauster was taking out Building and Contents insurance on the B&B, also life insurance on the owner, and extra fire cover. The owner of the B&B was obviously quite worried that the place was going to get torched.

The really strange thing though was that the frauster was doing this all in the B&B owners name. So even if something did happen, the person who would benefit would be the owner. The fraudster would not benefit from anything?

The reason the police contacted us, and this is bizarre, is they told us they could do nothing about this unless some money actually changed hands. Up until now, all the attempted DDs had failed, so they could do nothing.

They didn't say this, but reading between the lines they were saying "please allow a transaction to go through and be setup, so we can then go after the guy".

So what the hell was the fraudster getting out of this?

Credit Card Details not Held, apparently.

This statement appears in CRC Terms and Conditions under the heading "Credit Card Security"

"When your order is processed your encrypted credit card number is removed from the web server.

This means that there is no way that someone can obtain your credit card number from CRC so you can order with confidence!"

So assuming this is a true statement, the card number is encrypted wherever it is stored. It states "removed from Web Server" and not database, so I would make the wild assumption that maybe the number is stored in Session for the life cycle of the order processing, and once complete the session is wiped.

This leads me to believe, again assumptions galore, that the site uses a 3rd party payment provider, which they integrate with via an API. The card details are entered onto their site, and then communication with a 3rd party server takes place "in the background".

This should mean that they should comply with the highest level of PCI DSS as they are both storing (in session) the details and transmitting the details to another location for processing.

I personally never handle card details in ecommerce sites I have developed. Far better to offload the whole thing to a reputable payment service provider, via a hosted solution, so you never have to touch, store or see the details ever. If your systems never have that data, then you can never compromise that data.

However, I must add that if you do use a 3rd party provider, you still need to undergo PCI DSS and complete a Self Assessment, and you are responsible for verifying the PCI compliance level of your 3rd party provider.

But I ask the question. Why am I made to jump through all these PCI hoops, scans and checks, but when instances like this happen with big e-tailers, nothing ever seems to happen. I bet if something like this happened to the little guy, there would be many lashes received.

Not Happy

Another victim here. Purchased twice from CRC, once on the 4'th of March and secondly on the 7'th. Discovered CRC had been (and probably still is) compromised this morning while checking through my regular IT related forums, including TheReg. So 15 minutes later and an anxious trip to the ATM to discover two fraudulent transactions totalling 2.5k, both debited this morning.

Not happy.

I know what it is

It's not fraud. It's just an automated fining system.

.

It has recently been set up to automatically penalise anyone who has ever:

Ridden a bike through a red light,

Ridden through pedestrians on a crossing,

Negotiated a turn or roundabout without signalling,

Ridden on the footpath/sidewalk past the age of 8,

Ridden at night without lights,

Ridden two/three/four abreast while chatting to their boyfriends completely oblivious to the traffic building up behind them,

Used the road (badly and without any form of license) without paying for the privilege like all other road users.

.

Mine's the one with the Cycling Proficiency badge on the lapel.

Cyclists eh? Kuh eh? Kuh.

Ha. "(b) cyclists seem to spend a disproportionate amount of time on forums rather than out on their bikes."

That might be because after we've biked to work we have to sit in front of a computer for 8 hours before biking home to our families, probably getting home in the dark and certainly - for now at least - in the dark by the time we do get home. Check the discussions on any bike site and see how it's pretty lively through the working day, but drops enormously during the commute times and over the the weekends. A bit like El Reg in fact.

Still. Nothing like letting the facts get in the way of a gigantic sweeping statement that backs up your own biased views eh?

Here we go again

Muppet. I wondered how long before some ar$ewipe of a commentard decided to drag out the old cliches.

Red lights? Stop - it pisses of the motorists who expect me to live up to their fantasies.

Crossings? never.

Roundabouts? Risky situations those, but I try to give a clear idea of where I'm going.

Footpaths? Nah mate. Pavement pansies get on my tits too.

Lights at night? I like my wife & kids, they seem to like me. Think I'll keep it that way ta.

4 abreast? Sorry chief. Billy Nomates on my cimmutes. Ne'er mind.

"Used the road (badly and without any form of license) without paying for the privilege like all other road users."

FYI. So far this year I've poured £600 worth of diesel into my car. At 70% rake off for HM Treasury that's about £420 in fuel duty & VAT, on top of the £150 VED I paid in December. And they take about £800 off me in stoppages every month, so that's errr.. £2170 so far this year, and another £800 next week when it's payday. Exactly how much would you like me to pay to use the roads?

Roads are paid for out of general taxation. Road Tax was abolished in the 1930s when Churchill got sick of motorists thinking they owned the roads. And as Income Tax was originally a temporary measure to fund yet another war with France, can I get on to HMRC demanding that they use my income tax in the way it was originally intended, and expect an invasion via Calais next Tuesday? Pffft.

And it's licence, not license.