The Register® — Biting the hand that feeds IT

Feeds

UK cyclists hit by fraud after online purchase at website

Caught in the middle of a chain reaction

By John Leyden, 17th March 2011
  • print
  • alert

Agentless Backup is Not a Myth

Updated A suspected security breach at popular UK-based biking site chainreactioncycles.com has been linked by victims to multiple instances of fraud.

Various bike enthusiast forums are alive with complaints (here and here) from customers of the site, several of whom are reporting unauthorised charges on their credit or debit cards. The victims are tied together by having shopped at the bike site over the last fortnight or so.

The majority of fraudulent transactions reported seem to involve mobile phone top-ups to either Vodafone or O2, typically two transactions valued at £15 or so for a total fraudulent amount of £30. However, a small percentage of victims have been taken for thousands of pounds.

The experiences of a Reg reader, who wishes to remain anonymous and was the first to tell us of potential problems, seems typical: "I recently purchased items from the online cycling retailer Chain Reaction. A few days after payment went through, I had a couple of fraudulent transactions on my Visa card, which I cancelled, and got money refunded."

Banking regulations in the UK mean that victims should be able to recover the lost sums, but in the meantime they face an anxious wait and the possibility of being short of cash to pay bills until the mess is sorted out.

Chain Reaction Cycles (CRC) released a holding statement, republished via a thread on popular mountain biking portal MoreDirt.com, that acknowledged reports of problems and stating that it had started an investigation. "Our own infrastructure is routinely and independently tested and we are confident that it is robust," it said. "We are working with industry experts including the card processing companies to identify possible causes both inside and outside the control of CRC."

A spokesman for CRC told El Reg that the ongoing investigation, started on Monday, had thus far not come across anything amiss.

Digital forensics blog ForHacSec adds that the common theme of the fraudulent transactions was that they occurred between seven and 10 days after victims purchased goods from chainreactioncycles.com. Purchases at CRC between March 4 to 12 seem to be those most closely associated with subsequent fraud, it adds. ®

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections
All Reader Comments (50)
Highly Rated
Anonymous Coward
Anonymous Coward

o2 is complicit

It's not just the scale of the fraud, it's the poor response by the retailer and the compicity of o2 that also need addressing.

If you read the very long thread here:

http://www.singletrackworld.com/forum/topic/crc-security-issues

You'll see several things:

1. The fraud has been taking place for several months and now runs into the hundreds of thousands of pounds range.

2. There's no confirmation (tyet) that the police are involved

3. A director of the retailer's ecommerce partner posted to the thread to blame the whole thing on ChainReactionCycles' customers not protecting their PCs

4. The "test purchases" at o2 take place because o2 have allowed their systems for at least 10 years to be used by fraudsters to test whether a card has "verified by visa" or similar associated with it - o2's systems allow the same card number to be used for an attempted purchase multiple times with the result that it can be re-used until the fraudster hits on the correct valid date for the card.

There's more coverage of o2's willingness to overlook a significant volume of fraudulent transactions made via their payment systems for more than 10 years here:

http://www.pardoe.net/cellnet/index.html

10
0
Anonymous Coward
Anonymous Coward
Reply Icon

Not necessarilly CRC

The card transactions probably aren't handled by CRC themselves, but on a third part server. As such you can bet that if the third party was hacked there will be other retailers involved too.

The reasons CRC were the first to be outed in a big way would be (a) cycling accounts for a huge amount of online spending (although every cyclist claims to support their local bike shop) and (b) cyclists seem to spend a disproportionate amount of time on forums rather than out on their bikes.

3
0
Anonymous Coward
Anonymous Coward

Block O2

O2 would make bloody sure they weren't target for fraudulent card purchases if the card clearers blocked ALL payments to O2 when this sort of thing happens. They would only have to do it once for O2 to make sure it never happens again.

2
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17