UK cyclists hit by fraud after online purchase at website
Caught in the middle of a chain reaction
Updated A suspected security breach at popular UK-based biking site chainreactioncycles.com has been linked by victims to multiple instances of fraud.
Various bike enthusiast forums are alive with complaints (here and here) from customers of the site, several of whom are reporting unauthorised charges on their credit or debit cards. The victims are tied together by having shopped at the bike site over the last fortnight or so.
The majority of fraudulent transactions reported seem to involve mobile phone top-ups to either Vodafone or O2, typically two transactions valued at £15 or so for a total fraudulent amount of £30. However, a small percentage of victims have been taken for thousands of pounds.
The experiences of a Reg reader, who wishes to remain anonymous and was the first to tell us of potential problems, seems typical: "I recently purchased items from the online cycling retailer Chain Reaction. A few days after payment went through, I had a couple of fraudulent transactions on my Visa card, which I cancelled, and got money refunded."
Banking regulations in the UK mean that victims should be able to recover the lost sums, but in the meantime they face an anxious wait and the possibility of being short of cash to pay bills until the mess is sorted out.
Chain Reaction Cycles (CRC) released a holding statement, republished via a thread on popular mountain biking portal MoreDirt.com, that acknowledged reports of problems and stating that it had started an investigation. "Our own infrastructure is routinely and independently tested and we are confident that it is robust," it said. "We are working with industry experts including the card processing companies to identify possible causes both inside and outside the control of CRC."
A spokesman for CRC told El Reg that the ongoing investigation, started on Monday, had thus far not come across anything amiss.
Digital forensics blog ForHacSec adds that the common theme of the fraudulent transactions was that they occurred between seven and 10 days after victims purchased goods from chainreactioncycles.com. Purchases at CRC between March 4 to 12 seem to be those most closely associated with subsequent fraud, it adds. ®
o2 is complicit
It's not just the scale of the fraud, it's the poor response by the retailer and the compicity of o2 that also need addressing.
If you read the very long thread here:
You'll see several things:
1. The fraud has been taking place for several months and now runs into the hundreds of thousands of pounds range.
2. There's no confirmation (tyet) that the police are involved
3. A director of the retailer's ecommerce partner posted to the thread to blame the whole thing on ChainReactionCycles' customers not protecting their PCs
4. The "test purchases" at o2 take place because o2 have allowed their systems for at least 10 years to be used by fraudsters to test whether a card has "verified by visa" or similar associated with it - o2's systems allow the same card number to be used for an attempted purchase multiple times with the result that it can be re-used until the fraudster hits on the correct valid date for the card.
There's more coverage of o2's willingness to overlook a significant volume of fraudulent transactions made via their payment systems for more than 10 years here:
Not necessarilly CRC
The card transactions probably aren't handled by CRC themselves, but on a third part server. As such you can bet that if the third party was hacked there will be other retailers involved too.
The reasons CRC were the first to be outed in a big way would be (a) cycling accounts for a huge amount of online spending (although every cyclist claims to support their local bike shop) and (b) cyclists seem to spend a disproportionate amount of time on forums rather than out on their bikes.
O2 would make bloody sure they weren't target for fraudulent card purchases if the card clearers blocked ALL payments to O2 when this sort of thing happens. They would only have to do it once for O2 to make sure it never happens again.