PBP2011 - (likely) stolen credit card details used for registration

[daniele]

TO: PBP2011 RIDERS

Dear all,

apologies for the disturbing news.

Please check the balance of the credit/debit card that you have used to register for PBP2011.

It seems that several PBP participants have found bad surprises on their accounts, all around the world.

Some japanese and australian riders have started to talk about it on some Google forums:

http://bit.ly/ulFr8O
http://bit.ly/uxOv4G

A long list of italian riders have suffered losses and discussing the matter here (sorry, in italian only):

bit.ly/u5gu02

The provider of the payment service for PBP was "KlikandPay.com" and it is likely that your details are still on their servers.
An account with your address/card details was automatically created at the time of (pre-)registration.
(from the following link:
http://www.klikandpay.com/clients/index.cgi
you can recover your password by asking to send it to your registration email address by following the link "forgotten your password?" on the menu on the right);
I have deleted mine today, but it seems too late now...

Good luck to everyone.

Kind regards,
Daniele (AUK G6624)

[teethgrinder]

Cheers. 
Just deleted my account, I think.
I went into "My details" or whatever it was, deleted all the info in all the boxes, clicked the "update" box. It still had my info of my PBP transactions. So I logged out, then did the "forgot my password" thing again, typed in my email address and it said that it didn't recognise it.
I reckon job done.

[mmmmartin]

I pre-registered but did not qualify so did not ride. But in May I was contacted by my bank and told that a small payment by my credit card had been turned down. It seems small payments are attempted to see if the card is valid, then larger sums are stolen. I had that day been to the dentist and made a credit card payment so informed them. My old card was destroyed and a new one issued. I assumed it was the dentist's payment system. Now I'm not so sure.

[Manotea]

In the help pages there is a reference to the 'close account' page but I could not find it. I've emailed for advice.

[Tewdric]

Fraud was attempted on mine towards the end of November but the bank blocked it.  I had to go through the PITA of getting the card cancelled and reissued.

[Feline]

Mine went on simonp's card so I can't blame my most recent card fraud episode on this (the 3rd in a  year on that card!) 

[mmmmartin]

The links given by Daniele are worth looking at. The Italian one seems to have only three or four people commenting in it, and contain an interesting English summary of a request by the ACP for more details, which people may be able to supply. The Australian one is a warning from the Japanese. So we have a handful of people commenting. My Italian is not up to a decent translation but I bet someone will be along in a minute who can do it. My next question is whether the numbers complaining about being affected are greater than those normally affected by credit card fraud, and what the evidence is tjat PBP registration is a cause. And come to think of it, I'd be surprised if a payment company suffered this sort of fraud as they would instantly be out of business, for ever. But still, it's always worth looking at the credit card bills, innit?

[Feline]

The links given by Daniele are worth looking at. The Italian one seems to have only three or four people commenting in it, and contain an interesting English summary of a request by the ACP for more details, which people may be able to supply. The Australian one is a warning from the Japanese. So we have a handful of people commenting. My Italian is not up to a decent translation but I bet someone will be along in a minute who can do it. My next question is whether the numbers complaining about being affected are greater than those normally affected by credit card fraud, and what the evidence is tjat PBP registration is a cause. And come to think of it, I'd be surprised if a payment company suffered this sort of fraud as they would instantly be out of business, for ever. But still, it's always worth looking at the credit card bills, innit?

CRC is not out of business. I had my debit and credit card out of commission simultaneously last year just before Christmas leaving me unable to do Christmas shopping because of the fraud carried out by their ex-employee. I've since then never used my debit card online other than when forced to, i.e. to renew VED, because you cannot pay any other way.

[Von Broad]

ummmm....well it might be related, but I got a call on Friday morning before I left for work asking if I'd authorized payments for five thousand pounds to a company called X in the last 2 days. "Eh, no, I don't recall that". Logging into my account as I spoke to the woman on the end of the fraud line it was clear to see I'd just had the entire contents of my account emptied in the last 2 days. I keep about 5k in there for work purposes. They put a couple of small payments through first to see that the card was active then wallop, went in for the whole lot! Totally cleaned out.

I am so not on the case with anything related to finance, I would never have noticed until the cashpoint started saying no!

What was perplexing, looking back over the past few weeks of purchasing history, there was the absolutely nothing suspicious. Really odd. Same petrol station, Sainsburys, wood yard, Wickes, Amazon etc so I assumed that people can get access to card details further down the line, deep into the dark recesses of data storage, whatever that might look like.

Thanks for your post Danille, that might [possibly] be mystery solved 

[Note to self: wake up and get a credit card for online activity]

[simonp]

I canceled my card (and had a new one reissued) for other reasons anyway so it won’t affect me.

Anyone who paid on Egg Money will be safe as their cards were replaced by Barclaycard in early Nov (assuming the fraud was recent).

[Schlusslicht]

Got the same problem with my credit card in Germany.
My bank noticed the irregularities and got a new card without loosing of money.

[Euan Uzami]

Cheers. 
Just deleted my account, I think.
I went into "My details" or whatever it was, deleted all the info in all the boxes, clicked the "update" box. It still had my info of my PBP transactions. So I logged out, then did the "forgot my password" thing again, typed in my email address and it said that it didn't recognise it.
I reckon job done.

did you do that on the pbp website or the klikandpay website?
What account did you close... ?
I can't find any way to log in to the pbp website.

[arabella]

Well, I went in to my details etc. and there were no bank details quoted anyway,
So I put a load of rubbish in to make sure, remied my name etc.

[toontra]

Another one done!  I'd been especially careful (I'd thought!) with this card since my details being hacked when using Wiggle, CRC, Paypal and 2 other non-cycling companies - i.e. 5 times in 4 years.  My CC company rang last week to say someone had tried to use my details - this explains it!

[MattH]

It's always worth checking your card, but I'd be a little wary of saying that it is definitely the PBP card processor's fault. 5000 people entered PBP, there's a reasonable chance that if you take any group of 5000 people who travel and use their cards online then quite a few will be subject to card fraud.

The Japanese group may well have had other things in common - e.g. using the same travel agent, staying at the same hotel in France, using the same restaurant/bar pre/post ride, even using their cards at the same place on one of their qualifiers in Japan (assuming that there are not that many 600s running in Japan).

The PBP card processor may be at fault, but they may be completely innocent.

[toontra]

I'd only used that particular card for 3 transactions, so there's a 33% chance of it being KlikandPay.  With the above information I'm inclined to increase the odds to nearer the 100% mark.

I suggest that people keep an eye out for unusual activity on the account they used for this.  With the CRC fraud earlier this year it was many weeks after the compromise that accounts started to be hacked.

[border-rider]

It's always worth checking your card, but I'd be a little wary of saying that it is definitely the PBP card processor's fault. 5000 people entered PBP, there's a reasonable chance that if you take any group of 5000 people who travel and use their cards online then quite a few will be subject to card fraud.

The Japanese group may well have had other things in common - e.g. using the same travel agent, staying at the same hotel in France, using the same restaurant/bar pre/post ride, even using their cards at the same place on one of their qualifiers in Japan (assuming that there are not that many 600s running in Japan).

The PBP card processor may be at fault, but they may be completely innocent.

+1

I travel a fair bit and I fairly often get fraudulent transactions; one hotel in Cologne I now avoid as it always resulted in a new card being needed.

Just the luck of the draw I'd say.  Select 5000 random people in Paris in a given week and no doubt a fair few will get their cards cloned.

[JStone]

Similar story here. The Friday before last I got a phone call from the bank - "Did you just request a large money transfer from your credit card account?". Account blocked, new cards issued.

[Chrisheg]

I heard the same thing from a friend in Audax Kanagawa. A dozen or more Japanese riders had the credit card numbers used for PBP registration stolen.

[Datameister]

Whilst I didn't do PBP, I did pay for Fungus.

Klik&Pay does not have details for any of my e-mail addresses I could have used. Any ideas?

On the phone to Barclaycard, I suppose.

[Phil21]

Thanks for the heads up!

Just changed my pwd (the idiots mail it to you in plain text....aargh) and deleted my email address.

Of course, this doesn't actually guarantee that the details are gone from their server, there's probably an audit table or backup somewhere.

[Manotea]

K&P have come back to me to confirm my account is closed.

They are aware of English & German Audax users closing their account, commenting, "Klik & Pay is processing payments since 10 years without any trouble and we present all guaranties for a payment gateway. We are PCI/DSS, Verified by MacAfee. We are also ISO 27001 and the gateway is under Thawte certificate. All these securities are the guaranty of non hacking of information on our gateway."

I'm not aware of any issues with my credit card account but feel it is good housekeeping to close the K&P account. The only reason for opening the account was to enable PBP payment and it is unlikely I will use it for another four years.

[border-rider]

One issue may be that KlikAndPay sent out the login info & password by email, in the same email. That's not exactly secure...

[Jedrik]

I paid the PBP for myself and a friend with the card that someone got some flight tickets with last week - without prior testing the waters, which I find a bit odd. Caught it myself two days later when checking my bank balance and had the card invalidated right away.

[border-rider]

Well, I went in to my details etc. and there were no bank details quoted anyway,

+1. I removed my address details but there's no financial info there. No obvious way to delete the account though