back to article No Wiggle room: Two weeks after angry bike shop customers report mystery orders on their accounts, firm confirms payment cards delinked

Brit cycling equipment shop Wiggle confirmed to The Reg today it was delinking customers' payment cards from their accounts, two weeks after first receiving complaints that orders were appearing on customers' accounts that they had not made themselves. Ross Clemmow, CEO at Wiggle, told The Reg: "[W]e understand a small number …

  1. Pascal Monett Silver badge

    There is no breach

    There's just idiots with money who reuse their password.

    They are now learning the hard way that that is something you do not do.

    1. Stuart 22

      Re: There is no breach

      The bigger issue is allowing a retailer to store card details so you can cut 3 nanoseconds off placing your order or having to hunt for the last pocket/wallet you *think* you left the real card in.

      I'm surprised a few retailers do have my credit card details ready despite not wanting them stored. Whether it's because the checkbox was well hidden or I checked when I meant not too (or t'other way round) I've no idea. But it would be good if GDPR could force them to make you go through a few more hoops if you really, really wanted this facility.

      1. MiguelC Silver badge

        Re: There is no breach

        Easily averted if you take care to always use one time virtual cards. Even if they keep you card number against your will (or attention), there will be no problem whatsoever.

        1. david 12

          Re: There is no breach

          I would use one time virtual cards if any were available in my market. Which bank / supplier is providing virtual cards?

          1. BebopWeBop Silver badge

            Re: There is no breach

            which market?

          2. KittenHuffer Silver badge
            Joke

            Re: There is no breach

            Please forward me your login and password to your bank and I will get those virtual card numbers sorted for you!

          3. Anonymous Coward
            Anonymous Coward

            Re: There is no breach

            Revolut do virtual cards.

            1. James 139

              Re: There is no breach

              So they do, but in the UK I'd have to pay £6.99 a month for the priveledge, not worth it for the times I don't use paypal.

              I know the fee includes a whole bunch of other "benefits", but I don't have a use for those.

              1. Captain Scarlet Silver badge
                Mushroom

                Re: There is no breach

                Yup have to agree and having tried 2 prepaid credit cards I found they tended to refuse to be used on nearly everything, so I went back to using my normal credit card (Which then rejected and text "You don't normally buy these, did you order these?", YES I DID RRREEEEEHHHHHHHH!, "Thanks, you might want to try the payment again"). Damnit that order for Argos/Dunelm was infuriating.

                Its no wonder normal people will just tell the site to save their card details.

                1. James 139

                  Re: There is no breach

                  Most places, that I can recall, at least request you provide the CVV number.

                  Before long, we will be having to deal with online shops just like banks, where an automated system phones/texts to confirm it really is us adding a new address, using a pre-approved phone number that requires access to the existing number to change.

              2. Anonymous Coward
                Anonymous Coward

                Re: There is no breach

                I think you'll find, if you check like I just did, that you can get a virtual ("disposable") card for free (ie. no fee) on Revolut. I'm not advocating for the product, in my original reply I was just observing that the feature is available there because no one else was offering suggestions.

                1. Captain Scarlet Silver badge

                  Re: There is no breach

                  hmm I look at it and "Disposable virtual cards" are not on the "free" package, on the "Free" package you get a single physical card.

                  Feel free to link the exact UK page you see.

            2. david 12

              Re: There is no breach

              The fee isn't outrageous for a credit account, (although they look to be making money on their business accounts) and Revolut has an Australian presence. I'll look further.

          4. James 139

            Re: There is no breach

            This is the same problem I had.

            I opened a Cahoot account, now defunct, because it offered a virtual card, which eventually got withdrawn.

            I then found Neteller, who also eventually stopped providing virtual card services.

            Other banks have "promised" them over the years, but its never come to anything signficant enough for me to notice.

            1. Anonymous Coward
              Anonymous Coward

              Re: There is no breach

              I have two bank accounts. The one with the debit card is normally empty. If it is used for an online purchase - then the correct amount is transferred into it just before the purchase is made.

              1. John H Woods Silver badge

                Re: There is no breach

                "The one with the debit card is normally empty"

                That's a good strategy, but you usually have a *lot* more comeback for online shopping with a credit card than with a debit card.

            2. Anonymous Coward
              Anonymous Coward

              Re: There is no breach

              I still have an account with Cahoot, but can confirm that they dropped their free one time cards.

    2. Doctor Syntax Silver badge

      Re: There is no breach

      "There's just idiots with money who reuse their password."

      Are you sure about that? If was just a matter of reused IDs and passwords it seems unlikely that there'd be a sudden spate of logins. It's not as if Wiggle even make it hard to guess user IDs - a quick look at their login screen indicates that they're email addresses.

      1. John Jennings Bronze badge

        Re: There is no breach

        The issue here is that they stored the CVV number, as well as the core card details.

        Naughty.

        I havent used the site, but it looks like they have tried to offer 'one click' ordering, similar to Amazon.

        I dont know it they prompted to store the details

  2. Chris G Silver badge

    That Lycra suit cost almost as much as my mountain bike did a few years back, I find a normal pair of shorts and a teeshirt adequate for a bit of off road pedaling, never fancied becoming a Lycranthropist.

    1. Shadow Systems Silver badge
      Pint

      At Chris G, re: Lycranthropist.

      Please enjoy a pint with my compliments for making me think of "Lycranthropy" as a form of affliction for cyclists.

      Instead of turning into furry beasts with fangs & claws & bad breath, they gain slick skin, skid marks up their backsides, & *really* bad breath.

      =-)P

      1. Chris G Silver badge

        Re: At Chris G, re: Lycranthropist.

        You are welcome, although I do realise that due to the current sensitivity to words, I may offend a few werewolves.

        If that happens I will try to placate them with a steak through the heart.

        1. Joe W Silver badge

          Re: At Chris G, re: Lycranthropist.

          You have never ridden more than 100km, nor in the rain, I guess. I used to wear lycra shorts because they dry quickly for the commute back, and on longer rides the stuff does not chafe. So do I think I look good in that stuff? Hell, no! Would I wear it off the bike? No.

          1. Chris G Silver badge

            Re: At Chris G, re: Lycranthropist.

            I used to do the 50 odd miles from Bromley, Kent to Hastings and back fairly often in the late sixties early seventies on some weekends. In those days we would wear a cape in the rain, teeshirt and shorts, that was on an old Claude Butler 10 speed bike, not for sport, just to go see a couple of mates who lived down there.

            Now, at my age, I wouldn't like to inflict me in lycra on to the public, plus I don't go far enough.

            1. Joe W Silver badge

              Re: At Chris G, re: Lycranthropist.

              I have to admit I still do like the term lycranthopy...

              Capes? I'd rather not wear them, I get soaked from the inside,which I do find more disgusting than the rain. It all depends on the weather and distance though. Bike commute one hour in Western Norwegian rain: triathlon shorts and a thin rain jacket. Sure, I was soaked, but I changed at work (showered...) and the stuff was mostly dry in the evening.

              1. Jan 0 Silver badge

                Re: At Chris G, re: Lycranthropist.

                A cycling "cape" back then was a real cape: a bag tailored to fit over your head and extend over the handlebars and down your back. It would keep you much drier than a Goretex jacket in a downpour. However, you could get wet from upward splashes. Modern cyclists call thin, fitted, rain jackets capes. (Maybe it's a mistranslation from French or Italian?)

            2. Anonymous Coward
              Anonymous Coward

              Re: At Chris G, re: Lycranthropist.

              I used to do the 50 odd miles from Bromley, Kent to Hastings and back fairly often in the late sixties early seventies on some weekends. In those days we would wear a cape in the rain, teeshirt and shorts, that was on an old Claude Butler 10 speed bike, not for sport, just to go see a couple of mates who lived down there.

              Were you reasonably slim? I remember the dad of a friend of mine telling us that when he used to cycle the 10 miles to school in the 70s, as a fellow man of stature, he used to wrap cellophane around his thighs to avoid chafing.

              Not all of us are built the same, what is fine for some might be impossible for others.

              1. Unoriginal Handle

                Re: At Chris G, re: Lycranthropist.

                Cellophane? Surely wouldn't his thighs have stuck together?

                1. YetAnotherLocksmith

                  Re: At Chris G, re: Lycranthropist.

                  I suspect he wore shorts over the cling wrap. After all, to not do so would've left everyone clearly seeing he's nuts.

            3. ICL1900-G3

              Re: At Chris G, re: Lycranthropist.

              Agreed. Lycra should be illegal for anyone over 21 - and quite a few under!

              1. Anonymous Coward
                Anonymous Coward

                Re: At Chris G, re: Lycranthropist.

                "Lycra should be illegal for anyone over 21 [...]"

                Some of us have a genetic inheritance - plus a streak of self-discipline - that can avoid the corpulence of advancing age. With a BMI of 20.8 and a flat stomach - in my 70s I am as trim as in my twenties - it just takes more effort to maintain that state.

                1. werdsmith Silver badge

                  Re: At Chris G, re: Lycranthropist.

                  Why then, if you have managed to retain good shape into old age, would you humiliate yourself and undo all that good work by wearing lycra?

                  Lycra is a form of clothing designed to provide comedy.

          2. Shadow Systems Silver badge

            ,At Joe W, re: bike riding.

            Actually, I've ridden enough that if I had gotten "frequent flier miles" for it all, then I'd be flying 1st Class for the next few lifetimes.

            I took cycling as my Physical Education class in high school & would often ride 25~50 miles during a single class period. My best friend & I would regularly challenge each other to see whom could ride the fastest the farthest, so when it came time to cycle in class we'd easily double if not *quadruple* the rides of our classmates. Our teacher once tried to time us to find out just how fast we were doing. He had a minion at the halfway point with a walkie talkie that would call in when we arrived, then the teacher would stop the clock when we came back. He was used to the other students barely managing to finish in a single class period, so when my friend & I got to his minion in under ten minutes, he tried to accuse us of cheating. We demanded he get his asson a bike or motorcycle & join us. So he did. The next day he had a Honda Elite scooter & told us to do the ride again. He was *livid* when we hauled ass so fast & far that he had to open the throttle on his scooter to keep up with us, then back off when he realized *we were all exceeding the speed limit for the bike trail*. As in, if we had been on a surface road & doing the same pace, we'd run the risk of getting ticketed by the cops. He backed off & kept us in sight, verified that we hit the midpoint marker in *seven* minutes, and then got back to the start even faster than the previous days' ride. He had to admit we hadn't cheated, gave us our A+'s for the class, & promptly made the two of us go absolutely *last* in any future rides so as to not demoralize the rest of his class.

            He asked us if we rode proffessionally, we said no, but admitted that we would like to. He had us do a speed test on a surface street to determine if we could keep up a similar pace. He went slack jawed when we, a pair of teenagers on mere tenspeeds, easily kept pace with the traffic. Read that again. Granted it was only a 30MPH zone, but we were still keeping pace with the cars as they flowed along. My teacher asked how long we might keep such cadence up to which we replied that, on the bike trail at least, we'd often maintain it for runs from our high school as a starting point, to where the trail ended in either direction, plus the return trip. He did the math. He told us we were full of shit. We challenged him to ride his scooter with us again so we could prove it. He accepted, we did, he stopped claiming we might be full of shit. The only reason we didn't go pro as the teacher had suggested was because the Team Shimano officer we spoke to during the sign up tried to claim that our submitted timing numbers had to be fake. No amount of explaining or telling him to join us on a ride would change his mind. So we gave him TheFinger & continued to ride for the fun of it.

            My little brother & I would regularly do the "Ride for $Event" charity rides, usually 100 miles or more, and could complete them in under a half days' actual riding time. We'd get to sit at the finish line & drink our juice, eat the sandwich, talk to the race organizers, & then ride back to where we started, passing the "leaders" on their way up. Bro & I would be back home & playing board games for the rest of the time, the other riders often requiring a day or two to finish the same trip.

            I cycled to school every day, then later to work, then to college. I cycled daily until I got married & had my own little minions to deal with, at which point I had to buy a car to haul the wife & squirts. But I still cycled on weekends if nothing else, just to stay in shape.

            It wasn't until I went blind & couldn't ride at all before I stopped, and even then I still had my excersize cycle to get my workout upon.

            Rain, shine, Winter snows, any weather you care to name, I've ridden in it & laughed. But not once did I resort to wearing Lycra. Cotton shorts over boxers in warm weather, thermals & denim pants in cold, wet, or other crappy conditions. Chafing was dealt with by a liberl sprinkling of talcum powder, frequent stops to stretch & pull my clothes out of the cracks, & "air out the naughty bits".

            Please don't assume. It makes an ass out of you and me. =-)

            *Hands you a pint to take the sting out of the rebuke*

            Here's to cycling for the love of the ride.

            *Taps rims & pours the liquid over my head to squeal in glee at the ice cold sluicing falling down my knickers*

            Cold! Cold! Col- ICE CUBE! AAAIIIEEEehahahahahahahhhaha...

        2. RM Myers Silver badge
          Joke

          Re: At Chris G, re: Lycranthropist.

          You're going to put a steak through their heart? You must have some really tough meat.

          1. Pen-y-gors Silver badge

            Re: At Chris G, re: Lycranthropist.

            Steak through the heart? Easy. Freeze it first to a nice low temperature then cut to size and hammer away! If you can get some liquid nitrogen it will be pretty solid. I remember a Physics demo when the prof nailed a mercury nail into some wood with a mercury hammer.

            I remember a crime story, victim had been bludgeoned with a heavy blunt object. Cops interviewed wife in kitchen while the previously-frozen chicken was in the oven...

            And in another the the victim was stabbed with an icicle, which duly melted...

            1. Anonymous Coward
              Anonymous Coward

              Re: At Chris G, re: Lycranthropist.

              "[...] the previously-frozen chicken was in the oven..."

              IIRC a leg of lamb - a natural cudgel shape. The cops then accepted her offer to stay for a meal of the roast.

            2. Anonymous Coward
              Anonymous Coward

              Re: At Chris G, re: Lycranthropist.

              "And in another the the victim was stabbed with an icicle, which duly melted..."

              Also there was the story of the ice bullet fired at some distance across a town.

        3. BebopWeBop Silver badge

          Re: At Chris G, re: Lycranthropist.

          think a steak in the mouth might work better.

        4. A.A.Hamilton

          Re: At Chris G, re: Lycranthropist.

          Shum misteak, Shirley?

      2. macjules Silver badge

        Re: At Chris G, re: Lycranthropist.

        Marvellous word for it. My better half was once verbally assailed by an Lycranthrope in Kings Road where he was holding on the back of her (convertible with top down) car and being pulled along. She stopped and asked him to let go at which he put the bike down and launched into a screaming fit at her. Two things happened:

        1) The vehicle behind her was one of those high-sided waste collection trucks with 2 Polish men - one of them grabbed the bike and threw it into the back of the truck while the other gave the by now apoplectic moron his card and told him he could collect when he learned to keep a civil tongue while talking to a lady.

        2) When the screaming subsided he called the police alleging he had been attacked by my wife and she (not the Poles) had stolen his £5,000 Porsche racing bicycle. He was given a 30 days suspended jail sentence for making a false allegation and settled out of court with my wife for £2,000 and a truly grovelling letter of apology after she wrote to his employer requesting his dismissal.

        Must have been hard for him to walk home on those designer cycling shoes though ...

        1. BebopWeBop Silver badge

          Re: At Chris G, re: Lycranthropist.

          A Porsche roadbike?

          1. macjules Silver badge

            Re: At Chris G, re: Lycranthropist.

            Here

            A tad more expensive than they were 12 years ago.

          2. Anonymous IV
            Headmaster

            Re: At Chris G, re: Lycranthropist.

            > A Porsche roadbike?

            Yes, they made them for a short period (2010 or earlier?) "for the man who has everything". It would have been a man, too.

            I suspect that it was a rebadged (and repriced!) version of a bike from a high-end manufacturer, like Bike Friday or Riese & Müller.

            I think they soon realised that riding a Porsche bike didn't have the same cachet and took considerably more effort than sitting in a Porsche car. And the bikes rapidly got stolen by nefarious individuals, however good a lock you put on them...

            1. Anonymous Coward
              Anonymous Coward

              Re: At Chris G, re: Lycranthropist.

              "however good a lock you put on them..."

              A cycling friend said that the lighter a bike - the more expensive it was. Therefore the lighter the bike - the heavier the security lock you had to carry on it.

        2. Headless Roland
          Pint

          Re: At Chris G, re: Lycranthropist.

          Gots to wonder how many retellings this went through in the pub before it got here... Unless there was a really determined campaign by the cyclist I can't imagine the DPP getting involved here. The wazzock on the bike might have been slapped with a FPN but a summary judgement?! A charming folk tale.

          Moreover, Porsche have never manufactured a "racing" bike, though anyone who bought any of their bikes has more money than sense so that at least seems consistent.

          1. werdsmith Silver badge

            Re: At Chris G, re: Lycranthropist.

            Like many anecdotes on here. Brothers Grimm....

    2. Warm Braw Silver badge

      If you had an aerodynamically sculptured helmet, though, a figure-hugging bodysuit would allow its novelty to be better appreciated.

    3. Anonymous Coward Silver badge
      Holmes

      Well obviously you don't wear lycra; for off-roading rule 18 of the velominati applies:

      Rule #18 // Know what to wear. Don’t suffer kit confusion.No baggy shorts and jerseys while riding the road bike. No lycra when riding the mountain bike (unless racing XC). Skin suits only for cyclocross.

      1. Anonymous Coward
        Anonymous Coward

        Rule #1 // Know what to wear. Don’t suffer kit confusion. Baggy shorts and jerseys while riding any bike. No lycra when riding any bike.

        my road bike has x15 & x12 thru axles & shimano disk brakes for maximum compatibility to my mountain bikes & means i have a load of spares from wheels, spokes, pads cassettes etc.

      2. Anonymous Coward
        Anonymous Coward

        "No baggy shorts and jerseys while riding the road bike. "

        The Naked Bike Ride cyclists obey that rule.

  3. Phil S
    Windows

    Not Wiggle's fault?

    I forgot I had a Wiggle account, but my bank sent me a message last night with an authorisation code for £111.73 (oddly specific price, but whatever) for some trainers from them.

    I went to the site and saw the trainers in my basket, a new delivery address (I'm assuming DE in US is Delaware?), and new phone number registered. Changed password to boot them out, took some screenshots and checked all was ok. Luckily it was.

    Going through a password check, for some reason I had Wiggle as the only site with card details using a burner password I use for sites I need to login to see something as a one-off (read a pdf, get a whitepaper etc).

    I did know that list had been compromised thanks to the lovely chap at HaveIBeenPwned, but when I'd looked through the 80+ sites it was used for, I missed Wiggle (probably due to being in alphabetic order, and my own lack of concentration).

    Totally my own fault, and wouldn't have blamed Wiggle at all if it got through, but, thankfully I've got the authentication for payments set up which caught it.

    Most annoying thing was trying to report it to "someone" in case others had been as daft as me. Action Fraud site had categories that this didn't fit into, bank aren't answering phones (and they did their bit), and as far as I was concerned, Wiggle hadn't done anything wrong.

    I got away with it, no thanks to my own laxness at some point, but thankfully it's not been as expensive reminder for me. As a self-punishment I'm making myself change the other non-card-linked passwords, so that'll be a fun weekend!

    1. TheMeerkat Bronze badge

      Re: Not Wiggle's fault?

      The issue here is that they did not ask the buyer to put card details again when they were asked to deliver to a new address.

      1. BoredTyke

        Re: Not Wiggle's fault?

        That's a fair shout - I hadn't considered that (spot the non-IT pro in the room!).

        Though I'm now wondering if I've had to do that when sending stuff from other sites to other addresses (emergency kids books when staying a my parents etc..)?

        Thanks for clearing it up - I need to brush up my thinking!

        1. YetAnotherLocksmith

          Re: Not Wiggle's fault?

          What is even more worrying is that the dozens of customers moving to the USA and placing big orders at the same time didn't trigger any sort of fraud response! Surely someone in packing should've also noticed that the complex US shipping addresses were all in the same town, too?

  4. Pen-y-gors Silver badge

    Delivered to?

    I assume the addresses for delivery aren't the actual home address of the scumbags, but they are a physical address. So, given the lead time, should not law enforcement have been staking some of the addresses out to nab whoever turns up to make the collection, even if they're just mules?

    1. John Jennings Bronze badge

      Re: Delivered to?

      the Fedarales are likely a little more busy in the US at the moment - more interested in 'direct acquisitions' during the last 3 weeks, than some small time cyberheist.

  5. chivo243 Silver badge
    Devil

    colorful body hugging outfits!

    Tell me again, which super hero are you supposed to be? I see you got the memo about no Capes!

  6. Donn Bly

    Password Reuse? How about defense-in-depth?

    All indications are that this was a "password re-use attack". It would be very interesting to see if a post-mortem can tie a high percentage of these accounts to one or more of the recent password dumps -- or even an old one such as Linked In.

    However, we need to start demanding more defense-in-depth when it comes to e-commerce sites. Banning the storage of credit card details would be the most secure, but would not be consumer-friendly (think monthly subscriptions or sites where orders are placed frequently) so we need to find a middle ground.

    I would start by requiring informed consent from the cardholder before allowing card information to retained for future purchases - something like a totally separate opt-in page and not just an opt-in or out-out checkbox on a shopping cart. This should be followed up with requiring multi-factor authentication before using any retained credit card information and/or requiring that any orders placed with a stored credit card are only shipped to the billing address.

    The technology is already there, and multi-factor doesn't mean you have to use an authenticator app -- it could be something as simple as sending an email to a pre-registered email address with instructions and a pin # to release the order.

    This doesn't even require legislation - all the payment processing companies have to do is put it in their contracts and ENFORCE it, holding the store owners financially responsible for any suspected fraud that occurs without following the contracted requirements. That way at least consumers have protection, and the protections would be consistent across government jurisdictions.

  7. tip pc Silver badge

    Are chainreaction impacted too?

    Chain reaction & Wiggle merged back in 2018

    Anyone know if they are suffering from this too?

    https://www.cyclingweekly.com/news/latest-news/wiggle-and-chain-reaction-cycles-officially-announce-merger-211765

    Fairly sure I changed my crc password a few months ago, just changed wiggle now. Been a few years since I purchased anything from wiggle. I’m considering blocking chain reaction in Pihole because I spend too much on there, eagle gx dub @ £269 was too good to resist last month.

    1. Hikaru

      Re: Are chainreaction impacted too?

      CRC was compromised back in ~2011. During that I had 2.3k taken which thankfully my bank returned in full.

      https://www.theregister.com/2011/03/17/cc_fraud_follows_bike_store_purchases/

  8. hatti

    Just saying

    Lycra and beer bellies do not a good combination make

    1. BebopWeBop Silver badge

      Re: Just saying

      Oh, I don't know - they may encourage the carrier to reconsider their diet.

    2. Terry Barnes

      Re: Just saying

      Yet no-one complains at well-built middle aged folk wearing football kits while drinking their own weight in lager at the pub.

      1. Anonymous Coward
        Anonymous Coward

        Re: Just saying

        Yes they do!

        Heck, we have just had some fairly big protests against them. Not all fash, are fashionable. Many just go with tight stretched football apparel.

  9. all ears

    Where's that picture from?

    I don't know if that was 'shopped, done by a stunt man, or actually happened that way, but I sure hope that guy's OK!

  10. Muscleguy Silver badge

    Lycra

    Nobody actually wears lycra any more. It wasn’t technical, the new technical fabrics have different branding. I have used Wiggle for running stuff, they don’t just do bikes, catering for the tri crowd as well. Not been there in years but and I don’t reuse pwords.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lycra

      "Nobody actually wears lycra any more."

      In some contexts the brand name Lycra has become a catch-all for the similar properties of other synthetic fabrics. Much the same as "hoover", "petrol", "aspirin"....

  11. T 7

    I think it is rather optimistic of the hapless souls that have been charged to think that the goods will be delivered to the fraudsters. Wiggle use Hermes, which is why as a lycra-clad carbon bike riding not quite MA-MIL I left them and asked them to delete my data last year. Any fraudster relying on hermes to deliver their ill gotten wares might need to reconsider their plans.

    1. YetAnotherLocksmith

      I guess that's why they are having the goods posted to the USA then - faster delivery!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020