No Wiggle room: Two weeks after angry bike shop customers report mystery orders on their accounts, firm confirms payment cards delinked

Brit cycling equipment shop Wiggle confirmed to The Reg today it was delinking customers' payment cards from their accounts, two weeks after first receiving complaints that orders were appearing on customers' accounts that they had not made themselves. Ross Clemmow, CEO at Wiggle, told The Reg: "[W]e understand a small number …

  1. Pascal Monett Silver badge

    There is no breach

    There's just idiots with money who reuse their password.

    They are now learning the hard way that that is something you do not do.

    1. Stuart 22

      Re: There is no breach

      The bigger issue is allowing a retailer to store card details so you can cut 3 nanoseconds off placing your order or having to hunt for the last pocket/wallet you *think* you left the real card in.

      I'm surprised a few retailers do have my credit card details ready despite not wanting them stored. Whether it's because the checkbox was well hidden or I checked when I meant not to (or t'other way round) I've no idea. But it would be good if GDPR could force them to make you go through a few more hoops if you really, really wanted this facility.

      1. MiguelC Silver badge

        Re: There is no breach

        Easily averted if you take care to always use one time virtual cards. Even if they keep your card number against your will (or attention), there will be no problem whatsoever.

        1. david 12 Silver badge

          Re: There is no breach

          I would use one time virtual cards if any were available in my market. Which bank / supplier is providing virtual cards?

          1. BebopWeBop

            Re: There is no breach

            which market?

          2. KittenHuffer Silver badge
            Joke

            Re: There is no breach

            Please forward me your login and password to your bank and I will get those virtual card numbers sorted for you!

          3. Anonymous Coward

            Re: There is no breach

            Revolut do virtual cards.

            1. James 139

              Re: There is no breach

              So they do, but in the UK I'd have to pay £6.99 a month for the privilege, not worth it for the times I don't use PayPal.

              I know the fee includes a whole bunch of other "benefits", but I don't have a use for those.

              1. Captain Scarlet
                Mushroom

                Re: There is no breach

                Yup have to agree and having tried 2 prepaid credit cards I found they tended to refuse to be used on nearly everything, so I went back to using my normal credit card (Which then rejected and text "You don't normally buy these, did you order these?", YES I DID RRREEEEEHHHHHHHH!, "Thanks, you might want to try the payment again"). Damnit that order for Argos/Dunelm was infuriating.

                It's no wonder normal people will just tell the site to save their card details.

                1. James 139

                  Re: There is no breach

                  Most places, that I can recall, at least request you provide the CVV number.

                  Before long, we will be having to deal with online shops just like banks, where an automated system phones/texts to confirm it really is us adding a new address, using a pre-approved phone number that requires access to the existing number to change.

              2. Anonymous Coward

                Re: There is no breach

                I think you'll find, if you check like I just did, that you can get a virtual ("disposable") card for free (ie. no fee) on Revolut. I'm not advocating for the product, in my original reply I was just observing that the feature is available there because no one else was offering suggestions.

                1. Captain Scarlet

                  Re: There is no breach

                  hmm I look at it and "Disposable virtual cards" are not on the "free" package, on the "Free" package you get a single physical card.

                  Feel free to link the exact UK page you see.

            2. david 12 Silver badge

              Re: There is no breach

              The fee isn't outrageous for a credit account, (although they look to be making money on their business accounts) and Revolut has an Australian presence. I'll look further.

          4. James 139

            Re: There is no breach

            This is the same problem I had.

            I opened a Cahoot account, now defunct, because it offered a virtual card, which eventually got withdrawn.

            I then found Neteller, who also eventually stopped providing virtual card services.

            Other banks have "promised" them over the years, but it's never come to anything significant enough for me to notice.

            1. Anonymous Coward

              Re: There is no breach

              I have two bank accounts. The one with the debit card is normally empty. If it is used for an online purchase - then the correct amount is transferred into it just before the purchase is made.

              1. John H Woods Silver badge

                Re: There is no breach

                "The one with the debit card is normally empty"

                That's a good strategy, but you usually have a *lot* more comeback for online shopping with a credit card than with a debit card.

            2. Anonymous Coward

              Re: There is no breach

              I still have an account with Cahoot, but can confirm that they dropped their free one time cards.

    2. Doctor Syntax Silver badge

      Re: There is no breach

      "There's just idiots with money who reuse their password."

      Are you sure about that? If it was just a matter of reused IDs and passwords it seems unlikely that there'd be a sudden spate of logins. It's not as if Wiggle even make it hard to guess user IDs - a quick look at their login screen indicates that they're email addresses.

      1. John Jennings

        Re: There is no breach

        The issue here is that they stored the CVV number, as well as the core card details.

        Naughty.

        I haven't used the site, but it looks like they have tried to offer 'one click' ordering, similar to Amazon.

        I don't know if they prompted to store the details.

  2. Chris G

    That Lycra suit cost almost as much as my mountain bike did a few years back, I find a normal pair of shorts and a teeshirt adequate for a bit of off road pedaling, never fancied becoming a Lycranthropist.

    1. Shadow Systems
      Pint

      At Chris G, re: Lycranthropist.

      Please enjoy a pint with my compliments for making me think of "Lycranthropy" as a form of affliction for cyclists.

      Instead of turning into furry beasts with fangs & claws & bad breath, they gain slick skin, skid marks up their backsides, & *really* bad breath.

      =-)P

      1. Chris G

        Re: At Chris G, re: Lycranthropist.

        You are welcome, although I do realise that due to the current sensitivity to words, I may offend a few werewolves.

        If that happens I will try to placate them with a steak through the heart.

        1. Joe W Silver badge

          Re: At Chris G, re: Lycranthropist.

          You have never ridden more than 100km, nor in the rain, I guess. I used to wear lycra shorts because they dry quickly for the commute back, and on longer rides the stuff does not chafe. So do I think I look good in that stuff? Hell, no! Would I wear it off the bike? No.

          1. Chris G

            Re: At Chris G, re: Lycranthropist.

            I used to do the 50 odd miles from Bromley, Kent to Hastings and back fairly often in the late sixties early seventies on some weekends. In those days we would wear a cape in the rain, teeshirt and shorts, that was on an old Claude Butler 10 speed bike, not for sport, just to go see a couple of mates who lived down there.

            Now, at my age, I wouldn't like to inflict me in lycra on to the public, plus I don't go far enough.

            1. Joe W Silver badge

              Re: At Chris G, re: Lycranthropist.

              I have to admit I still do like the term lycranthropy...

              Capes? I'd rather not wear them, I get soaked from the inside, which I do find more disgusting than the rain. It all depends on the weather and distance though. Bike commute one hour in Western Norwegian rain: triathlon shorts and a thin rain jacket. Sure, I was soaked, but I changed at work (showered...) and the stuff was mostly dry in the evening.

              1. Jan 0 Silver badge

                Re: At Chris G, re: Lycranthropist.

                A cycling "cape" back then was a real cape: a bag tailored to fit over your head and extend over the handlebars and down your back. It would keep you much drier than a Goretex jacket in a downpour. However, you could get wet from upward splashes. Modern cyclists call thin, fitted, rain jackets capes. (Maybe it's a mistranslation from French or Italian?)

            2. Anonymous Coward

              Re: At Chris G, re: Lycranthropist.

              I used to do the 50 odd miles from Bromley, Kent to Hastings and back fairly often in the late sixties early seventies on some weekends. In those days we would wear a cape in the rain, teeshirt and shorts, that was on an old Claude Butler 10 speed bike, not for sport, just to go see a couple of mates who lived down there.

              Were you reasonably slim? I remember the dad of a friend of mine telling us that when he used to cycle the 10 miles to school in the 70s, as a fellow man of stature, he used to wrap cellophane around his thighs to avoid chafing.

              Not all of us are built the same, what is fine for some might be impossible for others.

              1. Unoriginal Handle

                Re: At Chris G, re: Lycranthropist.

                Cellophane? Surely wouldn't his thighs have stuck together?

                1. YetAnotherLocksmith Silver badge

                  Re: At Chris G, re: Lycranthropist.

                  I suspect he wore shorts over the cling wrap. After all, to not do so would've left everyone clearly seeing he's nuts.

            3. ICL1900-G3

              Re: At Chris G, re: Lycranthropist.

              Agreed. Lycra should be illegal for anyone over 21 - and quite a few under!

              1. Anonymous Coward

                Re: At Chris G, re: Lycranthropist.

                "Lycra should be illegal for anyone over 21 [...]"

                Some of us have a genetic inheritance - plus a streak of self-discipline - that can avoid the corpulence of advancing age. With a BMI of 20.8 and a flat stomach - in my 70s I am as trim as in my twenties - it just takes more effort to maintain that state.

                1. werdsmith Silver badge

                  Re: At Chris G, re: Lycranthropist.

                  Why then, if you have managed to retain good shape into old age, would you humiliate yourself and undo all that good work by wearing lycra?

                  Lycra is a form of clothing designed to provide comedy.

          2. Shadow Systems

            At Joe W, re: bike riding.

            Actually, I've ridden enough that if I had gotten "frequent flier miles" for it all, then I'd be flying 1st Class for the next few lifetimes.

            I took cycling as my Physical Education class in high school & would often ride 25~50 miles during a single class period. My best friend & I would regularly challenge each other to see who could ride the fastest the farthest, so when it came time to cycle in class we'd easily double if not *quadruple* the rides of our classmates. Our teacher once tried to time us to find out just how fast we were doing. He had a minion at the halfway point with a walkie talkie that would call in when we arrived, then the teacher would stop the clock when we came back. He was used to the other students barely managing to finish in a single class period, so when my friend & I got to his minion in under ten minutes, he tried to accuse us of cheating. We demanded he get his ass on a bike or motorcycle & join us. So he did. The next day he had a Honda Elite scooter & told us to do the ride again. He was *livid* when we hauled ass so fast & far that he had to open the throttle on his scooter to keep up with us, then back off when he realized *we were all exceeding the speed limit for the bike trail*. As in, if we had been on a surface road & doing the same pace, we'd run the risk of getting ticketed by the cops. He backed off & kept us in sight, verified that we hit the midpoint marker in *seven* minutes, and then got back to the start even faster than the previous day's ride. He had to admit we hadn't cheated, gave us our A+'s for the class, & promptly made the two of us go absolutely *last* in any future rides so as to not demoralize the rest of his class.

            He asked us if we rode professionally, we said no, but admitted that we would like to. He had us do a speed test on a surface street to determine if we could keep up a similar pace. He went slack jawed when we, a pair of teenagers on mere tenspeeds, easily kept pace with the traffic. Read that again. Granted it was only a 30MPH zone, but we were still keeping pace with the cars as they flowed along. My teacher asked how long we might keep such cadence up to which we replied that, on the bike trail at least, we'd often maintain it for runs from our high school as a starting point, to where the trail ended in either direction, plus the return trip. He did the math. He told us we were full of shit. We challenged him to ride his scooter with us again so we could prove it. He accepted, we did, he stopped claiming we might be full of shit. The only reason we didn't go pro as the teacher had suggested was because the Team Shimano officer we spoke to during the sign up tried to claim that our submitted timing numbers had to be fake. No amount of explaining or telling him to join us on a ride would change his mind. So we gave him TheFinger & continued to ride for the fun of it.

            My little brother & I would regularly do the "Ride for $Event" charity rides, usually 100 miles or more, and could complete them in under a half day's actual riding time. We'd get to sit at the finish line & drink our juice, eat the sandwich, talk to the race organizers, & then ride back to where we started, passing the "leaders" on their way up. Bro & I would be back home & playing board games for the rest of the time, the other riders often requiring a day or two to finish the same trip.

            I cycled to school every day, then later to work, then to college. I cycled daily until I got married & had my own little minions to deal with, at which point I had to buy a car to haul the wife & squirts. But I still cycled on weekends if nothing else, just to stay in shape.

            It wasn't until I went blind & couldn't ride at all before I stopped, and even then I still had my exercise cycle to get my workout upon.

            Rain, shine, Winter snows, any weather you care to name, I've ridden in it & laughed. But not once did I resort to wearing Lycra. Cotton shorts over boxers in warm weather, thermals & denim pants in cold, wet, or other crappy conditions. Chafing was dealt with by a liberal sprinkling of talcum powder, frequent stops to stretch & pull my clothes out of the cracks, & "air out the naughty bits".

            Please don't assume. It makes an ass out of you and me. =-)

            *Hands you a pint to take the sting out of the rebuke*

            Here's to cycling for the love of the ride.

            *Taps rims & pours the liquid over my head to squeal in glee at the ice cold sluicing falling down my knickers*

            Cold! Cold! Col- ICE CUBE! AAAIIIEEEehahahahahahahhhaha...

        2. RM Myers
          Joke

          Re: At Chris G, re: Lycranthropist.

          You're going to put a steak through their heart? You must have some really tough meat.

          1. Pen-y-gors

            Re: At Chris G, re: Lycranthropist.

            Steak through the heart? Easy. Freeze it first to a nice low temperature then cut to size and hammer away! If you can get some liquid nitrogen it will be pretty solid. I remember a Physics demo when the prof nailed a mercury nail into some wood with a mercury hammer.

            I remember a crime story, victim had been bludgeoned with a heavy blunt object. Cops interviewed wife in kitchen while the previously-frozen chicken was in the oven...

            And in another the victim was stabbed with an icicle, which duly melted...

            1. Anonymous Coward

              Re: At Chris G, re: Lycranthropist.

              "[...] the previously-frozen chicken was in the oven..."

              IIRC a leg of lamb - a natural cudgel shape. The cops then accepted her offer to stay for a meal of the roast.

            2. Anonymous Coward

              Re: At Chris G, re: Lycranthropist.

              "And in another the victim was stabbed with an icicle, which duly melted..."

              Also there was the story of the ice bullet fired at some distance across a town.

        3. BebopWeBop

          Re: At Chris G, re: Lycranthropist.

          think a steak in the mouth might work better.

        4. A.A.Hamilton

          Re: At Chris G, re: Lycranthropist.

          Shum misteak, Shirley?

      2. macjules

        Re: At Chris G, re: Lycranthropist.

        Marvellous word for it. My better half was once verbally assailed by a Lycranthrope in Kings Road where he was holding on the back of her (convertible with top down) car and being pulled along. She stopped and asked him to let go at which he put the bike down and launched into a screaming fit at her. Two things happened:

        1) The vehicle behind her was one of those high-sided waste collection trucks with 2 Polish men - one of them grabbed the bike and threw it into the back of the truck while the other gave the by now apoplectic moron his card and told him he could collect when he learned to keep a civil tongue while talking to a lady.

        2) When the screaming subsided he called the police alleging he had been attacked by my wife and she (not the Poles) had stolen his £5,000 Porsche racing bicycle. He was given a 30 days suspended jail sentence for making a false allegation and settled out of court with my wife for £2,000 and a truly grovelling letter of apology after she wrote to his employer requesting his dismissal.

        Must have been hard for him to walk home on those designer cycling shoes though ...

        1. BebopWeBop

          Re: At Chris G, re: Lycranthropist.

          A Porsche roadbike?

          1. macjules

            Re: At Chris G, re: Lycranthropist.

            Here

            A tad more expensive than they were 12 years ago.

          2. Anonymous IV
            Headmaster

            Re: At Chris G, re: Lycranthropist.

            > A Porsche roadbike?

            Yes, they made them for a short period (2010 or earlier?) "for the man who has everything". It would have been a man, too.

            I suspect that it was a rebadged (and repriced!) version of a bike from a high-end manufacturer, like Bike Friday or Riese & Müller.

            I think they soon realised that riding a Porsche bike didn't have the same cachet and took considerably more effort than sitting in a Porsche car. And the bikes rapidly got stolen by nefarious individuals, however good a lock you put on them...

            1. Anonymous Coward

              Re: At Chris G, re: Lycranthropist.

              "however good a lock you put on them..."

              A cycling friend said that the lighter a bike - the more expensive it was. Therefore the lighter the bike - the heavier the security lock you had to carry on it.

        2. Headless Roland
          Pint

          Re: At Chris G, re: Lycranthropist.

          Gots to wonder how many retellings this went through in the pub before it got here... Unless there was a really determined campaign by the cyclist I can't imagine the DPP getting involved here. The wazzock on the bike might have been slapped with a FPN but a summary judgement?! A charming folk tale.

          Moreover, Porsche have never manufactured a "racing" bike, though anyone who bought any of their bikes has more money than sense so that at least seems consistent.

          1. werdsmith Silver badge

            Re: At Chris G, re: Lycranthropist.

            Like many anecdotes on here. Brothers Grimm....

    2. Warm Braw

      If you had an aerodynamically sculptured helmet, though, a figure-hugging bodysuit would allow its novelty to be better appreciated.

    3. Anonymous Coward Silver badge
      Holmes

      Well obviously you don't wear lycra; for off-roading rule 18 of the velominati applies:

      Rule #18 // Know what to wear. Don’t suffer kit confusion. No baggy shorts and jerseys while riding the road bike. No lycra when riding the mountain bike (unless racing XC). Skin suits only for cyclocross.

      1. Anonymous Coward

        Rule #1 // Know what to wear. Don’t suffer kit confusion. Baggy shorts and jerseys while riding any bike. No lycra when riding any bike.

        My road bike has x15 & x12 thru axles & Shimano disk brakes for maximum compatibility to my mountain bikes & means I have a load of spares from wheels, spokes, pads, cassettes etc.

      2. Anonymous Coward

        "No baggy shorts and jerseys while riding the road bike. "

        The Naked Bike Ride cyclists obey that rule.

  3. Phil S
    Windows

    Not Wiggle's fault?

    I forgot I had a Wiggle account, but my bank sent me a message last night with an authorisation code for £111.73 (oddly specific price, but whatever) for some trainers from them.

    I went to the site and saw the trainers in my basket, a new delivery address (I'm assuming DE in US is Delaware?), and new phone number registered. Changed password to boot them out, took some screenshots and checked all was ok. Luckily it was.

    Going through a password check, for some reason I had Wiggle as the only site with card details using a burner password I use for sites I need to login to see something as a one-off (read a pdf, get a whitepaper etc).

    I did know that list had been compromised thanks to the lovely chap at HaveIBeenPwned, but when I'd looked through the 80+ sites it was used for, I missed Wiggle (probably due to being in alphabetic order, and my own lack of concentration).

    Totally my own fault, and wouldn't have blamed Wiggle at all if it got through, but, thankfully I've got the authentication for payments set up which caught it.

    Most annoying thing was trying to report it to "someone" in case others had been as daft as me. Action Fraud site had categories that this didn't fit into, bank aren't answering phones (and they did their bit), and as far as I was concerned, Wiggle hadn't done anything wrong.

    I got away with it, no thanks to my own laxness at some point, but thankfully it's not been as expensive reminder for me. As a self-punishment I'm making myself change the other non-card-linked passwords, so that'll be a fun weekend!

    1. TheMeerkat

      Re: Not Wiggle's fault?

      The issue here is that they did not ask the buyer to put card details again when they were asked to deliver to a new address.

      1. BoredTyke

        Re: Not Wiggle's fault?

        That's a fair shout - I hadn't considered that (spot the non-IT pro in the room!).

        Though I'm now wondering if I've had to do that when sending stuff from other sites to other addresses (emergency kids books when staying at my parents etc..)?

        Thanks for clearing it up - I need to brush up my thinking!

        1. YetAnotherLocksmith Silver badge

          Re: Not Wiggle's fault?

          What is even more worrying is that the dozens of customers moving to the USA and placing big orders at the same time didn't trigger any sort of fraud response! Surely someone in packing should've also noticed that the complex US shipping addresses were all in the same town, too?

  4. Pen-y-gors

    Delivered to?

    I assume the addresses for delivery aren't the actual home address of the scumbags, but they are a physical address. So, given the lead time, should not law enforcement have been staking some of the addresses out to nab whoever turns up to make the collection, even if they're just mules?

    1. John Jennings

      Re: Delivered to?

      The Federales are likely a little more busy in the US at the moment - more interested in 'direct acquisitions' during the last 3 weeks, than some small time cyberheist.

  5. chivo243 Silver badge
    Devil

    colorful body hugging outfits!

    Tell me again, which super hero are you supposed to be? I see you got the memo about no Capes!

  6. Donn Bly

    Password Reuse? How about defense-in-depth?

    All indications are that this was a "password re-use attack". It would be very interesting to see if a post-mortem can tie a high percentage of these accounts to one or more of the recent password dumps -- or even an old one such as LinkedIn.

    However, we need to start demanding more defense-in-depth when it comes to e-commerce sites. Banning the storage of credit card details would be the most secure, but would not be consumer-friendly (think monthly subscriptions or sites where orders are placed frequently) so we need to find a middle ground.

    I would start by requiring informed consent from the cardholder before allowing card information to be retained for future purchases - something like a totally separate opt-in page and not just an opt-in or opt-out checkbox on a shopping cart. This should be followed up with requiring multi-factor authentication before using any retained credit card information and/or requiring that any orders placed with a stored credit card are only shipped to the billing address.

    The technology is already there, and multi-factor doesn't mean you have to use an authenticator app -- it could be something as simple as sending an email to a pre-registered email address with instructions and a pin # to release the order.

    This doesn't even require legislation - all the payment processing companies have to do is put it in their contracts and ENFORCE it, holding the store owners financially responsible for any suspected fraud that occurs without following the contracted requirements. That way at least consumers have protection, and the protections would be consistent across government jurisdictions.
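
Added example, not part of the original comment and not Wiggle's code: a sketch of the checks proposed in this thread, namely a second factor (or billing-address-only delivery) before a stored card is used, plus the "many accounts suddenly shipping to one place" check raised earlier by YetAnotherLocksmith. The `Order` fields, thresholds, region keys and sample orders are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:                    # hypothetical order record
    order_id: str
    account: str
    placed_at: datetime
    stored_card: bool           # paid with card details retained on the account
    ship_to: str                # normalised delivery address
    ship_region: str            # coarse locality key (country + state/town)
    billing_address: str
    address_added_at: datetime  # when ship_to was first added to the account
    pin_confirmed: bool         # PIN mailed to the pre-registered address was entered


NEW_ADDRESS_AGE = timedelta(days=1)   # assumed: an address is "new" for one day
CLUSTER_WINDOW = timedelta(hours=24)  # assumed look-back window
CLUSTER_ACCOUNTS = 3                  # assumed: distinct accounts that form a cluster


def is_risky_redirect(o):
    """Stored card, delivery away from billing, address added just before ordering."""
    return (o.stored_card and o.ship_to != o.billing_address
            and o.placed_at - o.address_added_at <= NEW_ADDRESS_AGE)


def gate_order(o):
    """Per-order rule: stored card plus non-billing delivery needs the second factor."""
    if not o.stored_card or o.ship_to == o.billing_address:
        return "release"
    return "release" if o.pin_confirmed else "step_up"


def shipping_clusters(orders):
    """Regions where several distinct accounts redirected stored-card orders to
    freshly added addresses inside one window. Returns {region: [accounts]}."""
    by_region = defaultdict(list)
    for o in orders:
        if is_risky_redirect(o):
            by_region[o.ship_region].append(o)
    clusters = {}
    for region, items in by_region.items():
        items.sort(key=lambda o: o.placed_at)
        start = 0
        for end, current in enumerate(items):
            # Slide the window start forward until it spans at most CLUSTER_WINDOW.
            while current.placed_at - items[start].placed_at > CLUSTER_WINDOW:
                start += 1
            accounts = {o.account for o in items[start:end + 1]}
            if len(accounts) >= CLUSTER_ACCOUNTS:
                clusters.setdefault(region, set()).update(accounts)
    return {region: sorted(accts) for region, accts in clusters.items()}


def review(orders):
    """A clustered redirect is held for manual review even when the per-order
    rule alone would have released it; everything else follows gate_order."""
    clusters = shipping_clusters(orders)
    decisions = {}
    for o in orders:
        clustered = is_risky_redirect(o) and o.account in clusters.get(o.ship_region, [])
        decisions[o.order_id] = "hold" if clustered else gate_order(o)
    return decisions


T0 = datetime(2020, 1, 1, 20, 0)  # constructed timestamp


def _o(oid, acct, mins, ship, region, bill, addr_age_mins, pin=False):
    placed = T0 + timedelta(minutes=mins)
    return Order(oid, acct, placed, True, ship, region, bill,
                 placed - timedelta(minutes=addr_age_mins), pin)


# Constructed sample: three accounts redirect to one US region within two hours.
SAMPLE_ORDERS = [
    _o("A1", "alice", 0, "unit 1, example st", "US-DE", "1 high st", 5),
    _o("B1", "bob", 40, "unit 2, example st", "US-DE", "2 mill ln", 3),
    _o("C1", "carol", 95, "unit 3, example st", "US-DE", "3 park rd", 4, pin=True),
    _o("D1", "dave", 10, "4 kirk st", "GB-A", "4 kirk st", 60 * 24 * 400),
    _o("E1", "erin", 30, "9 elm rd", "GB-B", "5 oak ave", 2),
    _o("F1", "frank", 50, "7 bay rd", "GB-C", "6 sea vw", 60 * 24 * 200, pin=True),
]

if __name__ == "__main__":
    for order_id, decision in review(SAMPLE_ORDERS).items():
        print(order_id, decision)
```
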

  7. tip pc Silver badge

    Are chainreaction impacted too?

    Chain Reaction & Wiggle merged back in 2018

    Anyone know if they are suffering from this too?

    https://www.cyclingweekly.com/news/latest-news/wiggle-and-chain-reaction-cycles-officially-announce-merger-211765

    Fairly sure I changed my CRC password a few months ago, just changed Wiggle now. Been a few years since I purchased anything from Wiggle. I’m considering blocking Chain Reaction in Pi-hole because I spend too much on there, eagle gx dub @ £269 was too good to resist last month.

    1. Hikaru

      Re: Are chainreaction impacted too?

      CRC was compromised back in ~2011. During that I had 2.3k taken which thankfully my bank returned in full.

      https://www.theregister.com/2011/03/17/cc_fraud_follows_bike_store_purchases/

  8. hatti

    Just saying

    Lycra and beer bellies do not a good combination make

    1. BebopWeBop

      Re: Just saying

      Oh, I don't know - they may encourage the carrier to reconsider their diet.

    2. Terry Barnes

      Re: Just saying

      Yet no-one complains at well-built middle aged folk wearing football kits while drinking their own weight in lager at the pub.

      1. Anonymous Coward

        Re: Just saying

        Yes they do!

        Heck, we have just had some fairly big protests against them. Not all fash, are fashionable. Many just go with tight stretched football apparel.

  9. all ears

    Where's that picture from?

    I don't know if that was 'shopped, done by a stunt man, or actually happened that way, but I sure hope that guy's OK!

  10. Muscleguy

    Lycra

    Nobody actually wears lycra any more. It wasn’t technical, the new technical fabrics have different branding. I have used Wiggle for running stuff, they don’t just do bikes, catering for the tri crowd as well. Not been there in years, and I don’t reuse pwords.

    1. Anonymous Coward

      Re: Lycra

      "Nobody actually wears lycra any more."

      In some contexts the brand name Lycra has become a catch-all for the similar properties of other synthetic fabrics. Much the same as "hoover", "petrol", "aspirin"....

  11. T 7

    I think it is rather optimistic of the hapless souls that have been charged to think that the goods will be delivered to the fraudsters. Wiggle use Hermes, which is why as a lycra-clad carbon bike riding not quite MA-MIL I left them and asked them to delete my data last year. Any fraudster relying on Hermes to deliver their ill gotten wares might need to reconsider their plans.

    1. YetAnotherLocksmith Silver badge

      I guess that's why they are having the goods posted to the USA then - faster delivery!
