
Hy-Vee Security Breach


Matt Christian


I discussed this in my security community last week as it came across our internal alerts.  The chip & signature is designed to prevent this by adopting an APDU command sequence instead of using static values, and the only data in transit from the card reader to the server is a single transaction encrypted block.  It cannot be replayed.

 

Since this is a Tesla forum, I doubt anyone here is affected by using their pay-at-the-pump platform as cited in the article.  Where it does come into play is at the Market Grille.  If you check your receipts and see "EMV" or "chip" you're fine.  I wish the article had given more detail as to the time frame of the transactions. 

 

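A simplified model of the replay resistance described in the post above, added here as an example and not code from the thread or from any payment system. HMAC-SHA256 stands in for the real EMV cryptogram computation, and the key, class names and track string are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values: HMAC-SHA256 stands in for the real EMV cryptogram algorithm.
CARD_KEY = b"constructed-demo-card-key"
STATIC_TRACK = "TRACK2-CONSTRUCTED-0000"   # stands in for static magstripe data

def _encode(amount_cents, un, atc):
    # Data bound into the cryptogram: amount, terminal nonce, card counter.
    return amount_cents.to_bytes(6, "big") + un + atc.to_bytes(2, "big")

class ChipCard:
    """Card side: a transaction counter (ATC) advances on every transaction."""
    def __init__(self, key):
        self.key, self.atc = key, 0

    def generate_cryptogram(self, amount_cents, un):
        self.atc += 1
        mac = hmac.new(self.key, _encode(amount_cents, un, self.atc), hashlib.sha256)
        return self.atc, mac.hexdigest()

class Issuer:
    """Issuer side: recompute the cryptogram and refuse any counter already seen."""
    def __init__(self, key):
        self.key, self.last_atc = key, 0

    def authorize_chip(self, amount_cents, un, atc, cryptogram):
        mac = hmac.new(self.key, _encode(amount_cents, un, atc), hashlib.sha256)
        if not hmac.compare_digest(mac.hexdigest(), cryptogram):
            return "declined: bad cryptogram"
        if atc <= self.last_atc:
            return "declined: replayed counter"
        self.last_atc = atc
        return "approved"

    def authorize_magstripe(self, track):
        # Static data carries nothing tied to one transaction, so it validates every time.
        return "approved" if track == STATIC_TRACK else "declined"

def demo():
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    un = bytes.fromhex("a1b2c3d4")   # terminal's unpredictable number (constructed)
    atc, ac = card.generate_cryptogram(1999, un)
    first = issuer.authorize_chip(1999, un, atc, ac)
    replay = issuer.authorize_chip(1999, un, atc, ac)         # same message resent
    altered = issuer.authorize_chip(99999, un, atc + 1, ac)   # fields changed, old cryptogram
    stripe = [issuer.authorize_magstripe(STATIC_TRACK) for _ in range(2)]
    return first, replay, altered, stripe
```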

3 hours ago, Vexar said:

I discussed this in my security community last week as it came across our internal alerts.  The chip & signature is designed to prevent this by adopting an APDU command sequence instead of using static values, and the only data in transit from the card reader to the server is a single transaction encrypted block.  It cannot be replayed.

In my security circles we just talked about how it was about time this happened.

 

Chip alone won't save us, and chip+pin is a hassle for so many folks (and the idea that PIN for debit where you lose some of your protection is just shitty) that they just cancel right through it. Hell, my CU gives me money every month to *not* enter my PIN or use my card as a debit card.


The article said somewhat unclearly it was not their chip readers, only their mag stripe readers, so maybe we are not in agreement there?  Chip & PIN costs seconds that most retailers don't want to spend, and some don't even seek a signature.  They literally price out the fraud cost and the labor cost / buyer delay and would rather take the risk.  I find that revolting.  I won't post it publicly, but ask me about 1-800 FLOWERS if the occasion presents itself.  There are worse stories about managing risk!

 

What I find interesting is that a tier 1 merchant was able to get away with not having chip readers on every system in their infrastructure. 

 

Sounds like a funky credit union.  Yeah, always use your Debit card as a VISA/Mastercard.  When you use it in debit mode, well, let's just assume that such transaction information is more valuable to identity thieves. 

 


7 hours ago, Vexar said:

Sounds like a funky credit union.  Yeah, always use your Debit card as a VISA/Mastercard.  When you use it in debit mode, well, let's just assume that such transaction information is more valuable to identity thieves. 

Nah, debit transactions aren't protected the same.

 

https://money.cnn.com/2013/12/20/pf/expert/debit-credit-cards/index.html is just one of the items, and the recovery of your funds can take a very long time.

 

I mean, largest credit union in MN can't be that funky, amiright?


I may be missing something here.  If you use your debit card on the ... VISA network and don't punch in a PIN, is it a credit card purchase or a debit purchase?  Doesn't that depend on how your bank has it set up? 

 

True about debit fraud.  Nobody notices that detail until it's a problem.


19 hours ago, Vexar said:

I may be missing something here.  If you use your debit card on the ... VISA network and don't punch in a PIN, is it a credit card purchase or a debit purchase?  Doesn't that depend on how your bank has it set up? 

Yes, exactly.

 

No PIN it is CC, with PIN it is debit.


Has been this way forever.

