Matt Christian Posted August 26, 2019 Share Posted August 26, 2019 Bad news for Hy-Vee, the local MN Tesla supercharger host/partner. If you've used your credit/debit card at a Hy-Vee Supermarket recently then you may need to replace that plastic with new numbers soon. Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards 1 Quote Link to comment Share on other sites More sharing options...
mike Posted August 26, 2019 Share Posted August 26, 2019 I posted this around when it happened - didn't think to post it here - thanks! Quote Link to comment Share on other sites More sharing options...
Vexar Posted August 27, 2019 Share Posted August 27, 2019 I discussed this in my security community last week as it came across our internal alerts. The chip & signature is designed to prevent this by adopting an ADPU command sequence instead of using static values, and the only data in transit from the card reader to the server is a single transaction encrypted block. It cannot be replayed. Since this is a Tesla forum, I doubt anyone here is affected by using their pay-at-the-pump platform as cited in the article. Where it does come into play is at the Market Grille. If you check your receipts and see "EMV" or "chip" you're fine. I wish the article had given more detail as to the time frame of the transactions. 1 Quote Link to comment Share on other sites More sharing options...
mike Posted August 27, 2019 Share Posted August 27, 2019 3 hours ago, Vexar said: I discussed this in my security community last week as it came across our internal alerts. The chip & signature is designed to prevent this by adopting an ADPU command sequence instead of using static values, and the only data in transit from the card reader to the server is a single transaction encrypted block. It cannot be replayed. In my security circles we just talked about how it was about time this happened. Chip alone won't save us, and chip+pin is a hassle for so many folks (and the idea that PIN for debit where you lose some of your protection is just shitty) that they just cancel right through it. Hell, my CU gives me money every month to *not* enter my PIN or use my card as a debit card. Quote Link to comment Share on other sites More sharing options...
Vexar Posted August 28, 2019 Share Posted August 28, 2019 The article said somewhat un-clearly it was not their chip readers, only their mag stripe readers, so maybe we are not in agreement there? Chip & PIN costs seconds that most retailers don't want to spend, and some don't even seek a signature. They literally price out the fraud cost and the labor cost / buyer delay and would rather take the risk. I find that revolting. I won't post it publicly, but ask me about 1-800 FLOWERS if the occasion presents itself. There are worse stories about managing risk! What I find interesting is that a tier 1 merchant was able to get away with not having chip readers on every system in their infrastructure. Sounds like a funky credit union. Yeah, always use your Debit card as a VISA/Mastercard. When you use it in debit mode, well, let's just assume that such transaction information is more valuable to identity thieves. Quote Link to comment Share on other sites More sharing options...
mike Posted August 28, 2019 Share Posted August 28, 2019 7 hours ago, Vexar said: Sounds like a funky credit union. Yeah, always use your Debit card as a VISA/Mastercard. When you use it in debit mode, well, let's just assume that such transaction information is more valuable to identity thieves. Nah, debit transactions aren't protected the same. https://money.cnn.com/2013/12/20/pf/expert/debit-credit-cards/index.html is just one of the items, and the recovery of your funds can take a very long time. I mean, largest credit union in MN can't be that funky, amiright? Quote Link to comment Share on other sites More sharing options...
Vexar Posted August 28, 2019 Share Posted August 28, 2019 I may be missing something here. If you use your debit card on the ... VISA network and don't punch in a PIN, is it a credit card purchase or a debit purchase? Doesn't that depend on how your bank has it set up? True about debit fraud. Nobody notices that detail until it's a problem. Quote Link to comment Share on other sites More sharing options...
mike Posted August 29, 2019 Share Posted August 29, 2019 19 hours ago, Vexar said: I may be missing something here. If you use your debit card on the ... VISA network and don't punch in a PIN, is it a credit card purchase or a debit purchase? Doesn't that depend on how your bank has it set up? Yes, exactly. No PIN it is CC, with PIN it is debit. Has been this way forever. 1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.