Midwest Supplies

[vja3]

Been lurking around here since I started my homebrew hobby about 3 months ago, but wanted to contribute here. I received some fraudulent charges on a credit card yesterday morning. There are only 4 places that card could have been compromised, and one of them was Midwest Supplies. Obviously, that doesn't prove anything. But it's sure starting to look like they might have had a security breach.

Also, I just logged into my account now and notice that the credit card in question was saved to my account. I'll contact them as well with this report.

 

[LaurieGator]

I also had some fraudulent charges on Friday from some spanish sounding place... Also ordered from Midwest a few weeks ago...

Gave them a call and gave them my information...

 

[whoaru99]

Used a card there in person a few days ago. Will keep an eye on my account.

For online purchases I have gone to using virtual card numbers that have a fixed dollar value you set for each one you generate. Additionally, you can add a time limit to it as well. Once the value (or time) is gone the number is done. Mine is done though Citi.

 

[unionrdr]

I also had some fraudulent charges on Friday from some spanish sounding place... Also ordered from Midwest a few weeks ago...

Gave them a call and gave them my information...

I get calls on my cell from one that sounds like that. they try to act like there's a problem with my card & they need to get mine. Sha,right. they never once mentioned being affiliated with the company the card is from.
You can type the number into the window at the top of the browser & it'll take you to a site where folks report such things that happen by phone. Good thing to know.
As I said,if they use paypal on their site,so do I. no problems so far.

 

[Marmike600]

I actually had some charges to my account that B of A called to let me know happened Wednesday night. They ordered some Adobe products and one chargeto a game company in the UK. Been a while since I've ordered from Midwest but I guess it's a possibility

I JUST had the same thing!! $200 to a game company in the UK. I just purchased more stuff from Midwest too!

My card is thru NavyFCU. I have contacted Midwest to let them know. Fortunately NFCU has a good fraud dept.

 

[unionrdr]

with me it was some local stores with the same card that the company investgated. got my money back,new card with new numbers & new account number. Even changed the passwords & such. they were very willing to fix the problem,thinking it could spred to other customers. good thing that I didn't mind doing to help make things better.
And that capitol one thing was def a mistake I'll not repeat. Lost more money with them that they wouldn't re-emburse. good by capitol one.
But using paypal with midwest has been great so far. Just switch to paypal,since many on line sites use it now. More protection & def more recourse if things do happen to go south.

 

[Mozart]

I've never ordered from Midwest, but just want to point out that, this forum being dedicated to homebrewing, one would expect that a lot of people on this forum would do business with Midwest, simply by virtue of what they sell.

I'm not saying Midwest doesn't have a problem. I don't know. Just saying that as a group we should be cautious concluding that they do from anecdotal evidence.

If ten HBT members had their credit cards compromised, randomly, from different sources, how many do we think could point to Midwest as a common place they've used the card?

 

[unionrdr]

Hard to say with any certainty. Info goes back & forth as small packets,& are easily intercepted anywhere along the route they take to get where they're supposed to go. so that makes it hard to blaim midwest or any one entity absolutely.

 

[PhillyMike]

I had ordered from Midwest and a few days later had my card hacked as well. I hope Midwest can identify and correct the problem.

 

[ECUmedford]

I've never ordered from Midwest, but just want to point out that, this forum being dedicated to homebrewing, one would expect that a lot of people on this forum would do business with Midwest, simply by virtue of what they sell.

I'm not saying Midwest doesn't have a problem. I don't know. Just saying that as a group we should be cautious concluding that they do from anecdotal evidence.

If ten HBT members had their credit cards compromised, randomly, from different sources, how many do we think could point to Midwest as a common place they've used the card?

This thread has had 586 views (100 are probably mine) and so far there are 10 MW customers that have had their credit card info compromised within the same 4 day period. In my 13 years of credit card ownership and purchasing online, I have never had this happen to me before. Not sure how often this happens for everyone else on this forum but I don't think this is a coincidence.

 

[ECUmedford]

My dad and I both had huge fraudulent charges on our credit cards Friday July 5th. Our banks called us to let us know about them.

The only place we both order from is Midwest Supply. So we suspect that they are the source and perhaps have had a security breach. The timing of both of us having this issue is not coincidental.

Has any other Midwest customers had a similar experience this past week?

I am an E-commerce consultant/entrepreneur and use the same Magento system they do. I noticed they have the credit card save feature enabled which I would never do on my sites.

Just beware and please post if this happened to you so we can verify the source of this issue. Thanks!

Just wanted to let everyone know that I have had multiple phone calls from MW today from their customer service team including their customer service manager regarding this issue. They assured me that they do not store credit card information and that even their managers are not able to login and view credit card numbers (same with my business). They take this situation seriously are dedicated to try to identify any potential problems and communicate if/when an issue is identified. I've enjoyed doing business with MW and this kind of thing can happen to anyone. Even our own federal government with all the resources in the world has a hard time 100% securing their systems.

 

[FuzzeWuzze]

Hard to say with any certainty. Info goes back & forth as small packets,& are easily intercepted anywhere along the route they take to get where they're supposed to go. so that makes it hard to blaim midwest or any one entity absolutely.

Easily intercepted, hardly, and they should be using https protocol for their transactions which is heavily encrypted, its the same encryption you use to log into your bank online.

Its unlikely that someone is tapping lines and snooping packets, its more likely if it is on MidWest that someone has compromised their webserver or some other server on their end.

 

[bob1852]

They assured me that they do not store credit card information and that even their managers are not able to login and view credit card numbers (same with my business).

Maybe an employee writing them down on paper?

It's happened before.....

 

[Randar]

Just to add my name to the fray... I also recently ordered from Midwest, credit card processed on June 19. I received a fraud alert call for a large erroneous charge that had to result in my account being cancelled and a new card issued. Of course, I was a couple thousand miles from home, so it wasn't very convenient.

Not necessarily 100% evident that Midwest is the culprit here, but the charge was for a pile of "telecom equipment" from somewhere in California. Co-inky-dink?

 

[vNmd]

For online purchases I have gone to using virtual card numbers...though Citi.

+1 on the virtual numbers. I love them. They are "use once". I tried using a virtual number at two places once. Which ever charge uses the number first works, anything after that gets declined. :rockin:

 

[beersnblues]

I order about once a month from midwest. After reading this thread, I checked and my card has been hacked. 3 charges today. Sears and match.com. Having a tough time explaining the latter to the wife.

 

[midwestsupplies]

Thank you to everyone that has contributed to this thread and contacted us regarding your concerns. At Midwest Supplies we take our customers' data and information security seriously. After thoroughly investigating the concerns in this thread, we do not believe they were related to purchases made at Midwest Supplies. If anything changes we will let you know. If anyone has concerns regarding their order or credit card data, please contact our customer service team at 888-449-2739 or [email protected].

We value the trust our customers place in us every time they order from Midwest Supplies. We take this trust seriously: our website is secure and encrypted, it is scanned daily to guard against any attacks, we are PCI compliant, we maintain cyber insurance, all of our employees must pass criminal background checks, and we do not store credit card information on any of our systems.

As fellow brewers and winemakers, we want to make sure you can focus on making the best possible beer or wine, every time. We will do our best to guard your information and maintain your trust.

Thanks again and Cheers.

 

[ECUmedford]

Maybe an employee writing them down on paper?

It's happened before.....

I have never placed a phone order with them where someone could write them down. I trust websites for secure transactions way more than calling any customer service.

There have been a number of eastern European cyber criminal attacks this year where they quietly compromise a website and record credit card transaction data. Eventually credit card companies are able to trace transactions to find the source of the breach.

 

[kifkroker]

My CC company called me on July 6th with an alert of fraudulent charges to Sears.com for $700 of merchandise that was supposed to ship to Iowa or Idaho (can't remember which they said). I had an order that I placed and also a partial refund from Midwest in June. No idea if it is related to Midwest specifically or not but kinda weird stumbling on this thread with the same timing of fraudulent charges as my card had.

 

[ECUmedford]

My CC company called me on July 6th with an alert of fraudulent charges to Sears.com for $700 of merchandise that was supposed to ship to Iowa or Idaho (can't remember which they said). I had an order that I placed and also a partial refund from Midwest in June. No idea if it is related to Midwest specifically or not but kinda weird stumbling on this thread with the same timing of fraudulent charges as my card had.

One of my charges was to Sears as well. There is no way this is a massive coincidence.

 

[ggriffi]

Question, has the OP contacted Midwest to see if they have had any hacking issues? Before a company is discussed in this way it would be best to talk to them first. I hope the OP did.

A St. Louis supermarket chain Diebergs, recently had this happen to them. A hacker got into their system and stole all of the credit card and bank check information they had. They have 25 locations and a good IT department. No one is immune these days.

That was Schnucks grocery stores not Dierbergs, but you are right, No one is immune these days

 

[cfrazier77]

That was Schnucks grocery stores not Dierbergs, but you are right, No one is immune these days

Your right, my bad. It get the two confused sometimes. Thanks.

 

[DrunkleJon]

This is one of the reasons I have a separate credit card just for online orders. That way it is easier to track. Kudos to Midwest for doing their part and looking into it. I feel for all those who have recently been compromised and hope everything is made right and the jerks responsible are caught.

 

[ECUmedford]

After thoroughly investigating the concerns in this thread, we do not believe they were related to purchases made at Midwest Supplies.

Well I certainly hope that you plan to determine the full scope of the problem. 13 Midwest customers on this thread having the same problem in the same 3-4 day time period and you don't think they are related? Credit card fraud does not happen so frequently that a post on this forum would result in this many people coming forward. To prove that I posted on a couple of my favorite high-traffic non-beer related forums to see how many people had fraudulent credit card charges in the past week. All I heard back was crickets.

A similar event happened a couple of years ago on here with Austin Home Brew Supply:
https://www.homebrewtalk.com/f19/ever-have-credit-card-number-stolen-223663/

They were able to communicate to learn the scope of the problem and alert their customers without admitting fault:

Austin Homebrew Supply has received communication from a very limited number of customers that they recently have had fraudulent charges on their credit or debit card. We are conducting a thorough 3rd party forensic investigation and to date have not uncovered a breach on our end, or identified any network infrastructure or website vulnerabilities. We have changed our merchant service credit card processor because we suspect the source of the problem lies in that direction.

If you placed an order with Austin Homebrew Supply from January 7th through February 6th, please check your credit card or bank statements for any charges that you do not recognize. Call your bank to reverse these charges. As an added precaution, we recommend that you have your bank or credit card company issue you a new card.

Sorry for the inconvenience this may have caused you. We really appreciate your business and support.

Forrest Rogness President Austin Homebrew Supply, LLC

http://www.brews-bros.com/index.php?/topic/39394-important-message-from-austin-homebrew/

Have you contacted your credit card processor? They could be the source of the problem which still means that our issues are related, just not necessarily the fault of Midwest. Visa is pretty clear regarding taking action on suspected or confirmed security breaches.

Members, service providers or merchants must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.

If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.

If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.

http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html#anchor_3

 

[vja3]

Well I certainly hope that you plan to determine the full scope of the problem. 13 Midwest customers on this thread having the same problem in the same 3-4 day time period and you don't think they are related? Credit card fraud does not happen so frequently that a post on this forum would result in this many people coming forward.

+1. At this point, I'm pretty much convinced that my card was stolen as a direct result of my purchase from Midwest Supplies. I'm not necessarily blaming them, but something seems to have gone wrong somewhere in the process.

 

[varaflame]

At what point does this thread turn from a possible alert about Midwest Supplies website security to a witch hunt?
I only ask because there is a so called group of "13" now people that have had an issue. But yet, no proof. Not one ounce. OP has speculated because he and his father happened to shop at the same place. But when was the last time they ordered from there? Have they contacted their card issuer and asked them to run a security check and see where the security breach might have occured?
Midwest has comeback with being within PCI compliance. Let us know they have security scans daily. They even list at the bottom of their page that they have these services. Does OP not believe in these practices since he seems to be the expert? His website doesn't brandish such notifications.
I think at this point, unless evidence comes back from a card issuer stating Midwest is the issue, this thread should be locked. I'm all for open communication, but Midwest has presented evidence that it wasn't them. Unless there is something concrete going forward, this is just going to turn into a defamation thread.

Just my two cents

 

[kh54s10]

At what point does this thread turn from a possible alert about Midwest Supplies website security to a witch hunt?
I only ask because there is a so called group of "13" now people that have had an issue. But yet, no proof. Not one ounce. OP has speculated because he and his father happened to shop at the same place. But when was the last time they ordered from there? Have they contacted their card issuer and asked them to run a security check and see where the security breach might have occured?
Midwest has comeback with being within PCI compliance. Let us know they have security scans daily. They even list at the bottom of their page that they have these services. Does OP not believe in these practices since he seems to be the expert? His website doesn't brandish such notifications.
I think at this point, unless evidence comes back from a card issuer stating Midwest is the issue, this thread should be locked. I'm all for open communication, but Midwest has presented evidence that it wasn't them. Unless there is something concrete going forward, this is just going to turn into a defamation thread.

Just my two cents

If "13" people have issues and Midwest is a common denominator and there is no other you can assume a connection.

No one but you is calling this a "witch hunt" and I don't see anyone accusing Midwest of complicity.

 

[MaxStout]

At what point does this thread turn from a possible alert about Midwest Supplies website security to a witch hunt?
I only ask because there is a so called group of "13" now people that have had an issue. But yet, no proof. Not one ounce. OP has speculated because he and his father happened to shop at the same place. But when was the last time they ordered from there? Have they contacted their card issuer and asked them to run a security check and see where the security breach might have occured?
Midwest has comeback with being within PCI compliance. Let us know they have security scans daily. They even list at the bottom of their page that they have these services. Does OP not believe in these practices since he seems to be the expert? His website doesn't brandish such notifications.
I think at this point, unless evidence comes back from a card issuer stating Midwest is the issue, this thread should be locked. I'm all for open communication, but Midwest has presented evidence that it wasn't them. Unless there is something concrete going forward, this is just going to turn into a defamation thread.

Just my two cents

You claim there has been no proof from the 13. If you are not willing to take the word of 13 HBT members at face value, why would you take Midwest's denial at face value?

If you are going to apply such critical skepticism to the 13, why not apply it to the entity that has the most to lose from this publicity?

 

[ShootsNRoots]

We value the trust our customers place in us every time they order from Midwest Supplies. We take this trust seriously: our website is secure and encrypted, it is scanned daily to guard against any attacks, we are PCI compliant, we maintain cyber insurance, all of our employees must pass criminal background checks, and we do not store credit card information on any of our systems.

I had to replace my card several months ago as a result of fraudulent charges to Walmart.com. This also occurred about the time I had placed an order with Midwest Supplies. When I logged in an found that my Credit Card information had been saved, I immediately clicked to delete it.

Midwest Supplies, your website does have facility to store credit card information. Whether or not it's on your servers is a different matter. When I log into my account and click "Saved Credit Cards" under the Account heading on the left... Guess What?! It brings up my saved credit cards!

The statement you gave is a blanket statement. Cyber security is complex and having a security certificate, running a simple PCI scan or the ever present label "secure and encrypted" doesn't mean much unless it is done properly. I would suggest hiring competent security professionals who can examine web logs and other transaction logs and of course getting in touch with your credit card processor.

 

[DrunkleJon]

Correct me if I am wrong here but let me see if I have this straight.

-This thread was created the intention of letting fellow HBTers know that the OP and his father both had compromised cards and have MW in common.
-The thread tells that it may not be a bad idea if any of us have used MW recently to look at our billing statements (which we should be doing anyways) just in case to make sure that it didn't happen to us as well.
-Other HBTers chimed in to say that they have had some fradulent activity as well.
-MW has stated that they are aware of this and are looking into things on their side, as well as offering up that they strive to be secure.

With all that in mind, lets not bash Midwest Supplies. They have always been fair with me when it comes to prices and service, and seem to be doing their due dilligence.

 

[MaxStout]

Correct me if I am wrong here but let me see if I have this straight.

-This thread was created the intention of letting fellow HBTers know that the OP and his father both had compromised cards and have MW in common.
-The thread tells that it may not be a bad idea if any of us have used MW recently to look at our billing statements (which we should be doing anyways) just in case to make sure that it didn't happen to us as well.
-Other HBTers chimed in to say that they have had some fradulent activity as well.
-MW has stated that they are aware of this and are looking into things on their side, as well as offering up that they strive to be secure.

With all that in mind, lets not bash Midwest Supplies. They have always been fair with me when it comes to prices and service, and seem to be doing their due dilligence.

I don't think anyone here is bashing MW, and yes, they are a good company. But when over a dozen HBT members have experienced some kind of CC breach, and the common denominator is an order with MW, the odds of coincidence are dropping fast. Midwest has an obligation to rectify this, and giving us a pat statement that "it's not on our end" is disingenuous.

 

[ECUmedford]

Does OP not believe in these practices since he seems to be the expert? His website doesn't brandish such notifications.

No reason to have such notifications on our wholesale distribution catalog site that does not accept credit card transactions.

 

[DrunkleJon]

I don't think anyone here is bashing MW, and yes, they are a good company. But when over a dozen HBT members have experienced some kind of CC breach, and the common denominator is an order with MW, the odds of coincidence are dropping fast. Midwest has an obligation to rectify this, and giving us a pat statement that "it's not on our end" is disingenuous.

I am no lawyer, but usually it is in the best interest of businesses to not claim any responsibly, no matter how tenuous until they know for certain they are at fault. I am sure that when their investigation is complete they will update us with whatever reasoning they are legally allowed to disclose. I give them a lot of credit for making the statements they have already. You will not see Wal-Mart or Target, or the like doing even that much.

 

[MaxStout]

I am no lawyer, but usually it is in the best interest of businesses to not claim any responsibly, no matter how tenuous until they know for certain they are at fault. I am sure that when their investigation is complete they will update us with whatever reasoning they are legally allowed to disclose. I give them a lot of credit for making the statements they have already. You will not see Wal-Mart or Target, or the like doing even that much.

I AM a lawyer, and while, at first glance, that might sound like a great idea, giving a general denial in this instance doesn't really help their case. It would be a better strategy to not draw any conclusion at this time, and simply state something to the effect of "an investigation is still ongoing" (which it should be). You can be honest without admitting culpability.

From a marketing standpoint, making a statement tantamount to "nothing's wrong here" can backfire if and when it is later determined that there was indeed a breach. Even if said breach was the fault of others (hackers), it still happened on MW's watch, and some people will associate MW with that problem and be hesitant to do business via CC.

 

[midwestsupplies]

We wanted to provide you an update on our on-going investigation into the credit card security matters raised in this Forum.

As part of our investigation, we have involved a number of third-party specialists in web server management, website applications management, website security and credit card processing. Each of these parties, in coordination with the others, has undertaken to assess how and when credit card data could have been compromised.

One of the complicating factors to the investigation is that we store no credit card data. All credit card information is transmitted securely to the credit card processors at the time of the transaction; no credit card information is retained.

A second complicating factor is that the credit cards in question were last used for a Midwest Supplies purchase during a wide ranging period, weeks to months before the fraudulent activity took place.

At this point, none of the third-parties nor our own team have identified how or when credit card data could have been compromised.

We take data security very seriously and are working to complete our investigation as soon as possible.

If anyone has concerns regarding their order or credit card data, please contact me directly at [email protected] or 952-562-5354.

Thanks again and Cheers.
Todd Jackson
Customer Service Manager
Midwest Supplies

 

[ShootsNRoots]

One of the complicating factors to the investigation is that we store no credit card data. All credit card information is transmitted securely to the credit card processors at the time of the transaction; no credit card information is retained.

Credit card numbers are stored somewhere. Either on your servers or your cc processor servers. It would be best, by default to not retain cc information. If it's done automatically when someone orders that isn't cool. I didn't see an option to disable this retention, instead they must be deleted manually.

 

[unionrdr]

I've delt with Todd before. He will def bends over backwards to help in any out of the usual situation. As I stated earlier,info is sent back & forth as packets of information,which hackers have learned to intercept,alter/add on to & send back on it's way. As I've been told & have found out from local police,there is software they can use to track the hacker to a particular comp in a particular room a a house or other structure. I've seen it. Maybe that is an avenue to persue? Make the software automatic where it tracks info to be sure it's only through midwest & you,from their end.

 

[varaflame]

I don't think anyone here is bashing MW, and yes, they are a good company. But when over a dozen HBT members have experienced some kind of CC breach, and the common denominator is an order with MW, the odds of coincidence are dropping fast. Midwest has an obligation to rectify this, and giving us a pat statement that "it's not on our end" is disingenuous.

Of course the common denominator here is Midwest. You are at a Home Brew forum. (Insulting comment edited out by moderator - Pappers_) did you ever stop to think you also have this site in common. As well as quite a few others I'm guessing. Not to mention fast food restaurants.

I guess what I am getting at is, I don't believe the common denominator has been found. You're close, and it was great to get everyone rallied together, but I'm not sure you've found it.

 

[vnzjunk]

Kudos to the original poster for the heads up to the community in this serious matter.

Many of the resulting posts are at best conjecture and a few to one extent or another could harm the reputation of a respected member of the homebrew supply industry. Tread carefully here. An apology post by someone making an early incorrect conclusion does not make any damage done to ones reputation go away after the 'true facts' are uncovered. I think the 'it happened to me too' posts are fine as it shows a pattern for 'experts' who mite be able to use that info in their investigations. Beyond that not a whole lot of good is to be gained by piling on and making wild assumptions.

Just my 2 cents worth. I don't have a pony in the race.

 

[cfonnes]

varaflame, it is interesting that you have posted twice on this site. Both of them defending Midwest.