
Fraudulent charging

27K views 505 replies 65 participants last post by  dparr59  
#1 ·
Hi folks,

Yesterday and today someone or many someones have been using my Electroverse account to charge their many vehicles.

They’ve managed over £250 worth of charging all across the South-East. My payment method is my Octopus account.

I have contacted Octopus and Electroverse today with many screenshots of my location, my car location etc but haven’t heard back thus far. I don’t think they get up to much of a weekend.

I have changed the password to my Octopus and Electroverse accounts, changed the password of the mailbox attached to the account just in case of a magic link usage.

I am monitoring the Electroverse app for any charges taking place and stopping them when I see them. I don’t know whether to close the account; I don’t know if this will hurt my chances of any reimbursement from Octopus.

Has this happened to anyone else? What was your experience?

Best Wishes,
 
#6 · (Edited)
Perhaps the sheer number of charges if plentiful will go in your favour as clearly it would be impossible to fill up more than 2 or 3 times in a day and the time differences would need to allow for the battery to be drained.

Good luck, phone them first thing Monday but also collate as much detail as you can now and email it across so they can gawp at it as you speak.

Gaz
 
#7 ·
Within 1.5 hours the account was charged for almost 150 kWh. Electroverse should have some monitoring system for excessive usage. It should be like a CC: if there is "unusual" activity, the bank just blocks the transactions.
I hope you get it sorted. However, your first port of call should be the bank associated with your CC/DC or account as @Parkwood mentioned above.
 
#10 ·
Electroverse have come back to me!

They have deactivated my account and reactivated to end any app sessions.

It seems these fraudsters gained my password and were logging in to the app. I had changed the password but existing sessions aren’t dropped.

All the charges will be credited. I have asked if MFA is something that is available or will be soon as that extra bit of security would make all the difference.

Thank you all for your replies and support.
 
#11 ·
Good to hear that they acted right away. This is just one more example of why all the charger providers should adopt a "plug and charge" approach. Tesla have that and Fastned offer the service as well. With Fastned you set the car up when you are at a charger (follow the prompts in the app) and after that you don't need anything. Just drive to the charger, plug the car in and the software does the rest. The system recognises your car and you are good to go. No apps, no swiping or tapping cards, nothing.
 
#18 ·
Fastned don't offer Plug & Charge, they do "Autocharge" instead.

Plug & Charge (which I think only Ionity support in the UK so far?) uses cryptographic certificates, so is pretty secure. To clone a car, an attacker would need to get hold of the car's private key, which should only ever be known to the car itself (if properly designed, it should not be possible to extract the key from the car)

Autocharge just works by Fastned keeping a database linking each car's MAC address to a payment method. The MAC doesn't change* and is visible to every single charger you ever plug into. It is absolutely trivial for someone to clone a MAC - there's no way I would sign up to a payment technology as insecure as Autocharge.

(*) Since a fixed MAC could be considered to be personal data, and could be used to track your whereabouts, some cars randomise the MAC each time you plug in. Whilst that solves the tracking problem, it does make those cars fundamentally incompatible with Autocharge. I believe anything using VAG's MEB platform uses randomised MAC addresses. I would have thought the plug & charge certificates could be used for unauthorised tracking too, but at least that is an optional system that you can just avoid using if you are concerned.
 
#13 ·
I wonder how secure the RFID cards are. Scanning the cards would be pretty easy using an "RFID scanner" device (these can work at several metre distances so could be done by anyone nearby you). Once the card is 'cloned' it could be sold to unscrupulous fleet operators and so on looking to save a buck. Virtually untraceable - most chargers don't have CCTV or ANPR.

I raise a similar concern over the absurdly simple implementation of Plug 'n' Charge by Fastned, which relies -only- on the MAC address of the car to authenticate charging. This number does not change, and can be copied by anyone who has access to a public charger's internal data logs (engineers, for instance).
 
#16 ·
That isn’t a concern. Credit cards only have 16 digits, for 10,000,000,000,000,000 combinations (10^16). My Electroverse card has 13 characters, including letters and numbers, giving 170,581,728,179,579,208,256 combinations (36^13) - several orders of magnitude more than credit cards.

The OP has said the account password was compromised - and now it’s time to repeat the advice I always give. Use a password manager, and let it generate complex passwords that you’ll never remember, using letters, numbers, and symbols - not based on dictionary words, so brute force attacks will take years instead of milliseconds to break (at least until such time as quantum computers running Shor’s algorithm become available) https://en.m.wikipedia.org/wiki/Shor's_algorithm

I like BitWarden, as it has free cross-platform syncing, and runs well on all the platforms I use (iOS, Android, Windows, Linux). They make money by offering premium and business services, using the free personal option as a loss leader. Most of the others either charge for syncing, or allow you to do it yourself, which some will be happy to do, but is a bit too difficult for most.
 
#17 ·
OP, it will be a good idea to check all your online presence with associated passwords. If it wasn't Electroverse that was hacked or your Octopus account data leaked, then it is possible that this was compromised on your end, including other personal data.
 
#22 ·
Sounds like this was "hacked" using the app, but as pointed out the RFID card method is also very easy to clone (easier than cloning a MAC address on a vehicle to hack Autocharge).

If you get an RFID scanner app on your phone and tap your card you'll see a "UID" which is a string of hex bytes.

All that happens is the reader in the charger reads these, then transmits them to the OCPP back office controlling the charger. It checks if that ID is "whitelisted" and authorises the charge if so.

So, if you create a device (can probably simulate it using a phone) to show the same UID then you can effectively clone the card.

There are millions/billions of potential IDs but I don't know if there is any system to check duplicates or if different chip manufacturers use different ranges.
 
#23 ·
A bank can quickly work out your card payments are fraudulent when they are used in different places too close in time.

Some of those charges will have been running simultaneously at different locations and charging the car fully. That should be flagged up by Electroverse.

It must be more than one person with access to your details. It can't be one criminal with access to your data, access to a number of EVs, and willing to commit such a crime.

I wonder if the cars have been filmed at the charging stations and with their genuine registration plates?
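The two checks raised in posts #7, #22 and #23 (overlapping sessions at distant sites, and more energy in a short window than one battery could take) are easy to express as back-office logic. This is an added example, not Electroverse's code or any OCPP back office's: the site names, coordinates, timings and kWh figures are constructed to mirror the pattern described in the thread, and the thresholds (5 km, 2 hours, 120 kWh) are assumptions.

```python
# Added example (not Electroverse's code): back-office checks that would
# flag the pattern described in this thread, run over constructed sessions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Session:
    charger: str       # site name (constructed)
    lat: float
    lon: float
    start: datetime
    end: datetime
    kwh: float


def distance_km(a: Session, b: Session) -> float:
    """Great-circle distance between two charger sites (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def concurrent_far_apart(sessions, min_km=5.0):
    """Pairs of sessions that overlap in time at sites more than min_km apart.
    One vehicle cannot be plugged in at two distant sites at the same moment,
    so any such pair means more than one vehicle is using the account."""
    flagged = []
    for a, b in combinations(sorted(sessions, key=lambda s: s.start), 2):
        if b.start < a.end and distance_km(a, b) > min_km:
            flagged.append((a.charger, b.charger))
    return flagged


def max_kwh_in_window(sessions, window=timedelta(hours=2)):
    """Largest energy total among sessions starting within any window-sized
    span (the window start is slid across each session start)."""
    ordered = sorted(sessions, key=lambda s: s.start)
    best = 0.0
    for anchor in ordered:
        total = sum(s.kwh for s in ordered
                    if anchor.start <= s.start < anchor.start + window)
        best = max(best, total)
    return best


def assess(sessions, min_km=5.0, window=timedelta(hours=2), limit_kwh=120.0):
    """Combine the two checks into one verdict a back office could act on
    (pause the account and notify the holder rather than silently accept)."""
    pairs = concurrent_far_apart(sessions, min_km)
    peak = max_kwh_in_window(sessions, window)
    return {
        "concurrent_pairs": pairs,
        "peak_window_kwh": peak,
        "suspicious": bool(pairs) or peak > limit_kwh,
    }


# Constructed sample: three overlapping morning sessions at distant sites
# (the fraud pattern), plus one ordinary evening session by the account holder.
T = datetime(2025, 6, 7)
SAMPLE_SESSIONS = [
    Session("Maidstone", 51.27, 0.52, T.replace(hour=10), T.replace(hour=11), 45.0),
    Session("Dartford", 51.44, 0.22, T.replace(hour=10, minute=20), T.replace(hour=11, minute=10), 50.0),
    Session("Brighton", 50.83, -0.14, T.replace(hour=10, minute=30), T.replace(hour=11, minute=20), 55.0),
    Session("Guildford", 51.24, -0.57, T.replace(hour=18), T.replace(hour=18, minute=40), 20.0),
]

if __name__ == "__main__":
    print(assess(SAMPLE_SESSIONS))
```

On the sample, the three morning sessions are flagged as three concurrent far-apart pairs and their 150 kWh inside two hours exceeds the limit; the lone evening session on its own is not suspicious. A real back office would also want to notify the account holder at session start, which post #25 notes Electroverse does not do.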
 
#24 ·
I think that, technically, contactless cards are all RFID, aren't they? I remember watching a Youtube video some time ago where someone dissolved away the plastic and reverse engineered a contactless debit or credit card. There was a very thin coil around the card that both provided the power for the chip and worked as the bidirectional data interface, which is how RFID cards work, except they are unidirectional I think. The protocol on a contactless debit or credit card is going to be bidirectional and far more secure but I think it's perhaps technically correct to refer to them as RFID, in the sense that they use RF to energise the card and transmit and receive data and that data includes identification of the card and owner.
 
#25 ·
I think a bank card is just like a RFID card.

However, I get a notification on my phone from my banking app every time I use my card. It also requires me to enter my pin number after making a few transactions, or at an unusual location.

My bank card wouldn't allow me to make all those transactions before asking for my pin number.

Electroverse doesn't notify me that I've started a charge with my RFID card. I can see a charge is active, but only if I go into the app.
 
#47 ·
I think a bank card is just like a RFID card.
Technically, a contactless payment bank card is a NFC card, that might respond as RFID, but it's far more than that.
In fact, a lot of bank cards will change the presented RFID value each time they're powered up, so they can't be used by simple RFID systems.
It has its own processor, that when booted up (powered by the NFC antenna loop or the smart card contact pads), it will perform all manner of cryptographic stuff, even so far as running their own apps in their own microprocessor, and can do some fancy challenge-response with the payment terminal.
A MIFARE Classic NFC card is ALSO an RFID card, but can store data on the card itself, lightly encrypted (doesn't take too much effort to clone).
A MIFARE DESFire NFC card is ALSO an RFID card, but can store data with a bit more fancy encryption that is harder to clone.
I'm fairly sure that the Octopus Electroverse RFID cards are the more modern DESFire cards, which allows the issuer to encode something more than just an RFID value onto the card and for it to be more securely validated by chargepoints that support that.

my background: I used to build RFID access systems.
 
#27 ·
Very roughly, a smart card can prove it's the owner of its UID. It uses the UID as the public key of a public-private key pair, so it can decode a block of data which has been encoded (scrambled) by the UID. (This only works because it has 2-way communication.) To check that it's genuine, roughly this happens.
  1. The car charger sends out the pulse to power the card and asks it for its UID. The card sends that.
  2. The charger chooses a random number out of a very large range, and encodes it using the UID. It sends the encoded result to the card as a challenge. It doesn't reveal the random number directly, not never no how.
  3. The card decodes the challenge message. It is the only device in the whole world which can do that, because it's the only place the private key has ever been stored. It sends the reply back to the charger.
  4. The charger checks that reply against the random number it's saved but kept secret. If they match, it knows the card is the true owner of the UID it claimed to have in step 1. If not, there's something wrong, possibly the card's a fake, and verification fails.
All that means that copying the card's UID doesn't get you anywhere -- unless you can crack the public-private key system used. Since modern banking depends on a similar algorithm, there's a lot of work gone into designing and testing that, and it ought to be difficult, as in, might take millennia to break the code with our best computers.

Don't try to build your own card verifier using this description -- I've not tested it; it's an illustration or explanation, not a technical specification. There are subtleties and complexities in making it reliable which I've definitely not understood or have not remembered or deliberately missed out!
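The contrast drawn in posts #18 (certificate-based Plug & Charge versus MAC-based Autocharge), #22 (UID whitelisting in the OCPP back office) and #27 (challenge-response) comes down to one property: a static identifier can be copied by anyone who reads it, while a challenge-response answer needs a secret that never leaves the card. This added example is not any card issuer's or charge-point operator's code and is not the DESFire or Plug & Charge protocol. It uses the shared-secret (HMAC-SHA256) form of challenge-response because that needs only the standard library; the public-key form described in the post above has the same property. The UID, the per-card key and the class names are constructed for the illustration.

```python
# Added example (not any card issuer's or charge-point operator's code):
# why a copied identifier defeats UID-only authorisation but not
# challenge-response. Shared-secret HMAC variant, standard library only.
import hashlib
import hmac
import secrets
from typing import Optional


class Card:
    """A card presents a UID; a genuine card also holds a secret that never
    leaves it and uses it to answer challenges."""

    def __init__(self, uid: bytes, key: Optional[bytes] = None):
        self.uid = uid
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        # A clone that copied only the UID has no key and can only guess;
        # here its guess is sixteen zero bytes.
        key = self.key if self.key is not None else bytes(16)
        return hmac.new(key, self.uid + challenge, hashlib.sha256).digest()


class BackOffice:
    """Holds the whitelist. For challenge-response it also holds each card's
    secret; a public-key scheme would hold certificates instead."""

    def __init__(self):
        self.cards = {}  # uid -> per-card secret

    def enrol(self, uid: bytes, key: bytes) -> None:
        self.cards[uid] = key

    def authorise_uid_only(self, uid: bytes) -> bool:
        # The weak scheme: anything presenting a whitelisted UID is accepted.
        return uid in self.cards

    def issue_challenge(self) -> bytes:
        # Fresh, unpredictable nonce per session, so a recorded answer is
        # useless against any later challenge.
        return secrets.token_bytes(16)

    def verify(self, uid: bytes, challenge: bytes, response: bytes) -> bool:
        key = self.cards.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def charge_with_challenge(office: BackOffice, card: Card) -> bool:
    """One authorisation exchange: the charger relays UID, challenge, response."""
    challenge = office.issue_challenge()
    return office.verify(card.uid, challenge, card.respond(challenge))


def demo() -> dict:
    office = BackOffice()
    # Constructed UID and key; a real card's key would be written at issue.
    genuine = Card(uid=bytes.fromhex("04a1b2c3d4e5f6"), key=secrets.token_bytes(16))
    office.enrol(genuine.uid, genuine.key)
    clone = Card(uid=genuine.uid)  # has the UID (any reader sees it), not the key

    # A recorded genuine exchange, presented again against a new challenge.
    old_challenge = office.issue_challenge()
    old_response = genuine.respond(old_challenge)

    return {
        "uid_only_clone_accepted": office.authorise_uid_only(clone.uid),
        "challenge_genuine_accepted": charge_with_challenge(office, genuine),
        "challenge_clone_accepted": charge_with_challenge(office, clone),
        "replay_accepted": office.verify(genuine.uid, office.issue_challenge(), old_response),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Under UID-only authorisation the clone is accepted; under challenge-response the genuine card passes, the clone fails, and a recorded response replayed against a fresh challenge also fails. `hmac.compare_digest` is used so the comparison does not leak timing information, and the UID is bound into the MAC so an answer computed for one card cannot be presented under another.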
 
#30 ·
Yep shows the tea leaves are diversifying from straight up CC and banking fraud and now rapidly moving through the remaining “low hanging fruit” such as EV charging where the idiot operators don’t employ basic security hygiene like 2FA.

There’s just so many bad actors out there, you hear about and read it on a daily basis. It’s not like it's a rarity. Jesus, hello M&S!!

This sort of nonsense should be a wake up call to corporate fools like OE / Electroverse.
 
#31 ·
There’s just so many bad actors out there, you hear about and read it on a daily basis. It’s not like it's a rarity. Jesus, hello M&S!!
They're still not up and fully running.... it is beyond belief, it has been almost 2 months since the attack on the servers....
 
#36 ·
I discovered this morning that I too have had fraudulent charges put onto my Electroverse account overnight. They were in Essex and north east London, I live in Surrey and certainly wasn't charging my car at 1am and 3am!
I am now trying to contact Electroverse but them not having a phone number is really frustrating!
I only realised that something was wrong because there were 5 emails this morning from Electroverse with a link to sign in.
 
#41 ·
I wonder if someone pushed unfinished test code as the final build? Maybe someone has figured out they do very few checks on their server end (maybe none at all)? Won't be the first time.

Everyone who has these cards should check their accounts. Some kid is probably selling cloned cards on the darknet.

For all we know the card could be totally unprotected and just reads the ID and assumes if you have that card it's good to go.
 
#39 ·
Quite possible. One of my cards was compromised a couple of weeks ago. Luckily the bank detected it, most probably because a few minutes before the dodgy transaction I'd paid for a service for the car with it. The bank called me to ask if I'd just tried to use the card in London, as I was driving back from the garage in Salisbury.

The only thing I can think of is that it might have been related to using that card online with M&S a fair bit around Christmas.