Midwest Supplies

[Bobby_M]

I had already seen this thread before I placed my order there. I figured they already got their issues sorted out, in addition to my opinion that it's probably happening to a very small portion of their customers even if it is still a problem. The very day the midwest charge hits my ledger, the fraud charges started. That's not proof and I don't claim it to be. I would consider it coincidence if this didn't happen to anyone else. Right now I think it's somewhere between coincidence and probable that it's a midwest breach.

 

[LovesIPA]

I'd venture to say that the server itself was compromised, since that is the only place that the encrypted data could be read.

I don't think anything could be further from the truth.

 

[Larzean]

I don't know much of anything about security or fraud, but if its not MW that is compromised it sounds like somebody associated with them is - their processor company or whoever else gets the info after the fact. The $1 charges seem like a test "does this info work?" And once it's confirmed they go nuts. Just an observation!

 

[NervousDad]

I don't think anything could be further from the truth.

And why would you say that? You don't think a server can be compromised? It's a lot easier to crack a password weak password then to crack encrypted data. And if they got a hold of the data they still have to have some setup to get between the user and the hosted server. If it's multiple people it's not at the ISP level it would be on the hosting side...

 

[Soup4you2]

I don't know much of anything about security or fraud, but if its not MW that is compromised it sounds like somebody associated with them is - their processor company or whoever else gets the info after the fact. The $1 charges seem like a test "does this info work?" And once it's confirmed they go nuts. Just an observation!

I seriously doubt that.. Here the weakest link is the midwest webserver. I doubt that the backend processing system is compromised since it's from a well trusted financial institution. Midwest uses a token based system so CC numbers may not be stored in their database, however there is a very strong chance that it's their web server which sends the information to the token system, thus a person would just need to be doing a M-I-M (man in the middle) attack between the webserver and the token server to snag the CC numbers in clear text.

Just taking 5 minutes out of my day to look at their website I discovered that their forums are running an older version which has known SQL injection flaws. So they do have unpatched software, which the unpatched version they have had an update available for over a year now.. Lord only knows what else hasn't been updated or maintained..

A server thats not properly configured or maintained is pretty easy to gain shell access on. Just find a blind SQL injection hole, and run a system command from the DB to have the server call out and create a reverse shell using netcat or some other tool.. but thats just 1 method, there are millions of other ways to accomplish gaining shell on the web server..

Now I also feel Midwest are not doing their best. Here in the beginning of this thread they responded saying that they are now aware and looking into it. 4 hours later they said it's not them. I really think 4 hours is not even close to enough time to perform a full investigation. What did they do to come to this conclusion? What protections do they have? (IPS. WAF, DLP, etc..)? Did they audit the web server logs going back at least 3-4 months? judging from the amount of orders they get i'm sure they are at least a level 2 PCI merchant so they better be taking PCI and these complaints seriously. Not just saying in a few hours, "nope not us" then ignoring the thread. Judging that they have old vulnerable code, they did not take this seriously.

 

[Shakybones]

If you haven't read the entire thread and the people's stories about their individual cases of fraud, why are you the loudest voice to say that it's mere coincidence? Nobody has claimed that they have proven that its Midwest nor has anyone said that they want something in return for the company. Not many have said that they will never shop there again. Some have even said they will continue to shop at Midwest. But the fact that all the fraud has happened in the same two one week windows and all with similar charges and all on cards that have been stored on Midwest account profiles (while the cards not stored there are fine) makes it too much for coincidence. Read these people's posts before dismissing them as coincidence.

Your sarcasm meter is broken.

I was (fairly obviously) satirizing the above post that reads, "Has anyone totaled up the number of people on this thread with fraudulent charges possibly connected in someway to Midwest Supplies transactions? I would love to know the number of people whose cards were comprimised, but dont have the time to go back through all the pages. Perhaps we should start keeping count."

I have read every post, including yours. I'm still not convinced.

By the way, two posts above yours is someone that wants something in return from Midwest.

 

[Shakybones]

Here the weakest link is the midwest webserver.

Out of curiosity, if you are correct...wouldn't that mean that they would be able to steal CC info of every purchaser, not just the ones who store their info?

Thanks in advance for your insight.

 

[the_trout]

By the way, two posts above yours is someone that wants something in return from Midwest.

Hey Shaky, I think you're referring to me so I just wanted to clarify my position. I don't want anything from Midwest (I've not been the victim of any fraud) but I do think they would be smart to more proactive about the negative perception being spread by these incidents. I think its debatable as to whether there is some type of wide spread fraud and Midwest's culpability there in. However, I think its undeniable that this is a PR hit regardless and I think they could do a better job to try and mitigate the damage.

 

[Shakybones]

Hey Shaky, I think you're referring to me so I just wanted to clarify my position. I don't want anything from Midwest (I've not been the victim of any fraud) but I do think they would be smart to more proactive about the negative perception being spread by these incidents. I think its debatable as to whether there is some type of wide spread fraud and Midwest's culpability there in. However, I think its undeniable that this is a PR hit regardless and I think they could do a better job to try and mitigate the damage.

I agree with you on damage mitigation, but I think many of the true believers would see any goodwill gesture from MW as an admission of guilt.

I have written to MW to ask them to please be more forthcoming about their investigation. Their response was that "Our last post still holds true, and we don't want to beat a dead horse with repeat information."

Oh, and sorry for misrepresenting your position.

 

[Dr_Beersgood_Quaffenstein]

Out of curiosity, if you are correct...wouldn't that mean that they would be able to steal CC info of every purchaser, not just the ones who store their info?

Thanks in advance for your insight.

I always elected to checkout as a guest when ordering from Midwest Supplies and I received fraudulent charges. Which makes me one of the ones potentially comprimised without choosing to store my credit card information under a user account on their website. I have no intention to stop ordering from Midwest and just see these incidences of fraud as one of the costs/headaches of using a credit card.

 

[joshareed]

I had fraudulent charges on my debit card with similar patterns--Walmart.com, Sears.com, Gamestop, gaming websites--during the same time period. I have never shopped online with Midwest. So that's another data point.

Hopefully it isn't them but I don't think "we all shopped at Midwest" is as statistically significant here (a forum of homebrewers and a major homebrew supply shop) as it would be on a more heterogenous forum. But that's just me. YMMV.

 

[lgilmore]

My recent order from Midwest took about two weeks from order till delivery. My recent order from Austin took about two weeks from order till delivery. Never had any real problems with either vendor and consider them to be first class. I know both offer express delivery for those who need things quickly, but it costs more. I prefer to just figure a couple weeks as it gives me product for the lowest possible shipping costs.

 

[Shakybones]

My last 50# sack of 2-row took 8 days to arrive. It's the first time I've received a 50# sack that was completely contained in its box. I think it has more to do with UPS going all [ame="http://www.youtube.com/watch?v=8C-e96m4730"]American Tourister Gorilla[/ame] on the box than it does with Midwest's packaging.

Again, I am pleased with their prices, service, delivery, and product quality. Also, still no credit card fraud to report. nestar:nestar:nestar:nestar:nestar:

 

[joshareed]

As for damage mitigation, I do agree that Midwest could do a better job communicating, even if it is just to say: "Hey, we're still monitoring our systems. We still have not found any security issues." It's definitely bad PR for them.

But as a forum, we also have to be careful. Sharing experiences is one thing, but until there is proof or an admission of guilt, any talk about discounts, goodwill gestures, etc. from Midwest is a really bad thing for the HomeBrewTalk community. It tells Midwest (and all online retailers): "Hey, we don't care whether this is true or not, we just want you to give us something because there's a lot of us." There's a word for that, it's called 'extortion'.

If Midwest caves before something is proven, it sets a precedent for all online homebrew retailers. It also means there's nothing stopping a thread like this popping up each month targeting a different online retailer in hopes that the bad PR will elicit a discount out of them.

So by all means continue to share your fraud stories if you have something to add, just be aware of where you take the discussion and how it reflects on the forum. I want to be proud to share the fact that I'm a HBT member when I shop at homebrew retailers, both online and in person.

 

[Pappers_]

This horse has been beat to death, I think, in the past 22 pages. I'm closing the thread and moving it to the company review forums.

 

[Face Eater]

Well my last order took almost a month from start to finish with Midwest.

Placed order
10 days go by and still shows pending
Called Midwest and was told there were backordered items and the order should ship out in a few days.
Called a week later and the order was in the grain room and there was nothing they could do to speed it up at this point.
A few more days go by so I called again and this time they re entered the order and shipped out when they said they would the next day.
Only thing was the order was missing stuff.
Called back and they shipped out the missing burner.

Overall that transaction finally came through in the end but shouldn't have taken that long.

Would I give them another shot? Not sure after I had a random charge for 600 dollars on my credit card a month later and seems like that was the trend with Midwest orders lately. The overly long order and frustration of the Midwest order them turned into frustration of dealing with American express. Had to issue me a new card and now I get the joys of making sure all my auto payments to that card get changed over. Do we know for sure if it was a Midwest issue? I don't know but definitely strange that it seems like the people with the fraud ordered from Midwest in and around the same time.

 

[Chef-Ryan]

Hello guys and gals, Anyone from canada order from this company? Any comments concerns regarding ordering stuff over the boarder (not ingredients but more so bottles and equipment)?

 

[JoppaFarms]

My last order shipped in 2 days and arrived 3 days later. Looks like they are getting back in their game. I'll continue to order from them. When I've had problems with ingredients they have always been helpful.

 

[JDGator]

Hello guys and gals, Anyone from canada order from this company? Any comments concerns regarding ordering stuff over the boarder (not ingredients but more so bottles and equipment)?

last time i checked they wouldn't ship to us in Canada. but that very well could have changed.

 

[Chef-Ryan]

Fair Enough .. I didnt even dig that far into it...

 

[MaxStout]

I stopped by to pick up some supplies a few weeks ago. When I got home, I discovered that one of the items, a 2 micron ss aeration stone, was clogged. I had tested it out with some O2 in water, and nothing came out. I also suspect the stone was 0.5 micron, as the pores appeared much finer. The little baggie it was in didn't specify, though the store clerk insisted it was 2 micron.

So I called the store, and the girl who answered said "bring it back and we'll give you a refund or store credit." I told her I live 25 miles away, and only get over to that side of town once in a while. She had me give her my email address, and promptly sent me a store credit for the full amount. She even said not to worry about returning the bad one.

I ended up buying the stone elsewhere (online), as I needed a new one soon. But Midwest's handling of the situation was awesome, and store credit is as good as cash to me, as I'll bring it next time I go in for supplies.

 

[swackattack]

Just ordered a keg glove from them that I badly needed asap. I intended to order from another vendor but the other vendor was out of stock so I ordered from midwest.

While the item was a few bucks cheaper, the shipping quote from midwest was nearly 3x higher. I got the item in the required time so no complaints there but I feel like midwest could do a better job bringing there prices on shipping down. I knwo for a fact I could ship the item cheaper as a consumer.

 

[bmeulebroeck]

I stopped by to pick up some supplies a few weeks ago. When I got home, I discovered that one of the items, a 2 micron ss aeration stone, was clogged. I had tested it out with some O2 in water, and nothing came out. I also suspect the stone was 0.5 micron, as the pores appeared much finer. The little baggie it was in didn't specify, though the store clerk insisted it was 2 micron.

So I called the store, and the girl who answered said "bring it back and we'll give you a refund or store credit." I told her I live 25 miles away, and only get over to that side of town once in a while. She had me give her my email address, and promptly sent me a store credit for the full amount. She even said not to worry about returning the bad one.

I ended up buying the stone elsewhere (online), as I needed a new one soon. But Midwest's handling of the situation was awesome, and store credit is as good as cash to me, as I'll bring it next time I go in for supplies.

Thanks for letting us know! We've gone through the bins to ensure all stones are properly labeled. Glad we got you taken care of; it is meant to be a fun hobby, not a frustrating one.

 

[manofleisure]

Just want to let others who are local to the Twin Cities that Midwest no longer offers the option to order online and then pickup in store.

I tried to check out with that option online and it wouldn't let me. So I got in touch with their customer service department and they replied that they discontinued in-store pickup of online orders since their shipping facility is in a new location. (I don't know when the change happened so my apologies if this isn't news to anyone.)

Looks like I'll be letting my reward points balance expire. My orders lately are small and cost of shipping is greater than the rewards value so there's no point in ordering online just to get reward points.

Online ordering was a great way to check if something was in stock before buying. I guess I'll try stopping by their store and hope they have the ingredients I need.

 

[midwestsupplies]

Just want to let others who are local to the Twin Cities that Midwest no longer offers the option to order online and then pickup in store.

I tried to check out with that option online and it wouldn't let me. So I got in touch with their customer service department and they replied that they discontinued in-store pickup of online orders since their shipping facility is in a new location. (I don't know when the change happened so my apologies if this isn't news to anyone.)

Looks like I'll be letting my reward points balance expire. My orders lately are small and cost of shipping is greater than the rewards value so there's no point in ordering online just to get reward points.

Online ordering was a great way to check if something was in stock before buying. I guess I'll try stopping by their store and hope they have the ingredients I need.

We are still able to give you rewards points at the register. Please ask the next time you are in, and we will set you up.

 

[bmeulebroeck]

We are still able to give you rewards points at the register. Please ask the next time you are in, and we will set you up.

You can also call the store any time to check stock status on items, or place an order for pickup. Use extension 192 to connect directly to the retail front counter.

Thanks!
Brent

 

[manofleisure]

You can also call the store any time to check stock status on items, or place an order for pickup. Use extension 192 to connect directly to the retail front counter.

Thanks!
Brent

That's very helpful. Thanks a bunch!

 

[thatjonguy]

Having my brother pick up 150 pounds of malt this weekend to bring back to ND. Hope it all goes well, first time phone order to the retail store.

Anyone know if you can you use an online giftcard in store?

 

[brew_ed]

I placed a large order (~$200) back in March and my order sat in their queue for 3 days before I started emailing and asking questions. They took forever to answer my emails and they would not upgrade my shipping even after I explained to them that I had hoped to have my order before the weekend. I cancelled the order and ordered from someone else.

This week I thought I would try them out again. I placed a small hardware order on Tuesday, Friday the order still has not shipped. They claim to be experiencing a large volume of orders.

Very slow. Full of excuses. Apparently under-staffed. Will not be buying from them again.

 

[bmeulebroeck]

Having my brother pick up 150 pounds of malt this weekend to bring back to ND. Hope it all goes well, first time phone order to the retail store.

Anyone know if you can you use an online giftcard in store?

Yes you can. We just need the code that was emailed to you and we can make it happen.

 

[brew_ed]

I placed a large order (~$200) back in March and my order sat in their queue for 3 days before I started emailing and asking questions. They took forever to answer my emails and they would not upgrade my shipping even after I explained to them that I had hoped to have my order before the weekend. I cancelled the order and ordered from someone else.

This week I thought I would try them out again. I placed a small hardware order on Tuesday, Friday the order still has not shipped. They claim to be experiencing a large volume of orders.

Very slow. Full of excuses. Apparently under-staffed. Will not be buying from them again.

To be completely fair to Midwest Supplies, I emailed them with my concerns and they offered their apologies as well as a gift towards a future purchase. I would say that is high marks in the customer service department, for sure.

 

[swackattack]

As an update to my review. Upon examination one of the items I purchased was defective. MWS shipped out a new one next day without question. Highly recommended.

 

[thatjonguy]

Yes you can. We just need the code that was emailed to you and we can make it happen.

Thanks! Turns out I already burned the gift card on another purchase but Kristin was awesome during the pickup and over the phone payment processing.

 

[dgrums]

Speculation by Midwest Supplies customers was discussed in a now closed thread about the possibility that the Midwest Supplies website was hacked and many customers had fraudulent charges against their account (myself included). Turns out, their website was hacked on 6/13 and was discovered on 7/19. The report says that customers should expect a letter with a $25 coupon. I've always had good experiences with Midwest and will continue to shop from them (I'll just use PayPal from now on). Guess it wasn't just coincidence though.

 

[passedpawn]

Midwest acknowledges credit card security issue.

https://www.homebrewtalk.com/f14/important-statement-midwest-supplies-429909/

 

[FuzzeWuzze]

Never done business.

Now will NEVER do business.

 

[Hammy71]

Never done business.

Now will NEVER do business.

Unfortunately this kind of stuff seems to happen to every business once in a while. Sometimes its a software problem, or a rouge employee. So, not sure how your comment will protect you. But, at least they fessed up. Most companies do not acknowledged mistakes or errors. Not sure I've ever purchased from them, but there are several on line shops, that people frequent on this site, that have had the same problems. As far as using Paypal, they brag they are secure.....but I got burned even when I used them about 2 years ago. So, try to use a credit card and not your bank card when doing transactions on line. Both should be protected against fraud, but at least your account won't be raided and bills go unpaid while you wait to be refunded. Nothing worse than a thief, weather they've invaded your home or your wallet. This is why the repression of our gun rights are so important. Police aren't a deterent, but a homeowner with a loaded gun is. Sorry for the political rant.

 

[FatDragon]

This is why the repression of our gun rights are so important. Police aren't a deterent, but a homeowner with a loaded gun is. Sorry for the political rant.

A website was hacked. What's that got to do with guns?

 

[thatjonguy]

Got my bags of malt today after my brother picked it up at the store and drove it 9 hours back to ND. The crush includes at least 50% whole grains.

Waiting on a response from Midwest, guess I won't be brewing this week.

 

[mikescooling]

I've never seen a crush like that, it's almost if they mixed uncrushed and crushed? Crazy