EVGO Warning - insecure service

Zoidz

EVGo says they have protection against "impossible charges" where if one is initiated somewhere you couldn't possibly drive to in time, then it flags it. Of course I have never heard of this being demonstrated.

Devices like Keysight's SL1556A do exist, and I believe it's possible to use an inductive coupler over the entire cable to sniff the data due to the way PLC works.
I'm not sure how they could reliably accomplish that "drive to in time" feature? I can see that working if there was a transaction in Pennsylvania and then 20 minutes later one in Colorado. But if someone is collecting multiple MACs and using them once a week at the same or nearby chargers within 20 - 50 miles, I think the odds are pretty good it might go undetected. Oh snap, AI will certainly solve that problem, lol. AI is the solution to everything, right?
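
As an added illustration (not part of the original posts, and not EVgo's actual logic): a minimal velocity check of the kind discussed above, using an assumed 90 mph threshold and constructed sessions. It flags the Pennsylvania-to-Colorado case and produces no alert for a session a week later about 25 miles away, which is why a speed check alone cannot stand in for verifying the vehicle at pairing time.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_MPH = 90.0   # assumed threshold; the operator's real value is not on the page
MIN_MILES = 1.0            # ignore back-to-back sessions at the same site

PHILADELPHIA = (39.9526, -75.1652)
DENVER = (39.7392, -104.9903)
WILMINGTON = (39.7391, -75.5398)

# Constructed sample sessions: account, time the charge was initiated, charger location.
SESSIONS = [
    {"account": "acct-A", "start": datetime(2023, 8, 1, 10, 0), "loc": PHILADELPHIA},
    {"account": "acct-A", "start": datetime(2023, 8, 1, 10, 20), "loc": DENVER},
    {"account": "acct-B", "start": datetime(2023, 8, 1, 9, 0), "loc": PHILADELPHIA},
    {"account": "acct-B", "start": datetime(2023, 8, 8, 9, 0), "loc": WILMINGTON},
]

def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def impossible_charges(sessions, max_mph=MAX_PLAUSIBLE_MPH):
    """Flag consecutive sessions on one account that imply travel faster than max_mph."""
    flagged, last = [], {}
    for cur in sorted(sessions, key=lambda s: s["start"]):
        prev = last.get(cur["account"])
        last[cur["account"]] = cur
        if prev is None:
            continue
        miles = haversine_miles(prev["loc"], cur["loc"])
        hours = (cur["start"] - prev["start"]).total_seconds() / 3600
        # Zero elapsed time between distant chargers is treated as infinitely fast.
        mph = miles / hours if hours > 0 else math.inf
        if miles >= MIN_MILES and mph > max_mph:
            flagged.append({"account": cur["account"], "miles": round(miles), "mph": mph})
    return flagged

if __name__ == "__main__":
    for hit in impossible_charges(SESSIONS):
        print(f"{hit['account']}: {hit['miles']} mi at {hit['mph']:.0f} mph required")
```

Straight-line distance understates driving distance, so the check errs toward fewer alerts rather than false ones.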

connoisseurr

Didn't know DCFCs are based on AI and had emotions... you know, being insecure about how unsecure they are...

Title needs to be updated: unsecure, not insecure.
 

Electrified Outdoors

Man that's not good! Hopefully they are refunding you. Sounds like you may need to close that account and open a new one.

I wonder if it would be better to use a virtual credit card instead of your real card number? VCCs are nice because you can set limits and turn them off and on easily to prevent fraudulent charges.
 

Christopher

I'm not tracking how this relates to being a vulnerability or not PCI compliant.

Sure there may be a bug with the EVgo app but somebody calling this a vulnerability??
 

Oldsmobile_Mike

> Ah. The EVgo employee has arrived. My post is only to warn users of the risks. Blaming the users for your insecure service is a bad look.

I was going to say the same thing after reading their first couple sentences. What a shill.
 


Zoidz

> Didn't know DCFCs are based on AI and had emotions... you know, being insecure about how unsecure they are...
>
> Title needs to be updated: unsecure, not insecure.

Sorry, I could not resist this one...
 

shandel

I had a similarly strange experience with an EA charger in South Lake Tahoe this weekend. I pulled up to the 350kwh charger and tried to get set up for charging. The charger said initiating charge but never started. Another Rivian pulled into the other 350kwh charger and got plugged in. I tried unplugging and plugging in and initiating the charge again. It didn't work. In the meantime, his did start charging. I moved my Rivian over to the 150kwh charger next to his and tried to get set up there. I then noticed the screen where he was charging said "Hi, [my name]". I looked in my app and it said I was charging. I stopped the charge from my app and his Rivian stopped charging.

So, there is either something very screwed up at that local EA charger where the terminals are somehow miswired or they have some other bigger issue. Either way, there is a similar problem to what is described here with evGo.
 

prestapost

> Ah. The EVgo employee has arrived. My post is only to warn users of the risks. Blaming the users for your insecure service is a bad look.

Honestly, if we are wondering who is the shill… one of you has started 25 threads and posted 4500 times. The other has one thread. Maybe you work for an EVgo competitor?!? ;)
 

Zoidz

> I'm not tracking how this relates to being a vulnerability or not PCI compliant.
>
> Sure there may be a bug with the EVgo app but somebody calling this a vulnerability??

I had similar experiences with their support and the fact that the “backoffice” had to fix things, but I’ve yet to hear about it. I was scouting an EVGO charger *on their website* that was 100s of miles away for an upcoming roadtrip and noticed it said “autocharge, learn more”. I clicked that and it immediately said “plug in your vehicle to activate autocharge” with no way to cancel out of it. Well…as you can guess, someone plugged in during that time and their car got paired to my account. I’ve spent a collective total of two hours on the phone with their crappy support trying to get the car unpaired (which still isn’t done) and their charges refunded. This should **never** be allowed to happen. It’s poorly designed.
I guess it could be argued it's not a vulnerability per se, but IMO it is subject to PCI scrutiny because they allow the association of an unknown/unverified network device with the user account data. Some sort of MFA would prevent this.

 

HaveBlue

Always good to have a separate throw away cc that you don't mind cancelling since there is no way to control how a third party will handle the info.
 

Throwdown

I would only use them in general if there were no others, they are the priciest stations I've ever been to. Last one I was at was .50 per kwh with a $9.99 session fee, no thanks
 

UnsungZero_OldTimeAdMan

> I would only use them in general if there were no others, they are the priciest stations I've ever been to. Last one I was at was .50 per kwh with a $9.99 session fee, no thanks

Can't believe I'm saying this... they make EA look good.
 

RivianMatt

As someone who will have his very first EV (an R1S) hopefully within two weeks, I don't have any experience with the charging network yet. But relative to the security of credit card numbers, I would hope that the charging networks are set up to accept systems such as ApplePay, by which the merchant doesn't actually ever get our specific credit card numbers. Is that not the case?
 

azbill

> I had a similarly strange experience with an EA charger in South Lake Tahoe this weekend. I pulled up to the 350kwh charger and tried to get set up for charging. The charger said initiating charge but never started. Another Rivian pulled into the other 350kwh charger and got plugged in. I tried unplugging and plugging in and initiating the charge again. It didn't work. In the meantime, his did start charging. I moved my Rivian over to the 150kwh charger next to his and tried to get set up there. I then noticed the screen where he was charging said "Hi, [my name]". I looked in my app and it said I was charging. I stopped the charge from my app and his Rivian stopped charging.
>
> So, there is either something very screwed up at that local EA charger where the terminals are somehow miswired or they have some other bigger issue. Either way, there is a similar problem to what is described here with evGo.

I charged at that site several times last week, including Saturday, with no issues. Are you 100% sure you did not select the wrong charger number in the app? I always swipe the app first, then wait for the charger screen to tell me to plug in. EA told me a long time ago to do it that way, even though the stupid screen states "plug in first".
 

prestapost

The problem with charging networks isn’t credit card theft, despite the unhinged post that started this thread. The problem is inconsistency in how they work, likelihood of user error, and broken chargers.

Even though this thread seems like it’s about credit card security and PCI compliance, it’s really about usability. You’ll probably love your EV, but you’ll also probably have some frustrating moments at a public charger. Most of us are just glad we can do the vast majority of our charging at home.