
Apple Pay has been hacked, what to do?

I thought Apple Pay was an added form of protection. In one day two cards were hacked. Help?


[Re-Titled by Moderator]

Apple TV 4K, tvOS 16

Posted on Nov 1, 2023 7:42 AM

Question marked as Best reply

Posted on Feb 29, 2024 2:23 PM

So, from day one you added the card to Apple Pay and have used Apple Pay on your iPhone for every transaction since?


You’re saying you’ve never swiped your card or inserted your card in a transaction terminal? Not once never?

38 replies

Jan 11, 2024 2:48 PM in response to Datkutiekisha

Wow, you didn’t read my reply. I’ll copy and paste it again for your convenience. You need to secure your Apple ID Account before more cards are compromised.


>>No, Apple Pay cannot be >hacked<. All the credit/debit card numbers on your iPhone are encrypted. Your iPhone doesn’t have the key to decrypt, Apple doesn’t have the key, the merchant doesn’t have the key, only your bank has the key.


However, humans make mistakes. If you were tricked into revealing your Two Factor Authentication code or your Apple ID Account was hacked, the issue is on you.


You need to change the password to your Apple ID and remove any devices you do not recognize listed on your Apple ID Account.<<

Jan 27, 2024 1:27 PM in response to bobdigital

bobdigital wrote:

Jeff you seem to be well informed so had a question. Today someone attempted fraud using what GS says was Apple Pay. It was declined bc of a mismatch of information (what I assume was my Apple Card # and the date/CVV). I have not shared my 2FA with anyone nor did I receive any 2FA request on my Apple devices prior to the attempted fraud. I have never used my physical Apple Card nor have I entered my digital Apple Card # into any payment gateway. I have only used my Apple Card via Apple Pay 1) online and 2) via Apple Pay in a few physical stores. All this said, they want me to change my Apple ID password. I don't mind doing it, but I haven't seen any signs of someone trying to log in with a compromised ID/Pass anywhere so I don't believe that's how the fraud happened. Do you think someone just used an emulator to try random 16-digit combinations of credit card #s with random expiration dates and CVVs?

Most likely one of the stores where you used Apple Pay was hacked, and your card number and expiration were stolen, then someone tried to add the card using that information to their Apple Pay, which failed, of course.



Jan 27, 2024 5:14 PM in response to bobdigital

Yes, a mass attack is certainly a possibility. These attacks are known as brute force BIN attacks. Fraudulent actors gain access to a smaller business with weak security. They know the first 6 digits of the credit card are the Bank Identification Number (BIN) and put through tens of thousands of numbers and collect the hits that work. Then they use the numbers in a website and collect the transactions.

Jan 11, 2024 6:03 AM in response to RobShaw2222

No, Apple Pay cannot be >hacked<. All the credit/debit card numbers on your iPhone are encrypted. Your iPhone doesn’t have the key to decrypt, Apple doesn’t have the key, the merchant doesn’t have the key, only your bank has the key.


However, humans make mistakes. If you were tricked into revealing your Two Factor Authentication code or your Apple ID Account was hacked, the issue is on you.


You need to change the password to your Apple ID and remove any devices you do not recognize listed on your Apple ID Account.

Jan 27, 2024 5:35 PM in response to bobdigital

Yes, your statement is correct and the raw (decrypted) data is encrypted and neither Apple nor your iPhone has the raw data. The encrypted data is transmitted to the bank and they verify the data is good and authorize (verify) the card to be added to Apple Wallet. The bank and only the bank has the key to decrypt the data. Any raw data entered via device is deleted and only encrypted data is stored on device or Apple servers.


When a transaction is started, a one time use token (encrypted) is generated and used throughout the transaction process. All the merchant ends up with is an approval or a decline, transaction number and last four digits of the token/device number, that can be used as an identifier in case of refund or dispute. If Apple Pay is used, the merchant has very little information and none is really usable.


Sharing an MFA code is more likely or hacking an Apple ID/iCloud account. My Apple ID account password is over 35 characters. It’s easy to remember too.

Jan 30, 2024 10:36 AM in response to bobdigital

So, Apple Card has 3 sets of numbers. One number is the mag stripe/chip, another number is the virtual number you can change in the Apple Wallet/Apple Card. The third number is the device number. That’s the encrypted number that only the bank has the key to. The other 2 numbers are the standard 16 digit number. But the length of the device number is unknown. The last 4 digits of the device number are disclosed in the Wallet app and this is to facilitate returns and refunds.


The first 6 digits of the 16 digit card number identify the bank (BIN). The link below may help.


https://chargebacks911.com/bank-identification-numbers/


If I’m a fraudulent actor I target a single bank using the first 6 numbers. Then I attack a merchant account with a list of numbers behind the 6 digit BIN target. It’s random, but it works. The first transaction is usually small so as not to attract attention. Those account numbers that get a successful transaction are recorded and exploited at a later date.
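
The BIN attack described in the two replies above leaves a recognizable pattern on the merchant side: one source trying many different card numbers under the same 6-digit BIN, mostly declined. The sketch below is an added example, not part of the original thread; the log format, field names, thresholds and sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log, in time order. Fields: time, source IP,
# BIN (first 6 digits), card fingerprint (a hash stand-in, never the raw
# number), amount, result. All values are made up for this example.
SAMPLE_LOG = """\
2024-01-30T12:00:01 203.0.113.7 400000 fp01 1.00 DECLINE
2024-01-30T12:00:03 203.0.113.7 400000 fp02 1.00 DECLINE
2024-01-30T12:00:04 198.51.100.20 510000 fp90 42.50 DECLINE
2024-01-30T12:00:05 203.0.113.7 400000 fp03 1.00 DECLINE
2024-01-30T12:00:07 203.0.113.7 400000 fp04 1.00 DECLINE
2024-01-30T12:00:09 203.0.113.7 400000 fp05 1.00 DECLINE
2024-01-30T12:00:11 203.0.113.7 400000 fp06 1.00 APPROVE
2024-01-30T12:00:30 198.51.100.20 510000 fp90 42.50 APPROVE
2024-01-30T12:01:10 198.51.100.21 400000 fp77 18.99 APPROVE
"""

def parse(line):
    ts, src, bin6, fp, amount, result = line.split()
    return datetime.fromisoformat(ts), src, bin6, fp, float(amount), result

def detect_bin_enumeration(lines, window=timedelta(minutes=5),
                           min_cards=5, min_decline_ratio=0.8):
    """Flag (source, BIN) pairs that tried many distinct cards under one BIN
    inside the sliding window while most attempts were declined."""
    recent = defaultdict(deque)  # (source, BIN) -> (time, fingerprint, declined)
    flagged = set()
    for line in lines:
        ts, src, bin6, fp, _amount, result = parse(line)
        attempts = recent[(src, bin6)]
        attempts.append((ts, fp, result == "DECLINE"))
        while ts - attempts[0][0] > window:  # drop attempts older than window
            attempts.popleft()
        cards = {f for _, f, _ in attempts}
        declined = sum(d for _, _, d in attempts)
        if len(cards) >= min_cards and declined / len(attempts) >= min_decline_ratio:
            flagged.add((src, bin6))
    return sorted(flagged)

if __name__ == "__main__":
    for src, bin6 in detect_bin_enumeration(SAMPLE_LOG.splitlines()):
        print(f"possible BIN enumeration: source={src} BIN={bin6}")
```

A single customer retrying one declined card (the 198.51.100.20 lines) is not flagged, because the rule keys on the number of distinct cards per source and BIN rather than on declines alone.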



Jan 30, 2024 12:19 PM in response to Lawrence Finch

One of the biggest loopholes is the transit card feature. The transit companies’ security is fairly low, in my opinion, and data is being captured when people use that feature. But the real problem was Visa and MasterCard. This security issue was mostly, if not completely plugged last year. But if devices aren’t updated etc., issues can continue. It also took Visa a while to acknowledge their issue and block the exploit on their side. You can search the internet for much of the details.


Just like on the forums here, many things you’ll read on the internet refer to Apple Pay being hacked, when in reality it’s just simple fraud on their Apple Cash account. The account holder/owner sends money for the purchase of goods or services and disappears. But the post you’ll read is “My Apple Pay was Hacked!”


Another method of fraud is numbers sold on the dark web. These are usually attained by fraudulent actors using a skimmer (collects data off mag stripe) or a shimmer (collects data off the chip) when the physical card is used for transactions. The number is then sold on the Dark Web and can be added to an Apple Pay account.

Feb 25, 2024 7:58 AM in response to Hev6969

No, your credit card number was skimmed or shimmed. Skimming is when you swipe your card and the magnetic data is captured by a device called a skimmer. Fraudulent actors then enter the data online or create a fraudulent card (fake) with your data. A shimmer is similar, but captures data off the chip.


Please contact your credit card servicer by calling the phone number on the back of the compromised card. When calling, ask for the fraud department.

Mar 20, 2024 7:21 AM in response to jlsycks

Your Apple Wallet is never charged, it is a passthrough for credit and debit cards. But the wallet itself is never involved in a transaction. Payment methods you have in your Apple wallet can be defrauded, but that does not mean the wallet had anything to do with the transaction. A credit or debit card can be compromised in many ways, but not through Apple Wallet.

Mar 20, 2024 7:38 AM in response to jlsycks

Most likely your card was either skimmed or shimmed. Skimming gathers card information off the magnetic strip on the card. This typically is done at gas stations, ATM machines or convenience stores. Shimming is similar but gathers data from the chip. Once a fraudulent actor has the data they can sell it on the Dark Web and/or make hundreds of fake credit cards. The information can be added to an Apple or Android device and digital wallets can be used for transactions online and in person.


Apple is not a bank and only stores and has access to encrypted card information. iPhone is a secure device that transmits encrypted data between your iPhone, the merchant, Payment Network (Mastercard, Visa etc.) and the issuing bank. Apple, your iPhone and the merchant do not have the key to decrypt the data. Only the issuing bank has the key. Only the issuing bank can approve or decline any transaction.


Call the fraud department at the issuing bank of the compromised credit card(s). The number is on the back of the card. You may also file a police report. M


