Someone added my credit card to their iPhone wallet, how do I prevent that?

Fraud detection alert informed me of a large purchase made a few hours after going through a drive thru, the only time my credit card has been used where it physically left my hand. The store with the fraudulent purchase was literally across the street from the restaurant. Credit card fraud staff were able to see it was used via Apple/iPhone wallet. This means someone scanned my card and added it to their wallet in seconds. What can I do to prevent this from happening? I had not added the card to my Apple wallet; if I had, would that have thrown a flag to Apple when added to a different iCloud/Apple account? What does Apple do to verify a card belongs with the wallet added?

Posted on May 25, 2023 12:26 PM

62 replies
Question marked as Top-ranking reply

May 26, 2023 11:52 AM in response to Jeff Donald

I appreciate both responses, but neither addresses my actual question. I'm trying to learn if having my card already in my Apple Wallet would have triggered an alert somewhere between Apple and card issuer when it was added to someone else's Apple Wallet.


Backstory: I was informed of a fraudulent purchase by the card issuer, which I confirmed was not me, and spoke immediately with their fraud detection department. Having my card in my possession, this was a bit of a surprise. They looked and could see (somehow) the charge was conducted in person in store via Apple Wallet. This was another surprise - how did someone add my card to their Apple Wallet? Hence my question - if I had already put the card in my own Apple Wallet, would its add to a different device have set off more bells? I received no notification when the card was added, not by Apple and not by my card issuer. I have all cards in my possession. The fraud agent said a "scan" can occur "in seconds" adding to the Apple Wallet. Yet when I do it, I have to confirm and confirm again. Somewhere there's a hole in the system and I'm trying to figure out how to make sure it does not happen again.


I don't understand what the card issuer verifies with Apple when the card is added to the wallet - of all the data both corporations have at that moment, why isn't a simple name check conducted? I can't even sign into this community without Apple requiring a verification code sent to a device and entered on screen, why the heck isn't there a two-step authorization required when adding a card to your Apple Wallet, especially if they all know some sort of scan can happen 'in seconds' that can add your card to anyone's Apple Wallet without setting off the alarms?


And for the record, perhaps I'm on the right track about adding it to your own Apple Wallet first - when I got my new card's numbers I added it (manually, of course, the physical cards are still en route) to my Apple Wallet. I next added the card to my spouse's iPhone, and good god, I'm surprised you didn't see it on the news - my home phone rang, I had a text and an urgent email, all from my credit card issuer wanting to confirm the add was legit. Want to know how to stump a Fraud agent? Ask them why they didn't do that when someone not named me added it to their device the day before...


Thanks for the good but (in my case) unnecessary advice.


I'd still love someone who might know something under the covers to give us their take on how this happens and if having the card already in your Wallet helps to trigger alarms when someone not you adds to their wallet. I think everyone who, like me, has hesitated to add their cards to their wallets would appreciate knowing if it actually adds security.

May 25, 2023 12:46 PM in response to McCallSL

Whenever I add a card to my Wallet app I am prompted to input the three digit CCV code. This means whoever did this had physical possession of your card. You seem to indicate you were at a restaurant across the street. Did you hand your card over to a waiter for payment? If so there’s a real possibility that your card was compromised at that point. And using your card in an iPhone Wallet is no different than using the physical card to make a fraudulent purchase.


Bottom line, someone cannot add your credit card to their iPhone Wallet app unless they had all the information required. Adding a card is between the user and their bank/credit card company, not Apple. You could, for example, let your wife or other family member add your card to their Wallet apps. Apple has no way of knowing if the card belongs in the Wallet.


Of course you need to cancel your card and get a new one issued. You should call your credit card company and dispute the charge of course.

May 25, 2023 1:00 PM in response to lkrupp

Excellent post by lkrupp, but just adding additional information: if you use your physical card and swipe it, your card information may be compromised by a practice called skimming, and if you use the chip in the card, it’s subject to shimming, and again, all the data may be compromised and used for fraudulent activity.


The safest method to prevent this is using Apple Pay and Tap-to-Pay where it’s available. I understand that restaurants don’t always support either of those payment methods, and as an alternative use a credit card like Apple Card MasterCard which does not have your card number, expiration date or CVV/CVC printed on the card.

May 26, 2023 1:33 PM in response to Jeff Donald

Adding to Jeff’s excellent reply and getting back to your initial question:


Someone added my credit card to their iPhone wallet, how do I prevent that?


It might appear that the most effective way is by adding it to YOUR wallet.


That combined with NEVER allowing a physical card - with all of your account details fully exposed AND containing an easily copied mag-strip - out of your sight.







Jun 18, 2024 5:30 AM in response to McCallSL

Re: “… This means someone scanned my card and added to their wallet …”


Unfortunately, legacy cards can still be compromised via tried-and-true “old-fashioned” methods.


Anytime you give-up physical control of a legacy card “out in the wild”, it’s an opportunity for compromise.


As far as to how they were placed in the fraudster’s wallet; that means that they HAD to negotiate your card issuer’s verification safeguards.


Leaving a few possibilities. Some examples:


  • The methods your issuer used to verify you were compromised. (e.g. your email, phone numbers, or other methods)


  • The issuer used insufficiently confidential means to verify you. (e.g. the means were based on too-general info reasonably known to — or obtainable by — others)


  • The issuer’s verification system was not working (e.g. “in maintenance / test mode”) and passed-thru the wallet installation w/o applying the appropriate safeguards.


  • It was an “inside” job.


Regardless, I’d encourage you to query your issuer to determine exactly WHAT verification methods were used for the fraudulent wallet installation.


I doubt if your issuer’s fraud department will reveal this info w/o some “prying” on your part. They might well refuse to reveal it altogether.


However, your issuer was apparently “convinced” that the fraudster WAS you. It seems a reasonable request for you - as the bank’s customer - to understand HOW this fraud was committed.






May 26, 2023 12:19 PM in response to McCallSL

This is an interesting thread.


I too find it difficult to believe that your card could be added to another wallet given the built-in cross-checks involved in that process.


My own “suspicion” is that the fraudulent transaction across the street was actually a CNP (card not present) transaction - where the digits are manually typed-in - or else a cloned mag-strip “swipe” transaction.


And that the “human” in the fraud department simply saw that you were enrolled in Apple Pay and imprecisely mis-spoke. (or else his display software simply couldn’t provide the granularity to accurately distinguish between transaction types)


I’d call them back and re-confirm how they distinguish between CNP, EMV (Chip), Tap-to-Pay (card based), Mag-Strip “Swipe” and ApplePay transactions.


Of these options, CNP and “Swipe” are the most vulnerable to fraud.

Aug 9, 2024 9:20 AM in response to Stephchelbattaglia

That’s going to depend on the bank. Some send notifications and some may not. The banks I deal with have always emailed me at the email address they have on file. In order for Apple to ensure privacy, the information they receive and retain is anonymous and Apple cannot tie it to a specific account or user. Your bank, however, approves and verifies account information and identity and then sends the token to Apple servers, which then send it to your device.

Apr 20, 2024 10:32 AM in response to Disbad

The answer is your credit card account information was compromised when you used the physical card for a transaction. The information on the magnetic stripe can be skimmed, the information on the chip can be shimmed. The information (account number, expiration date, name and address, CVV security code etc.) is sold on the Dark Web. Bad actors buy the information and attempt to add it to their Apple and Android devices. The bank approves and verifies adding the information and bad actors make fraudulent transactions on their Apple/Android device until the bank issuing the card figures it out and blocks the card.

May 26, 2023 12:55 PM in response to McCallSL

Not meaning to sound argumentative, but the advice was the solution, at least partial. Only do contactless transactions. Don’t use cards that have numbers printed on them. It’s unrealistic (in my opinion) to expect tech to protect us from ourselves. 


It’s easy to say I don’t want to use Apple Card everywhere, there’s better cash back and points with other cards. Why is that important? What’s more important, earning rewards or greater security/safety? These are personal choices.


The real issue is people learning to adapt to change, use passwords that are impossible to hack, stop doing paper transactions, paper statements and physical transactions that allow for the introduction of fraudulent characters. Not easy, and in a society that wants certain freedoms, it’s almost impossible to protect us from ourselves.


“When you add a card to Apple Pay using a third-party app such as a banking app, the app sends an account or card identifier to your device. This information is used by Apple and your card issuer to determine the eligibility of your card, set up your card with Apple Pay, and to prevent fraud. To help you set up cards that you have, or have recently had, on other devices, Apple stores a card reference with your iCloud account that can be used with the card issuer or payment network to re-add the card after entering the security code. Apple Pay does not store the original credit, debit, or prepaid card number.”


Legal - Apple Pay & Privacy - Apple


I’m not going further than this in response. You can read the document I’ve linked to above. If after skimming/reviewing the article you have questions, I’ll try to respond.

Apr 19, 2024 5:07 PM in response to McCallSL

The same thing happened to me: fraudulent charges on my credit card account made via Apple Pay. I have never used Apple Pay although I did have my credit card linked to it in case I ever needed it. It was my credit card company that suggested I do that. I had never given my Apple ID to anyone and my credit card had never left my hand. Through much research I think I figured out what happened: I have an iPhone and an iPad. While my phone was protected via facial recognition technology, I left my iPad unlocked and with the passcode off because it never leaves the house and I’m its only user. Apparently an unlocked device can be hacked. I had seen Norton warnings on my iPad but thought it was okay to use it unlocked at home. Hackers are bloody sophisticated! I have since changed my iPad passcode and turned it on and added a fingerprint. For good measure, I changed my Apple ID too. Needless to say, I informed my credit card company and cancelled my card. They were the ones who told me the charges were made via my Apple Pay, although I can’t find a record of them there. Hackers will make a “test” charge to find your Apple Pay limit. The first charge they attempted was over my Apple Pay limit (which I didn’t know I had!) and was declined so the subsequent charges were lower and went through. Eleven of them. Oh honestly — sometimes technology can be so easily used against us. Hope this helps somebody out there!

Apr 23, 2024 5:13 AM in response to happyhappyjoyjoyjoy

A credit card isn’t tied to just one Apple ID. They just need to verify the card through the bank and it goes onto another device. During the verification process the bank will send a verification code to the information on their records. If the bank is hacked, the fraudster substitutes their information for yours. This is called social engineering.


If your Apple ID is compromised, they put your information on their device and socially engineer you into giving them your 2FA code.


Apple Pay uses a DPAN (Device Primary Account Number) instead of the actual account number. Each DPAN is device specific. The bank knows which device was used to complete the transaction.


The PAN (actual card number) was acquired in several ways. The most common are when you swipe or insert the card in a compromised terminal to complete a transaction. Another way is by hacking into merchants, banks or basically anywhere that has payment information. The last is by locating merchants that have weak security and do a brute force attack on their systems. One of the easiest is a brute force BIN attack.

May 23, 2024 4:03 AM in response to HuzzahWell

Adding a card to Apple Pay does require additional verification steps. If a card is added manually, the bank that issued the cards takes additional steps to verify the card.


When a card is added to Apple Wallet on a device, it’s issued a DPAN (Device Primary Account Number). DPANs are unique to each device the card is added to. When a card is reported stolen, the card is blocked and new DPANs are issued. Many banks “push” the updated DPAN to the remaining cards on the device. When the bank updated the DPAN, it’s possible they updated the fraudster’s DPAN on the Apple device it was installed on.


Another possibility is the charges on the iTunes Store are a result of a subscription. Subscriptions are automatically updated to the new card number by the PNO (Payment Network Operator — Visa, MasterCard etc.). This is a service many merchants and banks participate in. MasterCard’s is called Automatic Service Updater. You can learn more about it here:


https://www.mastercard.us/en-us/business/overview/grow-your-business/improve-checkout/bill-payment-services.html
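
Added example, not part of any post in this thread and not Apple's or any issuer's code: a simplified Python model of the per-device DPAN mapping described in the replies above. It shows how a charge can be attributed to a device, and what changes when an issuer reviews device tokens before carrying them over to a replacement card. The class, field names, the re-mapping of tokens on reissue and all sample values are constructed assumptions.

```python
"""Simplified model of per-device payment tokens (DPANs). Constructed example."""
import secrets
from dataclasses import dataclass


@dataclass
class DeviceToken:
    dpan: str               # device-specific number presented at the terminal
    device_id: str          # issuer's label for the device (hypothetical field)
    step_up_verified: bool  # True if the cardholder confirmed the add (code, call)
    active: bool = True


class TokenVault:
    def __init__(self):
        self._tokens = {}   # dpan -> DeviceToken
        self._pan_of = {}   # dpan -> card number (PAN) the token maps to

    def provision(self, pan, device_id, step_up_verified):
        # Constructed 16-digit token; it is never equal to the card number.
        dpan = "".join(secrets.choice("0123456789") for _ in range(16))
        self._tokens[dpan] = DeviceToken(dpan, device_id, step_up_verified)
        self._pan_of[dpan] = pan
        return dpan

    def attribute(self, dpan):
        """Return (pan, device_id) for a charge, or None if the token is unusable."""
        tok = self._tokens.get(dpan)
        if tok is None or not tok.active:
            return None
        return self._pan_of[dpan], tok.device_id

    def devices_for(self, pan):
        return sorted(t.device_id for d, t in self._tokens.items()
                      if self._pan_of[d] == pan and t.active)

    def reissue(self, old_pan, new_pan, review_tokens=True):
        """Replace a compromised card. With review_tokens, tokens that were
        provisioned without step-up are suspended instead of carried over."""
        suspended = []
        for dpan, tok in self._tokens.items():
            if self._pan_of[dpan] != old_pan or not tok.active:
                continue
            if review_tokens and not tok.step_up_verified:
                tok.active = False
                suspended.append(tok.device_id)
            else:
                self._pan_of[dpan] = new_pan
        return suspended


def demo(review_tokens):
    vault = TokenVault()
    old, new = "4000000000000002", "4000000000000010"  # constructed card numbers
    vault.provision(old, "owner-iphone", step_up_verified=True)
    rogue = vault.provision(old, "unknown-phone", step_up_verified=False)
    before = vault.attribute(rogue)          # the charge traces to one device
    suspended = vault.reissue(old, new, review_tokens)
    return before, suspended, vault.devices_for(new), vault.attribute(rogue)
```

Comparing `demo(True)` with `demo(False)` shows the difference between suspending the unverified device token at reissue and silently carrying it over to the new card.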



May 23, 2024 6:29 AM in response to HuzzahWell

Re: “… Cancelling a card should automatically remove it from Apple Pay. Or Apple Pay does a check for validity with the credit card company each time a payment is attempted …”


ApplePay - more accurately the world-wide payments infrastructure - IS checking for validity … with EVERY charge processed.


It all comes down to the fundamental security and validity of an issuer’s “Verification” processes.


As far as cancelling a compromised physical card ALSO cancelling in-wallet cards …


At least with the “major” issuers - cancelling a compromised card generally results in an automatic update of your ApplePay wallet.


From a service perspective, this is quite useful as it allows you to resume using your card BEFORE the physical replacement arrives.


Unfortunately, it assumes that a card - once installed in an Apple Wallet - is valid and under the control of the card owner or an authorized user.


We’re seeing that this is possibly not necessarily true; apparently fraudsters have found ways to successfully negotiate some issuers’ verification processes.


Once issuers start feeling the pain from “eating” the costs of more fraudulent charges, I’d suspect that increasingly sophisticated “validation” - less phishable - methods might be implemented.


Of course, w/ CCard interest rates - and issuer profits - being what they are … issuers can “eat” a lot of fraudulent use before it becomes sufficiently painful to decisively act. 🤔


Jun 18, 2024 12:35 AM in response to whattheheck123

Apple would have more than likely stopped the card from being added. Fraudsters get around this by using the mobile app or website for the bank that issued the card. By going through the app, the bank allows Two Factor Authentication (2FA) to be bypassed. The mobile apps allow fraudsters to just answer one or two security questions, with no 2FA that requires your approval. Banks refer to this as lowering customer friction, meaning frustration and anger when customers have issues adding it themselves to the Apple Wallet app.
