Someone added my credit card to their iPhone wallet, how do I prevent that?

This exact thing happened to me today, hence why I’m on this forum trying to figure out how this happened. I got a call from AMEX asking about “a purchase I just tried to make at a duty free store using my Apple Wallet in Dublin Ireland.” So my question is exactly the same as yours “how was someone able to put my card in their Apple Wallet?” I am in possession of my card. How did they get all of my information. I don’t even know how to now keep myself safe because I don’t know how they got the information. AMEX suggested “maybe my Apple Wallet was hacked or maybe my iPhone was hacked” is that even possible??? It was strange when I checked my Apple Wallet to see if any purchases were made I noticed that my AMEX card had a little sentence under the card that said “this card cannot be used” how and when did that happen? Who do I contact to see when my AMEX card was disabled (not removed, just disabled) from my Apple Wallet? What’s strange is when I installed my credit cards I had to contact the bank, but yet some random just was able to load my card without having to contact my bank?🤦🏻‍♀️

The same thing happened to me: fraudulent charges on my credit card account made via Apple Pay. I have never used Apple Pay although I did have my credit card linked to it in case I ever needed it. It was my credit card company that suggested I do that. I had never given my Apple ID to anyone and my credit card had never left my hand. Through much research I think I figured out what happened: I have an iPhone and an iPad. While my phone was protected via facial recognition technology, I left my iPad unlocked and with the passcode off because it never leaves the house and I’m its only user. Apparently an unlocked device can be hacked. I had seen Norton warnings on my iPad but thought it was okay to use it unlocked at home. Hackers are bloody sophisticated! I have since changed my iPad passcode and turned it on and added a fingerprint. For good measure, I changed my Apple ID too. Needless to say, I informed my credit card company and cancelled my card. They were the ones who told me the charges were made via my Apple Pay, although I can’t find a record of them there. Hackers will make a “test” charge to find your Apple Pay limit. The first charge they attempted was over my Apple Pay limit (which I didn’t know I had!) and was declined so the subsequent charges were lower and went through. Eleven of them. Oh honestly — sometimes technology can be so easily used against us. Hope this helps somebody out there!

Hi, welcome to the Apple Support Community. I’m happy to assist/explain the 8 month old post you’re responding to.

Please re-read the original post (the one you’re responding to). Please let me copy and paste it for your convenience;

>>the only time my credit card has been used where it physically left my hand. The store with the fraudulent purchase was literally across the street from the restaurant.<<

The Original Poster clearly stated he gave the card to a merchant (first time the card ever left his possession) and a few moments later a fraudulent charge was made at a merchant across the street. However, because a support member at his bank said it was through Apple Pay, it had to be Apple Pay’s issue. Do you possibly see the support person was poorly trained, or the Original Poster misunderstood what was said, or the support person deliberately lied to avoid any responsibility and push the issue off on Apple? There’s a dozen other things that could be wrong in the assumptions being made by the OP.

So, moving forward to your issue. What would you like to have explained so that you fully understand how Apple Pay works and can feel confident in the security of the system?

My situation...

April 10th, noticed charges on my credit card pending that I didn't make. Closed card with bank and they replaced it with a new card. Automatically placing that card into my apple wallet.

Today, I noticed 5 much larger charges were pending on my account. (same account, different card)

Went to bank again. I also noticed when I shut card off on my bank app, it showed my card was attached not only to my phone but to some other persons random phone! My bank did not automatically add my new credit card onto my apple pay this time. I am not sure if I will ever add it again except I use that to pay for my itunes and storage.

I went back through my emails and see my bank sent an email saying my phone was added to that apple pay account way back in February.

I'm just puzzled if it is my bank where they got the information, my email (which is the same for bank and apple) or apple pay. So frustrating!!

Adding a card to Apple Pay does require additional verification steps. If a card is added manually, the bank that issued the cards takes additional steps to verify the card.

When cards are added to Apple Wallet on a device it’s issued a DPAN (Device Primary Account Number). DPAN’s are unique to each device it’s added to. When a card is reported stolen, the card is blocked and new DPAN’s are issued. Many banks <push> the updated DPAN to the remaining cards on device. When the bank updated the DPAN, it’s possible they updated the fraudsters DPAN on the Apple device it was installed on.

Another possibility is the charges on the iTunes Store are a result of a subscription. Subscriptions are automatically updated to the new card number by the PNO (Payment Network Operator — Visa, MasterCard etc.). This is a service many merchants and banks participate in. MasterCards is called Automatic Service Updater. You can learn more about it here,

https://www.mastercard.us/en-us/business/overview/grow-your-business/improve-checkout/bill-payment-services.html

Unfortunately, Apple Pay doesn’t prevent credit card fraud perpetrated the “old fashioned way.”

As far as the fraudsters being able to add it to THEIR Apple Wallet, it would be quite illuminating to know exactly what methods and criteria your issuer used for the “verification.”

(although I doubt if they would ever share it with you)

That doesn’t explain your situation. A payment method can’t be added to an Apple device that doesn’t have biometrics or a passcode with Two Factor Authentication enabled. If you turn off your Face ID/biometrics or disable 2FA your payment methods are instantly removed.

A credit card isn’t tied to just one Apple ID. They just need to verify the card through the bank and it goes onto other device. During the verification process the bank will send verification code to information on their records. If bank is hacked, fraudster substitutes their information for yours. This is called social engineering.

If your Apple ID is compromised. They put your information on their device and socially engineer you into giving them your 2FA code.

Apple Pay uses a DPAN (Device Primary Account Number) instead of the actual account number. Each DPAN is device specific. The bank knows which device was used to complete the transaction.

The PAN (actual card number) was acquired in several ways. The most common are when you swipe or insert the card in a compromised terminal to complete a transaction. Another way is by hacking into merchants, banks or basically anywhere that has payment information. The last is by locating merchants that have weak security and do a brute force attack on their systems. One of the easiest is a brute force BIN attack.

Not meaning to sound argumentative, but the advice was the solution, at least partial. Only do contactless transactions. Don’t use cards that have numbers printed on them. It’s unrealistic (in my opinion) to expect tech to protect us from ourselves. 

It’s easy to say I don’t want to use Apple Card everywhere, there’s better cash back and points with other cards. Why is that important? What’s more important, earning rewards or greater security/safety? These are personal choices.

The real issue is people learning to adopt to change, use passwords that are impossible to hack, stop doing paper transactions, paper statements and physical transactions that allow for the introduction of fraudulent characters. Not easy, and in a society that wants certain freedoms, it’s almost impossible to protect us from ourselves. 

>> >> When you add a card to Apple Pay using a third-party app such as a banking app, the app sends an account or card identifier to your device. This information is used by Apple and your card issuer to determine the eligibility of your card, set up your card with Apple Pay, and to prevent fraud. To help you set up cards that you have, or have recently had, on other devices, Apple stores a card reference with your iCloud account that can be used with the card issuer or payment network to re-add the card after entering the security code. Apple Pay does not store the original credit, debit, or prepaid card number. <<

Legal - Apple Pay & Privacy - Apple

I’m not going further than this in response. You can read the document I’ve linked to above. If after skimming/reviewing the article and you have questions, I’ll try to respond. 

The answer is your credit card account information was compromised when you used the physical card for a transaction. The information on the magnetic stripe can be skimmed, the information on the chip can be shimmed. The information (account number, expiration date, name and address, CVV security code etc.) is sold on the Dark Web. Bad actors buy the information and attempt to add it to their Apple and Android devices. The bank approves and verifies adding the information and bad actors make fraudulent transactions on their Apple/Android device until the bank issuing the card figures it out and blocks the card.

The real solution is around the corner. Visa announced Tuesday changes to their cards starting in 2026. Basically, they become like Apple Card Mastercard. There will be no numbers printed on the card, front or back and eventually no magnetic stripe or chip. They will rely on services like Apple Pay and Tap-To-Pay. But it’ll give the option to choose whether to use debit or credit card or set preferences, like transactions under a set amount will be debit charges etc. You’ll even be able to switch after the transaction is completed.

Mastercard has already announced that starting in 2026, no more magnetic stripes.

Even if they did get into the Secure Element and Secure Enclave on your iPhone, they’d get encrypted data. Encryption that your bank used. The key to decrypt the data isn’t in your iPhone/devices, it’s on your bank’s servers, not Apples.

If you want to go with that story that’s great. But the Secret Service doesn’t believe it, the FBI doesn’t believe it, the Office of the Comptroller doesn’t believe it, the Federal Reserve Bank doesn’t believe it, Federal Trade Commission doesn’t believe it, Consumer Financial Protection Bureau doesn’t believe it and people in your bank’s fraud department don’t believe it.

You talked to a tier one support person at American Express, right? But you believe what they told you. Is that right? Because they couldn’t explain it, they said call Apple.

American Express support misinformed you. Apple has no way of know if you're the account owner or the fraudster. Apple will discuss the fraud with the proper legal authorities and your bank. American Express knew that, but they wanted to just get you off the support call.

Apple only has encrypted data, they could not determine the wallet/device used if they wanted to.

American Express can see all the devices the card has been added to. It’s their card, they verified adding it to your iPhone. The bank can remove the cards/tokens from all devices if they want to. Ask their fraud department why they haven’t or won’t do it. Ask their fraud department why they authorized fraudulent charges? Apple didn’t authorize the charges. The encrypted transaction details are sent to American Express and they decrypt it and authorize or decline the transactions. Ask why they authorized fraudulent charges.

This post may come across as if I’m angry or upset. It’s just my writing style. If my post upset you, I’m sorry. That was never my intent. I’m just trying to lead you to a resolution. I'm happy to answer any questions and help anyway I can. 😀

The bank that issued the card, also verified the card and added it to the device. Call the number on the back of the card and report the fraud. The bank controls the card when added to device and can have card removed.