Someone added my credit card to their iPhone wallet, how do I prevent that?

This exact thing happened to me today, hence why I’m on this forum trying to figure out how this happened. I got a call from AMEX asking about “a purchase I just tried to make at a duty free store using my Apple Wallet in Dublin Ireland.” So my question is exactly the same as yours “how was someone able to put my card in their Apple Wallet?” I am in possession of my card. How did they get all of my information. I don’t even know how to now keep myself safe because I don’t know how they got the information. AMEX suggested “maybe my Apple Wallet was hacked or maybe my iPhone was hacked” is that even possible??? It was strange when I checked my Apple Wallet to see if any purchases were made I noticed that my AMEX card had a little sentence under the card that said “this card cannot be used” how and when did that happen? Who do I contact to see when my AMEX card was disabled (not removed, just disabled) from my Apple Wallet? What’s strange is when I installed my credit cards I had to contact the bank, but yet some random just was able to load my card without having to contact my bank?🤦🏻‍♀️

Unfortunately, Apple Pay doesn’t prevent credit card fraud perpetrated the “old fashioned way.”

As far as the fraudsters being able to add it to THEIR Apple Wallet, it would be quite illuminating to know exactly what methods and criteria your issuer used for the “verification.”

(although I doubt if they would ever share it with you)

That doesn’t explain your situation. A payment method can’t be added to an Apple device that doesn’t have biometrics or a passcode with Two Factor Authentication enabled. If you turn off your Face ID/biometrics or disable 2FA your payment methods are instantly removed.

My situation...

April 10th, noticed charges on my credit card pending that I didn't make. Closed card with bank and they replaced it with a new card. Automatically placing that card into my apple wallet.

Today, I noticed 5 much larger charges were pending on my account. (same account, different card)

Went to bank again. I also noticed when I shut card off on my bank app, it showed my card was attached not only to my phone but to some other persons random phone! My bank did not automatically add my new credit card onto my apple pay this time. I am not sure if I will ever add it again except I use that to pay for my itunes and storage.

I went back through my emails and see my bank sent an email saying my phone was added to that apple pay account way back in February.

I'm just puzzled if it is my bank where they got the information, my email (which is the same for bank and apple) or apple pay. So frustrating!!

A credit card isn’t tied to just one Apple ID. They just need to verify the card through the bank and it goes onto other device. During the verification process the bank will send verification code to information on their records. If bank is hacked, fraudster substitutes their information for yours. This is called social engineering.

If your Apple ID is compromised. They put your information on their device and socially engineer you into giving them your 2FA code.

Apple Pay uses a DPAN (Device Primary Account Number) instead of the actual account number. Each DPAN is device specific. The bank knows which device was used to complete the transaction.

The PAN (actual card number) was acquired in several ways. The most common are when you swipe or insert the card in a compromised terminal to complete a transaction. Another way is by hacking into merchants, banks or basically anywhere that has payment information. The last is by locating merchants that have weak security and do a brute force attack on their systems. One of the easiest is a brute force BIN attack.

Not meaning to sound argumentative, but the advice was the solution, at least partial. Only do contactless transactions. Don’t use cards that have numbers printed on them. It’s unrealistic (in my opinion) to expect tech to protect us from ourselves. 

It’s easy to say I don’t want to use Apple Card everywhere, there’s better cash back and points with other cards. Why is that important? What’s more important, earning rewards or greater security/safety? These are personal choices.

The real issue is people learning to adopt to change, use passwords that are impossible to hack, stop doing paper transactions, paper statements and physical transactions that allow for the introduction of fraudulent characters. Not easy, and in a society that wants certain freedoms, it’s almost impossible to protect us from ourselves. 

>> >> When you add a card to Apple Pay using a third-party app such as a banking app, the app sends an account or card identifier to your device. This information is used by Apple and your card issuer to determine the eligibility of your card, set up your card with Apple Pay, and to prevent fraud. To help you set up cards that you have, or have recently had, on other devices, Apple stores a card reference with your iCloud account that can be used with the card issuer or payment network to re-add the card after entering the security code. Apple Pay does not store the original credit, debit, or prepaid card number. <<

Legal - Apple Pay & Privacy - Apple

I’m not going further than this in response. You can read the document I’ve linked to above. If after skimming/reviewing the article and you have questions, I’ll try to respond. 

The bottom line is that no-one here can say if Apple has the kind of triggers you assume. Since we’re just users like yourself and not Apple employees or official Apple support, we don't have any insider knowledge.

Hi, welcome to the Apple Support Community. I’m happy to assist/explain the 8 month old post you’re responding to.

Please re-read the original post (the one you’re responding to). Please let me copy and paste it for your convenience;

>>the only time my credit card has been used where it physically left my hand. The store with the fraudulent purchase was literally across the street from the restaurant.<<

The Original Poster clearly stated he gave the card to a merchant (first time the card ever left his possession) and a few moments later a fraudulent charge was made at a merchant across the street. However, because a support member at his bank said it was through Apple Pay, it had to be Apple Pay’s issue. Do you possibly see the support person was poorly trained, or the Original Poster misunderstood what was said, or the support person deliberately lied to avoid any responsibility and push the issue off on Apple? There’s a dozen other things that could be wrong in the assumptions being made by the OP.

So, moving forward to your issue. What would you like to have explained so that you fully understand how Apple Pay works and can feel confident in the security of the system?

The same thing happened to me: fraudulent charges on my credit card account made via Apple Pay. I have never used Apple Pay although I did have my credit card linked to it in case I ever needed it. It was my credit card company that suggested I do that. I had never given my Apple ID to anyone and my credit card had never left my hand. Through much research I think I figured out what happened: I have an iPhone and an iPad. While my phone was protected via facial recognition technology, I left my iPad unlocked and with the passcode off because it never leaves the house and I’m its only user. Apparently an unlocked device can be hacked. I had seen Norton warnings on my iPad but thought it was okay to use it unlocked at home. Hackers are bloody sophisticated! I have since changed my iPad passcode and turned it on and added a fingerprint. For good measure, I changed my Apple ID too. Needless to say, I informed my credit card company and cancelled my card. They were the ones who told me the charges were made via my Apple Pay, although I can’t find a record of them there. Hackers will make a “test” charge to find your Apple Pay limit. The first charge they attempted was over my Apple Pay limit (which I didn’t know I had!) and was declined so the subsequent charges were lower and went through. Eleven of them. Oh honestly — sometimes technology can be so easily used against us. Hope this helps somebody out there!

The answer is your credit card account information was compromised when you used the physical card for a transaction. The information on the magnetic stripe can be skimmed, the information on the chip can be shimmed. The information (account number, expiration date, name and address, CVV security code etc.) is sold on the Dark Web. Bad actors buy the information and attempt to add it to their Apple and Android devices. The bank approves and verifies adding the information and bad actors make fraudulent transactions on their Apple/Android device until the bank issuing the card figures it out and blocks the card.

Link was missing from copy & paste. Sorry.

Legal - Apple Pay & Privacy - Apple

Whenever I add a card to my Wallet app I am prompted to input the three digit CCV code. this means whoever did this had physical possession of your card. You seem to indicate you were at a restaurant across the street. Did you hand your card over a waiter for payment? If so there’s a real possibility that your card was comprised at that point. And using your card in an iPhone Wallet is no different than using the physical card to make a fraudulent purchase.

Bottom line, someone cannot add your credit card to their iPhone Wallet app unless they had all the information required. Adding a card is between the user and their bank/credit card company, not Apple. You could, for example, let your wife or other family member add your card to their Wallet apps. Apple has no way of knowing if the card belongs in the Wallet.

Of course you need to cancel your card and get a new one issued. You should call your credit card company and dispute the charge of course.

Excellent post by Ikrupp, but just adding additional information, if your use your physical card and swipe it, your card information may be compromised by a practice called >skimming< and if you use the chip in the card, it’s subject to >shimming< and again, all the data may be compromised and used for fraudulent activity.

The safest method to prevent this is using Apple Pay and Tap-to-Pay where it’s available. I understand that restaurants don’t always support either of those payment methods, and as an alternative use a credit card like Apple Card MasterCard which does not have your card number, expiration date or CVV/CVC printed on the the card.