You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Someone added my credit card to their iPhone wallet, how do I prevent that?

Fraud detection alert informed me of a large purchase made a few hours after going through a drive thru, the only time my credit card has been used where it physically left my hand. The store with the fraudulent purchase was literally across the street from the restaurant. Credit card fraud staff were able to see it was used via Apple/iPhone wallet. This means someone scanned my card and added to their wallet in seconds. What can I do to prevent this from happening? I had not added the card to my Apple wallet, if I had would that have thrown a flag to Apple when added to a different iCloud/Apple account? What does Apple do to verify a card belongs with the wallet added?

Posted on May 25, 2023 12:26 PM

Reply
Question marked as Top-ranking reply

Posted on Jan 11, 2024 1:22 PM

This exact thing happened to me today, hence why I’m on this forum trying to figure out how this happened. I got a call from AMEX asking about “a purchase I just tried to make at a duty free store using my Apple Wallet in Dublin Ireland.” So my question is exactly the same as yours “how was someone able to put my card in their Apple Wallet?” I am in possession of my card. How did they get all of my information. I don’t even know how to now keep myself safe because I don’t know how they got the information. AMEX suggested “maybe my Apple Wallet was hacked or maybe my iPhone was hacked” is that even possible??? It was strange when I checked my Apple Wallet to see if any purchases were made I noticed that my AMEX card had a little sentence under the card that said “this card cannot be used” how and when did that happen? Who do I contact to see when my AMEX card was disabled (not removed, just disabled) from my Apple Wallet? What’s strange is when I installed my credit cards I had to contact the bank, but yet some random just was able to load my card without having to contact my bank?🤦🏻‍♀️

62 replies
Question marked as Top-ranking reply

Jan 11, 2024 1:22 PM in response to McCallSL

This exact thing happened to me today, hence why I’m on this forum trying to figure out how this happened. I got a call from AMEX asking about “a purchase I just tried to make at a duty free store using my Apple Wallet in Dublin Ireland.” So my question is exactly the same as yours “how was someone able to put my card in their Apple Wallet?” I am in possession of my card. How did they get all of my information. I don’t even know how to now keep myself safe because I don’t know how they got the information. AMEX suggested “maybe my Apple Wallet was hacked or maybe my iPhone was hacked” is that even possible??? It was strange when I checked my Apple Wallet to see if any purchases were made I noticed that my AMEX card had a little sentence under the card that said “this card cannot be used” how and when did that happen? Who do I contact to see when my AMEX card was disabled (not removed, just disabled) from my Apple Wallet? What’s strange is when I installed my credit cards I had to contact the bank, but yet some random just was able to load my card without having to contact my bank?🤦🏻‍♀️

May 26, 2023 11:52 AM in response to Jeff Donald

I appreciate both responses, but neither address my actual question. I'm trying to learn if having my card already in my Apple Wallet would have triggered an alert somewhere between Apple and card issuer when it was added to someone else's Apple Wallet.


Backstory: I was informed of a fraudulent purchase by the card issuer, which I confirmed was not me, and spoke immediately with their fraud detection department. Having my card in my possession, this was a bit of a surprise. They looked and could see (somehow) the charge was conducted in person in store via Apple Wallet. This was another surprise - how did someone add my card to their Apple Wallet? Hence my question - if I had already put the card in my own Apple Wallet, would its add to a different device have set off more bells? I received no notification when the card was added, not by Apple and not by my card issuer. I have all cards in my possession. The fraud agent said a "scan" can occur "in seconds" adding to the Apple Wallet. Yet when I do it, I have to confirm and confirm again. Somewhere there's a hole in the system and I'm trying to figure out how to make sure it does not happen again.


I don't understand what the card issuer verifies with Apple when the card is added to the wallet - of all the data both corporations have at that moment, why isn't a simple name check conducted? I can't even sign into this community without Apple requiring a verification code sent to a device and entered on screen, why the heck isn't there a two-step authorization required when adding a card to your Apple Wallet, especially if they all know some sort of scan can happen 'in seconds' that can add your card to anyone's Apple Wallet without setting off the alarms?


And for the record, perhaps I'm on the right track about adding it to your own Apple Wallet first - when I got my new card's numbers I added it (manually, of course, the physical cards are still en route) to my Apple Wallet. I next added the card to my spouse's iPhone, and good god, I'm surprised you didn't see it on the news - my home phone rang, I had a text and an urgent email, all from my credit card issuer wanting to confirm the add was legit. Want to know how to stump a Fraud agent? Ask them why they didn't do that when someone not named me added it to their device the day before...


Thanks for the good but (in my case) unnecessary advice.


I'd still love someone who might know something under the covers to give us their take on how this happens and if having the card already in your Wallet helps to trigger alarms when someone not you adds to their wallet. I think everyone who, like me, has hesitated to add their cards to their wallets would appreciate knowing if it actually adds security.

Apr 19, 2024 5:07 PM in response to McCallSL

The same thing happened to me: fraudulent charges on my credit card account made via Apple Pay. I have never used Apple Pay although I did have my credit card linked to it in case I ever needed it. It was my credit card company that suggested I do that. I had never given my Apple ID to anyone and my credit card had never left my hand. Through much research I think I figured out what happened: I have an iPhone and an iPad. While my phone was protected via facial recognition technology, I left my iPad unlocked and with the passcode off because it never leaves the house and I’m its only user. Apparently an unlocked device can be hacked. I had seen Norton warnings on my iPad but thought it was okay to use it unlocked at home. Hackers are bloody sophisticated! I have since changed my iPad passcode and turned it on and added a fingerprint. For good measure, I changed my Apple ID too. Needless to say, I informed my credit card company and cancelled my card. They were the ones who told me the charges were made via my Apple Pay, although I can’t find a record of them there. Hackers will make a “test” charge to find your Apple Pay limit. The first charge they attempted was over my Apple Pay limit (which I didn’t know I had!) and was declined so the subsequent charges were lower and went through. Eleven of them. Oh honestly — sometimes technology can be so easily used against us. Hope this helps somebody out there!

May 26, 2023 12:11 PM in response to Chattanoogan

It is something identified in their transaction details, they can see it went via Apple Pay and given it was a physical purchase the Wallet is implied. FWIW, that card was never added to my Apple Wallet. Hence my question - if it had been, would the fraudulent add have triggered an alarm. Said another way, did nothing trigger because it was not present in any other Apple Wallet?

Jan 11, 2024 3:18 PM in response to 8ethroa

Hi, welcome to the Apple Support Community. I’m happy to assist/explain the 8 month old post you’re responding to.


Please re-read the original post (the one you’re responding to). Please let me copy and paste it for your convenience;


>>the only time my credit card has been used where it physically left my hand. The store with the fraudulent purchase was literally across the street from the restaurant.<<


The Original Poster clearly stated he gave the card to a merchant (first time the card ever left his possession) and a few moments later a fraudulent charge was made at a merchant across the street. However, because a support member at his bank said it was through Apple Pay, it had to be Apple Pay’s issue. Do you possibly see the support person was poorly trained, or the Original Poster misunderstood what was said, or the support person deliberately lied to avoid any responsibility and push the issue off on Apple? There’s a dozen other things that could be wrong in the assumptions being made by the OP.


So, moving forward to your issue. What would you like to have explained so that you fully understand how Apple Pay works and can feel confident in the security of the system?

Apr 22, 2024 7:30 PM in response to Disbad

My situation...

April 10th, noticed charges on my credit card pending that I didn't make. Closed card with bank and they replaced it with a new card. Automatically placing that card into my apple wallet.

Today, I noticed 5 much larger charges were pending on my account. (same account, different card)

Went to bank again. I also noticed when I shut card off on my bank app, it showed my card was attached not only to my phone but to some other persons random phone! My bank did not automatically add my new credit card onto my apple pay this time. I am not sure if I will ever add it again except I use that to pay for my itunes and storage.

I went back through my emails and see my bank sent an email saying my phone was added to that apple pay account way back in February.

I'm just puzzled if it is my bank where they got the information, my email (which is the same for bank and apple) or apple pay. So frustrating!!

May 23, 2024 4:03 AM in response to HuzzahWell

Adding a card to Apple Pay does require additional verification steps. If a card is added manually, the bank that issued the cards takes additional steps to verify the card.


When cards are added to Apple Wallet on a device it’s issued a DPAN (Device Primary Account Number). DPAN’s are unique to each device it’s added to. When a card is reported stolen, the card is blocked and new DPAN’s are issued. Many banks <push> the updated DPAN to the remaining cards on device. When the bank updated the DPAN, it’s possible they updated the fraudsters DPAN on the Apple device it was installed on.


Another possibility is the charges on the iTunes Store are a result of a subscription. Subscriptions are automatically updated to the new card number by the PNO (Payment Network Operator — Visa, MasterCard etc.). This is a service many merchants and banks participate in. MasterCards is called Automatic Service Updater. You can learn more about it here,


https://www.mastercard.us/en-us/business/overview/grow-your-business/improve-checkout/bill-payment-services.html



Apr 23, 2024 5:13 AM in response to happyhappyjoyjoyjoy

A credit card isn’t tied to just one Apple ID. They just need to verify the card through the bank and it goes onto other device. During the verification process the bank will send verification code to information on their records. If bank is hacked, fraudster substitutes their information for yours. This is called social engineering.


If your Apple ID is compromised. They put your information on their device and socially engineer you into giving them your 2FA code.


Apple Pay uses a DPAN (Device Primary Account Number) instead of the actual account number. Each DPAN is device specific. The bank knows which device was used to complete the transaction.


The PAN (actual card number) was acquired in several ways. The most common are when you swipe or insert the card in a compromised terminal to complete a transaction. Another way is by hacking into merchants, banks or basically anywhere that has payment information. The last is by locating merchants that have weak security and do a brute force attack on their systems. One of the easiest is a brute force BIN attack.

Jul 13, 2024 4:59 PM in response to Houmalagirl

Even if they did get into the Secure Element and Secure Enclave on your iPhone, they’d get encrypted data. Encryption that your bank used. The key to decrypt the data isn’t in your iPhone/devices, it’s on your bank’s servers, not Apples.


If you want to go with that story that’s great. But the Secret Service doesn’t believe it, the FBI doesn’t believe it, the Office of the Comptroller doesn’t believe it, the Federal Reserve Bank doesn’t believe it, Federal Trade Commission doesn’t believe it, Consumer Financial Protection Bureau doesn’t believe it and people in your bank’s fraud department don’t believe it.


You talked to a tier one support person at American Express, right? But you believe what they told you. Is that right? Because they couldn’t explain it, they said call Apple.


American Express support misinformed you. Apple has no way of know if you're the account owner or the fraudster. Apple will discuss the fraud with the proper legal authorities and your bank. American Express knew that, but they wanted to just get you off the support call.


Apple only has encrypted data, they could not determine the wallet/device used if they wanted to.


American Express can see all the devices the card has been added to. It’s their card, they verified adding it to your iPhone. The bank can remove the cards/tokens from all devices if they want to. Ask their fraud department why they haven’t or won’t do it. Ask their fraud department why they authorized fraudulent charges? Apple didn’t authorize the charges. The encrypted transaction details are sent to American Express and they decrypt it and authorize or decline the transactions. Ask why they authorized fraudulent charges.


This post may come across as if I’m angry or upset. It’s just my writing style. If my post upset you, I’m sorry. That was never my intent. I’m just trying to lead you to a resolution. I'm happy to answer any questions and help anyway I can. 😀





May 26, 2023 12:55 PM in response to McCallSL

Not meaning to sound argumentative, but the advice was the solution, at least partial. Only do contactless transactions. Don’t use cards that have numbers printed on them. It’s unrealistic (in my opinion) to expect tech to protect us from ourselves. 


It’s easy to say I don’t want to use Apple Card everywhere, there’s better cash back and points with other cards. Why is that important? What’s more important, earning rewards or greater security/safety? These are personal choices.


The real issue is people learning to adopt to change, use passwords that are impossible to hack, stop doing paper transactions, paper statements and physical transactions that allow for the introduction of fraudulent characters. Not easy, and in a society that wants certain freedoms, it’s almost impossible to protect us from ourselves. 


>> >> When you add a card to Apple Pay using a third-party app such as a banking app, the app sends an account or card identifier to your device. This information is used by Apple and your card issuer to determine the eligibility of your card, set up your card with Apple Pay, and to prevent fraud. To help you set up cards that you have, or have recently had, on other devices, Apple stores a card reference with your iCloud account that can be used with the card issuer or payment network to re-add the card after entering the security code. Apple Pay does not store the original credit, debit, or prepaid card number. <<


Legal - Apple Pay & Privacy - Apple


I’m not going further than this in response. You can read the document I’ve linked to above. If after skimming/reviewing the article and you have questions, I’ll try to respond. 

Apr 20, 2024 10:32 AM in response to Disbad

The answer is your credit card account information was compromised when you used the physical card for a transaction. The information on the magnetic stripe can be skimmed, the information on the chip can be shimmed. The information (account number, expiration date, name and address, CVV security code etc.) is sold on the Dark Web. Bad actors buy the information and attempt to add it to their Apple and Android devices. The bank approves and verifies adding the information and bad actors make fraudulent transactions on their Apple/Android device until the bank issuing the card figures it out and blocks the card.

May 23, 2024 6:37 AM in response to Chattanoogan

The real solution is around the corner. Visa announced Tuesday changes to their cards starting in 2026. Basically, they become like Apple Card Mastercard. There will be no numbers printed on the card, front or back and eventually no magnetic stripe or chip. They will rely on services like Apple Pay and Tap-To-Pay. But it’ll give the option to choose whether to use debit or credit card or set preferences, like transactions under a set amount will be debit charges etc. You’ll even be able to switch after the transaction is completed.


Mastercard has already announced that starting in 2026, no more magnetic stripes.



Someone added my credit card to their iPhone wallet, how do I prevent that?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.