Someone added my credit card to their iPhone wallet, how do I prevent that?

The bottom line is that no-one here can say if Apple has the kind of triggers you assume. Since we’re just users like yourself and not Apple employees or official Apple support, we don't have any insider knowledge.

I have two cards in my apple wallet in addition to the Apple credit card. I also physically carry them with me. We received notification on the same day by both card companies (Citi and Chase) they were flagged for suspicious purchases. Both cards had uber eats and a Lyft charge. Both charges were from south of Los Angeles and we live in Tennessee. Neither card had been used physically in the week before the charges. I had used one of the cards for an online purchase using the apple wallet the day before the fraudulent charges were attempted. Really curious. Cancelled both cards and changed passwords. Apple support said there is no way to add a stolen card to someone's wallet without my knowledge and that certainly makes sense...

Thank you for the reply…the odd thing is this happened to two different cards…implying both cards were used and then skimmed at the same…I reviewed all my statements and found I’ve never used these 2 cards at the same time or place…and both fraudulent charges were for the same thing (Uber Eats and Lyft)…and both credit card companies stated it was Apple Pay…I agree with Apple this makes no sense / is not possible, but the whole situation is baffling.

The problem is even worse than I thought. I accidentally left my credit card in a store. The same day I reported it to my credit card as lost/stolen.

This morning the REPLACEMENT CARD we haven’t even received was used in Apple Pay. Which means they added the original card to their own iTunes account yesterday and it retained the account info in iTunes even though the card had been cancelled.

Cancelling a card should automatically remove it from Apple Pay. Or Apple Pay does a check for validity with the credit card company each time a payment is attempted. Who knows, maybe they do this on a daily basis or something already.

Adding a card in Apple Pay should require two factor authentication through the credit card company to the cardholder, not just verification that the card is valid.

Re: “… Cancelling a card should automatically remove it from Apple Pay. Or Apple Pay does a check for validity with the credit card company each time a payment is attempted …”

ApplePay - more accurately the world-wide payments infrastructure - IS checking for validity … with EVERY charge processed.

It all comes down to the fundamental security and validity of an issuer’s “Verification” processes.

As far as cancelling a compromised physical ALSO cancelling in-wallet cards …

At least with the “major” issuers - cancelling a compromised card generally results in an automatic update of your ApplePay wallet.

From a service perspective, this is quite useful as it allows you to resume using your card BEFORE the physical replacement arrives.

Unfortunately, it assumes that a card - once installed in an Apple Wallet - is valid and under the control of the card owner or an authorized user.

We’re seeing that this is possibly not necessary true; apparently fraudsters have found ways to successfully negotiate some issuer’s verification processes.

Once issuers start feeling the pain from “eating” the costs of more fraudulent charges, I’d suspect that increasingly sophisticated “validation” - less phishable - methods might be implemented.

Of couse, w/ CCard interest rates - and issuer profits - being what they are … issuers can “eat” a lot of fraudulent use before it becomes sufficiently painful to decisively act. 🤔

Apple would have more than likely stopped the card from being added. Fraudsters get around this by using the mobile app or website for the bank that issued the card. By going through the app, the bank allows Two Factor Authentication (2FA) to be bypassed. The mobile apps allow fraudsters to just answer one or two security questions and no 2FA that requires your approval. Banks referring to this lowering customer friction, mean frustration and anger when they have issues adding it themselves to Apple Wallet app.

The bank that issues the card has to approve adding the card to Apple Wallet. Apple doesn’t approve or deny adding the card except in a few cases, such as wrong card information, newly created Apple ID and few other cases. Apple provides information about the device, and the persons Apple ID Account, etc. Fraudsters bypass Apple Pay security by downloading and using the banks mobile app or website.

Yuubancin wrote:

Someone added my debit card to his iOS device without my permission

That usually means the card has been compromised, if this payment is not associated with any of your Apple IDs.

You will get nowhere with a fraud report made here too, and nowhere with reports made directly to Apple.

You will get somewhere with your financial provider, which is the path you will want to follow here.

You will want to make that report to your provider soonest too, lest you be held responsible for the charges.

Card fraud happens, and while this might be your first experience with this, it probably won’t be your last.

That’s going to depend on the bank. Some send notifications and some may not. The banks I deal with have always emailed me at the email address they have on file. In order for Apple to insure the privacy, the information they receive and retain is anonymous and Apple cannot tie it to a specific account or user. Your bank however, approves and verifies account information and identity and then sends the token to Apple servers, who then sends it to your device.

Link was missing from copy & paste. Sorry.

Legal - Apple Pay & Privacy - Apple

Re: “… This means someone scanned my card and added to their wallet …

Unfortunately, legacy cards can still be compromised via tried-and true “old-fashioned” methods.

Anytime you give-up physical control of a legacy card “out in the wild”, it’s an opportunity for compromise.

As far as to how they were placed in the fraudster’s wallet; that means that they HAD to negotiate your card issuer’s verification safeguards.

Leaving a few possibilities. Some examples:

• The methods your issuer used to verify you were compromised. (e.g. your email, phone numbers, or other methods)

• The issuer used insufficiently confidential means to verify you. (e.g. the means were based on too-general info reasonably known to — or obtainable by — others)

• The issuer’s verification system was not working (e.g. “in maintenance / test mode”) and passed-thru the wallet installation w/o applying the appropriate safeguards)

• It was an “inside” job.

Regardless, I’d encourage you to query your issuer to determine exactly WHAT verification methods were used for the fraudulent wallet installation.

I doubt if your issuer’s fraud department will reveal this info w/o some “prying” on your part. They might well refuse to reveal it altogether.

However, your issuer was apparently “convinced” that the fraudster WAS you. It seems a reasonable request for you - as the bank’s customer - to understand HOW this fraud was committed.

I’ll keep looking for answers elsewhere then. None to be found here. Thanks.

Those are indeed huge improvements.

Especially removal of the mag strip!

I always tell folks that best way to protect a legacy card on ApplePay is to NEVER pull the physical card out of your wallet.

Two Factor Authentication is required or you can’t even setup Apple Wallet for credit and debit cards. Your ChatGPT artificial intelligence source is wrong.

Turn off Face ID & Passcode for your iPhone or logout of your Apple ID and all cards will be removed, then turn off 2FA. Once off, you can’t even add cards until it’s enabled.