Level 1

6 points

Someone added my credit card to their iPhone wallet, how do I prevent that?

Fraud detection alert informed me of a large purchase made a few hours after going through a drive thru, the only time my credit card has been used where it physically left my hand. The store with the fraudulent purchase was literally across the street from the restaurant. Credit card fraud staff were able to see it was used via Apple/iPhone wallet. This means someone scanned my card and added to their wallet in seconds. What can I do to prevent this from happening? I had not added the card to my Apple wallet, if I had would that have thrown a flag to Apple when added to a different iCloud/Apple account? What does Apple do to verify a card belongs with the wallet added?

Posted on May 25, 2023 12:26 PM

Best reply

McCallSL Author

Level 1

6 points

Posted on May 26, 2023 11:52 AM

I appreciate both responses, but neither address my actual question. I'm trying to learn if having my card already in my Apple Wallet would have triggered an alert somewhere between Apple and card issuer when it was added to someone else's Apple Wallet.

Backstory: I was informed of a fraudulent purchase by the card issuer, which I confirmed was not me, and spoke immediately with their fraud detection department. Having my card in my possession, this was a bit of a surprise. They looked and could see (somehow) the charge was conducted in person in store via Apple Wallet. This was another surprise - how did someone add my card to their Apple Wallet? Hence my question - if I had already put the card in my own Apple Wallet, would its add to a different device have set off more bells? I received no notification when the card was added, not by Apple and not by my card issuer. I have all cards in my possession. The fraud agent said a "scan" can occur "in seconds" adding to the Apple Wallet. Yet when I do it, I have to confirm and confirm again. Somewhere there's a hole in the system and I'm trying to figure out how to make sure it does not happen again.

I don't understand what the card issuer verifies with Apple when the card is added to the wallet - of all the data both corporations have at that moment, why isn't a simple name check conducted? I can't even sign into this community without Apple requiring a verification code sent to a device and entered on screen, why the heck isn't there a two-step authorization required when adding a card to your Apple Wallet, especially if they all know some sort of scan can happen 'in seconds' that can add your card to anyone's Apple Wallet without setting off the alarms?

And for the record, perhaps I'm on the right track about adding it to your own Apple Wallet first - when I got my new card's numbers I added it (manually, of course, the physical cards are still en route) to my Apple Wallet. I next added the card to my spouse's iPhone, and good god, I'm surprised you didn't see it on the news - my home phone rang, I had a text and an urgent email, all from my credit card issuer wanting to confirm the add was legit. Want to know how to stump a Fraud agent? Ask them why they didn't do that when someone not named me added it to their device the day before...

Thanks for the good but (in my case) unnecessary advice.

I'd still love someone who might know something under the covers to give us their take on how this happens and if having the card already in your Wallet helps to trigger alarms when someone not you adds to their wallet. I think everyone who, like me, has hesitated to add their cards to their wallets would appreciate knowing if it actually adds security.

View in context

Similar questions

27 replies

May 26, 2023 12:19 PM in response to McCallSL

This is an interesting thread.

I too find it difficult to believe that your card could be added to another wallet given the built-in cross-checks involved in that process.

My own “suspicion” is that the fraudulent transaction across the street was actually a CNP (card not present) transaction - where the digits are manually typed-in - or else a cloned mag-strip “swipe” transaction.

And that that the “human” in the fraud department simply saw that you were enrolled in Apple Pay and imprecisely mis-spoke. (or else his display software simply couldn’t provide the granularity to accurately distinguish between transaction types)

I’d call them back and re-confirm how they distinguish between CNP, EMV (Chip), Tap-to-Pay (card based), Mag-Strip “Swipe” and ApplePay transactions.

Of these options, CNP and “Swipe” are the most vulnerable to fraud.

May 26, 2023 1:33 PM in response to Jeff Donald

Adding to Jeff’s excellent reply and getting back to your initial question:

”Someone added my credit card to their iPhone wallet, how do I prevent that?”

It might appear that the most effective way is by adding it to YOUR wallet.

That combined with NEVER allowing a physical card - with all of your account details fully exposed AND containing an easily copied mag-strip - out of your sight.

rjgray60

Level 1

4 points

Jan 25, 2024 3:01 PM in response to McCallSL

I have two cards in my apple wallet in addition to the Apple credit card. I also physically carry them with me. We received notification on the same day by both card companies (Citi and Chase) they were flagged for suspicious purchases. Both cards had uber eats and a Lyft charge. Both charges were from south of Los Angeles and we live in Tennessee. Neither card had been used physically in the week before the charges. I had used one of the cards for an online purchase using the apple wallet the day before the fraudulent charges were attempted. Really curious. Cancelled both cards and changed passwords. Apple support said there is no way to add a stolen card to someone's wallet without my knowledge and that certainly makes sense...

Jeff Donald

Level 6

13,863 points

Jan 25, 2024 3:31 PM in response to rjgray60

When you use a credit card physically, the information can be skimmed off the magnetic strip or shimmed from the chip. These are the two most common methods of compromising your data.

Apple Pay uses only encrypted data. Only your bank has the key to decrypt the numbers/data associated with the transactions. The merchant and your iPhone have only encrypted data and no key.

Happy to answer more questions if you’d like.

rjgray60

Level 1

4 points

Jan 25, 2024 6:38 PM in response to Jeff Donald

Thank you for the reply…the odd thing is this happened to two different cards…implying both cards were used and then skimmed at the same…I reviewed all my statements and found I’ve never used these 2 cards at the same time or place…and both fraudulent charges were for the same thing (Uber Eats and Lyft)…and both credit card companies stated it was Apple Pay…I agree with Apple this makes no sense / is not possible, but the whole situation is baffling.

Jeff Donald

Level 6

13,863 points

Jan 26, 2024 4:01 AM in response to rjgray60

One of the safe guards of Apple Pay is the requirement of using Two Factor Authentication (2FA). This is the multi-digit code Apple sends to confirm it is you. If the owner/user is tricked into revealing a 2FA code several fraudulent activities could happen, including your Apple ID being compromised. If your Apple ID were compromised, cards can be added to your account and used for Apple Pay transactions. That requires a lot of coincidences.

Jan 26, 2024 6:45 AM in response to rjgray60

rjgray60 wrote:

Thank you for the reply…the odd thing is this happened to two different cards…implying both cards were used and then skimmed at the same…I reviewed all my statements and found I’ve never used these 2 cards at the same time or place…and both fraudulent charges were for the same thing (Uber Eats and Lyft)…and both credit card companies stated it was Apple Pay…I agree with Apple this makes no sense / is not possible, but the whole situation is baffling.

Uber Eats and Lyft could have had their systems compromised. If it was a small intrusion, it may not yet have been noticed or, if it has, not yet announced to the public.

Jan 29, 2024 8:50 PM in response to Chattanoogan

The questions originally asked in this post by McCallSL in May 2023 are very relevant:

“How did someone add my card to their Apple Wallet?”

"If I had already put the card in my own Apple Wallet, would its add to a different device have set off more bells?"

Despite all the answers provided, the questions remain and I share my experience here in the hope of rekindling the debate so that someone informed can shed more light on the subject. Here are the facts:

For each transaction made with my credit card, the card issuer sends me a text message informing me of the transaction amount and the merchant where the purchase was made. However, the day before yesterday, a similar text message informed me of a transaction that is unknown to me. I therefore concluded that it was fraud and contacted the appropriate services at Visa.

I was then informed that the transaction had been carried out by Apple Pay. As a security measure, my card was immediately blocked.

Subsequently I noticed that a few hours earlier, I had received an email from Visa, informing me that my card had been added to my Apple wallet! However, my card having already been added to this wallet for a long time, this email which I had unfortunately not seen before should have alarmed me, which tends to confirm that the fact of adding a card to your mobile wallet actually allows you to be notified before the fraud, which unfortunately I did not notice quickly enough in my case.

But it remains very unclear to me the fact that my card could have been added again to MY wallet by a FRAUDSTER! How is it possible ? Suppose that this fraudster has all the information on my card: number, expiration date and CVC, it still remains that there must be a verification code to be received from the card issuer to confirm its addition in the wallet, or some other double check, right?

I don't remember exactly the procedure Visa used when adding, just the fact that it was simpler with Visa than with my other cards.

The question therefore remains: how can a fraudster add MY card to MY wallet and use it? There, I'm lost...