Someone added my credit card to their iPhone wallet, how do I prevent that?

Whenever I add a card to my Wallet app I am prompted to input the three digit CCV code. this means whoever did this had physical possession of your card. You seem to indicate you were at a restaurant across the street. Did you hand your card over a waiter for payment? If so there’s a real possibility that your card was comprised at that point. And using your card in an iPhone Wallet is no different than using the physical card to make a fraudulent purchase.

Bottom line, someone cannot add your credit card to their iPhone Wallet app unless they had all the information required. Adding a card is between the user and their bank/credit card company, not Apple. You could, for example, let your wife or other family member add your card to their Wallet apps. Apple has no way of knowing if the card belongs in the Wallet.

Of course you need to cancel your card and get a new one issued. You should call your credit card company and dispute the charge of course.

Excellent post by Ikrupp, but just adding additional information, if your use your physical card and swipe it, your card information may be compromised by a practice called >skimming< and if you use the chip in the card, it’s subject to >shimming< and again, all the data may be compromised and used for fraudulent activity.

The safest method to prevent this is using Apple Pay and Tap-to-Pay where it’s available. I understand that restaurants don’t always support either of those payment methods, and as an alternative use a credit card like Apple Card MasterCard which does not have your card number, expiration date or CVV/CVC printed on the the card.

This is an interesting thread.

I too find it difficult to believe that your card could be added to another wallet given the built-in cross-checks involved in that process.

My own “suspicion” is that the fraudulent transaction across the street was actually a CNP (card not present) transaction - where the digits are manually typed-in - or else a cloned mag-strip “swipe” transaction.

And that that the “human” in the fraud department simply saw that you were enrolled in Apple Pay and imprecisely mis-spoke. (or else his display software simply couldn’t provide the granularity to accurately distinguish between transaction types)

I’d call them back and re-confirm how they distinguish between CNP, EMV (Chip), Tap-to-Pay (card based), Mag-Strip “Swipe” and ApplePay transactions.

Of these options, CNP and “Swipe” are the most vulnerable to fraud.

Adding to Jeff’s excellent reply and getting back to your initial question:

”Someone added my credit card to their iPhone wallet, how do I prevent that?”

It might appear that the most effective way is by adding it to YOUR wallet.

That combined with NEVER allowing a physical card - with all of your account details fully exposed AND containing an easily copied mag-strip - out of your sight.

When you use a credit card physically, the information can be skimmed off the magnetic strip or shimmed from the chip. These are the two most common methods of compromising your data.

Apple Pay uses only encrypted data. Only your bank has the key to decrypt the numbers/data associated with the transactions. The merchant and your iPhone have only encrypted data and no key.

Happy to answer more questions if you’d like.

One of the safe guards of Apple Pay is the requirement of using Two Factor Authentication (2FA). This is the multi-digit code Apple sends to confirm it is you. If the owner/user is tricked into revealing a 2FA code several fraudulent activities could happen, including your Apple ID being compromised. If your Apple ID were compromised, cards can be added to your account and used for Apple Pay transactions. That requires a lot of coincidences.

rjgray60 wrote:

Thank you for the reply…the odd thing is this happened to two different cards…implying both cards were used and then skimmed at the same…I reviewed all my statements and found I’ve never used these 2 cards at the same time or place…and both fraudulent charges were for the same thing (Uber Eats and Lyft)…and both credit card companies stated it was Apple Pay…I agree with Apple this makes no sense / is not possible, but the whole situation is baffling.

Uber Eats and Lyft could have had their systems compromised. If it was a small intrusion, it may not yet have been noticed or, if it has, not yet announced to the public.

The questions originally asked in this post by McCallSL in May 2023 are very relevant:

“How did someone add my card to their Apple Wallet?”

"If I had already put the card in my own Apple Wallet, would its add to a different device have set off more bells?"

Despite all the answers provided, the questions remain and I share my experience here in the hope of rekindling the debate so that someone informed can shed more light on the subject. Here are the facts:

For each transaction made with my credit card, the card issuer sends me a text message informing me of the transaction amount and the merchant where the purchase was made. However, the day before yesterday, a similar text message informed me of a transaction that is unknown to me. I therefore concluded that it was fraud and contacted the appropriate services at Visa.

I was then informed that the transaction had been carried out by Apple Pay. As a security measure, my card was immediately blocked.

Subsequently I noticed that a few hours earlier, I had received an email from Visa, informing me that my card had been added to my Apple wallet! However, my card having already been added to this wallet for a long time, this email which I had unfortunately not seen before should have alarmed me, which tends to confirm that the fact of adding a card to your mobile wallet actually allows you to be notified before the fraud, which unfortunately I did not notice quickly enough in my case.

But it remains very unclear to me the fact that my card could have been added again to MY wallet by a FRAUDSTER! How is it possible ? Suppose that this fraudster has all the information on my card: number, expiration date and CVC, it still remains that there must be a verification code to be received from the card issuer to confirm its addition in the wallet, or some other double check, right?

I don't remember exactly the procedure Visa used when adding, just the fact that it was simpler with Visa than with my other cards.

The question therefore remains: how can a fraudster add MY card to MY wallet and use it? There, I'm lost...

I am not able to add any helpful information, but I experienced everything exactly as you did, but I have always had a passcode and fingerprint lock on my iPad. So it did not protect me at all from exactly what you experienced. I’m hoping to find more answers. I now have set text notification alerts that inform me of everything happening on every single mode of payment: Amazon, Apple Pay, 2 credit cards, bank, debit card, PayPal. But someone used my credit card number via Apple Pay on their phone to charge over $7,000 before I found out. They had quite the fun spree.

I would guess that somehow the encrypted info was hacked online. With my own recent fraud issues, I believe my card was skimmed and then added to the thief’s Apple Pay. But if you had 2 cards compromised in that way, I believe your card info was stolen online somehow. As consumers, we are assured this cannot happen, but I don’t see any other way it could be happening.

Teens took pictures of four of my credit cards at the gym. ( broke into my locker) put them in Their apple pay. Took cabs, bought 1000 dollars worth of stuff apple tealky needs to protect this better. Only name of apple account should tske their name only cards.

This just happened to me at the gym. 5 cards, scanned used 3000 worth of charges on four different cards through the crooks apple wallet. Shouldn't allow other peoples cards to be entered in their wallets. And if they do they should be able to arrest these pukes! It should be very easy. And apple needs to stop this from happening.

Banks certainly investigate and aid law enforcement in their efforts to apprehend those involved.

Banks want to make it as easy as possible for their cardholders to add their credit and debit cards to electronic wallets. Unfortunately, in the rush to lower customer friction, they bypass security features that Apple has in place by directly using bank websites and mobile apps. Very few banks require 2FA to login to accounts using their website or mobile app. For example on American Express allows me to add 2FA to the their mobile app on my iPhone. Most don’t show you the devices and electronic wallets that your card has been entered into.

One of the mods must have wiped it out. It was a really long post and all bullet points. His solution was 2FA. He said Apple needed to require it and I pointed out Apple did require it to setup Wallet App and Apple Pay.

Jeff Donald wrote:

One of the mods must have wiped it out. It was a really long post and all bullet points. His solution was 2FA. He said Apple needed to require it and I pointed out Apple did require it to setup Wallet App and Apple Pay.

Just me being sarcastic.... ;-)