Can Apple Pay get hacked?

I have payments on one of my bank accounts that have been done by Apple Pay but I don't recognise them


[Re-Titled by Moderator]

iPhone 14 Pro Max

Posted on Jul 13, 2023 1:01 AM

Question marked as Top-ranking reply

Posted on Aug 23, 2023 1:10 PM

Contact the bank that issued the credit or debit card used for the fraudulent transaction. Apple Pay does not approve or decline charges. Apple Pay only securely transmits the data associated with your card. Your credit card issuer approved the charge and you need to dispute the charge. Please use the phone number on the back of the card and talk to their fraud support team.

99 replies

Jul 13, 2023 1:48 AM in response to Littyma

Apple Pay has never been hacked by accounts being sold as Littyma suggests. The use of one time use tokens instead of actual card data and the verification process that Apple and your banks use makes hacking nearly impossible.


If you lost your iPhone and the thief had your passcode, they could use your iPhone to make unauthorized purchases via Apple Pay, but that is hardly hacking.


If the iPhone owner was tricked into revealing their 2FA code to a thief that would work, but that’s not hacking either.


So, hacking is virtually out of the question. The actual card details can be stolen by hackers, but that wouldn’t involve Apple Pay. Neither Apple nor your phone stores the card data in unencrypted form. Apple Pay only has encrypted data which is useless to hackers. You and the bank have card details. The merchant also has the details if you don’t use Apple Pay.


Merchants/point of transaction, account owners and credit card companies/banks are who is being hacked. Not Apple Pay or similar services.

Mar 24, 2024 4:02 AM in response to kcala2414

Chase Bank misinformed you. Apple Pay does not get hacked. If you want to read through several of my posts above, you’ll learn about several ways the account holders use their cards and compromise the card’s account information. The most likely scenario was you were at a merchant and you swiped your card or inserted it into the transaction terminal and the data was stolen.


Apple Pay only stores encrypted data. Only Chase Bank has the key to decrypt the card information. So, even if Apple Pay were to be hacked, the hackers couldn’t use the data they stole.


You can contact Chase Bank 24/7 365 days a year by calling the phone number on the back of your credit card(s).


Apr 4, 2024 5:03 PM in response to Bborz

Apple Pay is a payment system that acts as an intermediary between your payment method (credit/debit card), merchant and your bank. Apple prevents the merchant and hackers from accessing your payment information and your personal information. It keeps you more secure, not less.


Apple Pay only has encrypted data. Hackers have no way of decrypting the data, they don’t have the key. You don’t have the key, your iPhone doesn’t have the key, merchant doesn’t have the key, Apple doesn’t have the key. The only entity that has the key is your bank.


The most likely way the fraudulent actors gained access was through skimming, shimming, your Apple ID Account or scamming you out of your Two Factor Authentication (2FA) security code. Yes, account owners are the weakest link in the chain, you, me and everyone else that too easily discloses account information. It’s called social engineering.


Here’s a good explanation of how hackers use social engineering to trick people. The article is by IBM.


https://www.ibm.com/topics/social-engineering


Your bank information was obtained and probably sold on the Dark Web. It has probably been sold to 100’s, possibly 1000’s of fraudulent actors. Now that Chase is aware that your data is compromised, they’ll be able to stop future charges. But it’s now in your best interest for you to learn about how hackers work and take action to prevent it from happening in the future. Please read the information in my posts above and the links I’ve provided.

May 19, 2024 1:38 PM in response to thamir78

As seen in this scam, the name of the charge can be anything the scammer has chosen. Most common cause for the payment method to be compromised is by using the physical card on a device that has a skimmer installed. These are commonly found in gas stations as there is little activity overnight for them to be installed. When the scammer uses the card numbers captured it will appear in your Wallet as with any other charge, but does not mean it was done by Apple Pay or that Apple Pay was hacked. The bank is capable of investigating to determine the method of the charge (whether it was from the phone, swiped, or manually entered numbers), and also the verification used (Face ID, Touch ID, Passcode, Signature, or PIN), but will usually just refund the charges and issue you a new card as that needs done anyway and will prevent future charges.

https://toughnickel.com/scams-fraud/Apple-iTunes-866-712-7753-Scam


Nothing has been provided to show that Apple Pay has been hacked and a software update is not going to prevent SMS phishing scams. As long as a scammer has your phone number, they can send you an SMS message no matter what version of software you are using.

May 9, 2024 2:16 PM in response to Heidikate

I’m sure your card was already in Apple Pay, probably with a different card number. Either that, or you share an Apple ID with someone, either intentionally or unintentionally. If you don’t knowingly share an Apple ID with anyone, change your Apple ID password immediately → Change your Apple ID password - Apple Support, and in addition see this → If you think your Apple ID has been compromised - Apple Support

May 9, 2024 2:23 PM in response to Heidikate

Apple can’t add a card (debit or credit) to your Apple Wallet app for use with Apple Pay.


Your bank or payment network (Mastercard, Visa, American Express) can push a replacement card to your Wallet app.


It’s also possible that fraudsters have compromised your credit card account (bank that issued the card) and added the card.


Have you asked the bank who added the card?

Mar 4, 2024 9:02 AM in response to deanridgeracer

It’s possible that the card data was skimmed/shimmed and then added to an iPhone. Banks have to approve any card added to Apple Wallet for use with Apple Pay. An iPhone could have then been used for a contactless transaction at a merchant.


Apple only has encrypted data about the transaction and only the bank and possibly the payment network (Visa, MasterCard etc) have the key to decrypt the information. The issuing bank has to approve all transactions, so if the charge is fraudulent it falls on the bank to make you whole again.

May 19, 2024 2:16 PM in response to thamir78

The long and the short of it is when your card was added to your iPhone the information was encrypted and the plain information was deleted.


The information was encrypted in the Secure Element, it’s not linked to the main processor or memory. Essentially a self contained computer within a computer. It’s a standard in the banking industry. It’s never been hacked.


The key to decrypt your data rests solely with one entity, your bank. So, go with your idea that your information is compromised, how did the scammers decrypt the information?


I can go on to describe tokenization so that when the bank issues a token it’s good for only one use and all the numbers dynamically change for the next transaction.


Or, is it more likely your credit information on your chip or magnetic strip was skimmed or shimmed, sold on the dark web and dozens, maybe even hundreds of scammers purchased the information, made counterfeit cards, with chips and are using them fraudulently.


Fraudsters can use the numbers, add them to Apple Pay and make fraudulent charges. Apple doesn’t approve or decline adding cards to Apple Pay. Approving cards for Apple Pay is the responsibility of the issuing bank and the Payment Network Operator (Visa, MasterCard, American Express etc.).


If you’re absolutely sure you never swiped or inserted the chip and only used Apple Pay, then the more likely compromise was your bank. Banks and credit card companies have had data breaches multiple times.


Jun 18, 2024 4:58 AM in response to johnsy435

You don’t need to give authorization if the fraudsters use the bank’s mobile app or website to add the card to Apple Wallet.


Cards don’t need to be lost or stolen for the information to be compromised. Anytime you swipe the card or insert the chip, fraudsters can obtain the information using skimmers and shimmers.


A shimmer is almost impossible to detect and is inserted into the chip reader. Some shimmers even send your compromised information via WiFi to the fraudsters.


The credit card information can also be compromised when merchants you shop at are hacked. Even large banks and credit reporting agencies have been hacked exposing personal and financial information about millions of people.


Once the information is obtained it’s frequently sold on the Dark Web. From there it can be added to Apple and Android devices, duplicate cards can be made and sold etc.


I’m willing to explain more, provide links to videos from news organizations, US Secret Service and FBI explaining how the fraudsters obtain your information, sell it, and how it’s used.


Once the fraudsters have the information they frequently use the bank’s mobile app or website to add the card to their device (iPhone, Android). By using the bank app it bypasses much of the Apple security features that are required when the card is directly entered on the Apple Wallet app. The mobile app allows them to bypass the additional verification that Apple and your bank require when a card is directly entered into the Wallet app.

Jan 8, 2024 6:42 AM in response to kca33

Correct, human error is the limiting factor. There are numerous posts across these forums and social media platforms such as Facebook and Reddit, of people being tricked into giving out their Two Factor Authentication (2FA). However, human error is not hacking.


If you feel your Apple ID is compromised check the devices registered to your account and remove any you can’t identify as yours.


View and remove your devices that are associated with Apple ID purchases - Apple Support



May 19, 2024 1:21 PM in response to Ninnie6211

the latest 17.5 update looks like it plugged some serious vulnerabilities.

long story short, i received a ton of phishing SMS days before 17.5 came out, knew something was fishy and apple will respond. didn't click on any of the links and reported these SMS and sent to junk. probably the prized zero click variety because today i got 4 transactions from apple.com/bill that i did not authorize, 2 were approved 2 were declined. talked to the bank fraud team and canceled the card. they said more transaction kept coming through after the block. this happened to me last year somewhere around summer, same scenario different ios version with major security fixes.

so yes, apple pay can get hacked and if you have a good fraud team in the bank they should get you covered with disputes, cancelations, etc

May 19, 2024 1:33 PM in response to thamir78

Apple Pay cannot be hacked. Apple Pay is a way to use a credit or debit card for contactless payment. What CAN be hacked is the credit or debit card itself.


And apple.com/bill has absolutely nothing to do with Apple Pay. Apple.com/bill emails are ONLY for charges from Apple for iTunes and app store purchases, and refers to the card you have active in Settings/[your name]/Media and Purchases. You can choose a card you also use with Apple Pay, but even if you do it does not actually use Apple Pay.


What might have happened is your card was compromised (but not because it is registered in Apple Pay) and used fraudulently for a purchase somewhere (NOT from Apple). And you also got 2 routine subscription charges from Apple. If you happen to use the same card in both iTunes/App Store and Apple Pay the fraudulent charges would have locked your card, and the charges from Apple would have been declined.


And it’s also possible that the apple.com/bill were actually fraudulent and not from Apple → Avoid phishing emails, fake ‘virus‘ alerts, phony support calls, and other scams

Jan 11, 2024 10:44 AM in response to kca33

Any chance it was an overseas “hardware store”??? Same happened to us. The credit card we had on Apple Pay got compromised and cancelled (the hardware store). So Chase issued a new card and added it to my Apple Pay without me knowing (by associating my new card to my Digital Account Number/Token). Fraud charges on the NEW card before I ever used it! Chase says someone hacked my Digital Account.

Apr 14, 2024 5:44 AM in response to Bborz

First let’s learn how secure Apple Pay is. When you enter the card data, it’s instantly encrypted using secure methods. The unencrypted data is not transmitted or retained on the iPhone. The encrypted data makes trips to Apple, Payment Network (Visa, Mastercard, American Express, Discover) and your bank. The bank uses its key to decrypt the data and approve or deny adding the card to your wallet app. If the bank approves the card, it’s provisioned and an Apple Pay number is assigned in the form of a token. This is called the DPAN (Dynamic Primary Account Number). The bank then transmits the DPAN back to the iPhone and stores it in the Secure Element (SE). The secure element is entirely separate from the main processor and unit memory. This makes it basically hacker proof. The SE is industry standard and has never been hacked.


When a transaction occurs at a merchant, data about the transaction is sent to the SE and the DPAN is used to create a secure token that can only be used one time. The token then goes through the merchant’s network to the Payment network and your bank, which uses its key to decrypt the unique token and approve or decline the transaction. Token is then returned and sale completed. Transaction is recorded by networks, merchant and iPhone.


The method above has never been hacked. No proof of concept, nothing.


So, please explain the world’s first hacking?


How do credit and debit cards get hacked?


The two most common ways are by skimming data off the magnetic stripe or shimming the data off the chip on the card. These are both common practices used by hackers at merchants and ATM machines. Tiny cameras are also used to capture PINs at ATM machines.


Typically the data is then sold days, weeks, months later on the Dark Web. Bad actors then either create fake cards by buying blanks and running them through a machine/computer that adds the magnetic data and/or programs the chip. These cards are then used or sold to bad actors.


Apple Pay can be hacked by social engineering techniques to gather personal data by which the bank is tricked into adding the card to an iPhone Apple Wallet. Sometimes the card holder is tricked with social engineering techniques into approving adding a device to their Apple ID. But hackers don’t necessarily need to do that. A credit card can be added to up to 10 Apple Pay devices. They do not have to have the same Apple ID.


Your data could have been compromised 6 months ago or longer. It finally sold and was used either physically or added to an Apple Pay device.


Everyone thinks the original compromise happens and a day or two later the fraudulent transactions start. In most cases weeks or months may pass.


Another possibility is a compromised merchant and a Brute Force BIN attack is used. But that’s for another day. I’m going to enjoy my coffee this morning. 😀


https://en.wikipedia.org/wiki/Tokenization_(data_security)


https://en.wikipedia.org/wiki/Payment_card_number


https://en.wikipedia.org/wiki/Credit_card_fraud


YouTube Skimming video


YouTube Shimming video
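
The provisioning and per-transaction token flow described in the post above, as an added example that is not part of the original thread and is not Apple's or any card network's code: a simplified Python model in which an HMAC over a shared key and a counter stands in for the real cryptogram scheme. The class names, the `T`-prefixed token format and the message fields are assumptions for illustration; the model shows why a captured payment message cannot be replayed or altered.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def cryptogram(key: bytes, dpan: str, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """One-time value bound to this DPAN, counter, amount and terminal nonce."""
    msg = b"|".join([dpan.encode(), str(counter).encode(),
                     str(amount_cents).encode(), nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Device:
    """Stands in for the Secure Element: holds the DPAN, never the real card number."""
    dpan: str
    key: bytes
    counter: int = 0

    def pay(self, amount_cents: int, nonce: bytes) -> dict:
        self.counter += 1  # every payment consumes a fresh counter value
        return {"dpan": self.dpan, "counter": self.counter, "amount": amount_cents,
                "nonce": nonce,
                "cryptogram": cryptogram(self.key, self.dpan, self.counter, amount_cents, nonce)}


@dataclass
class Issuer:
    """Bank side: maps each DPAN to the real account and accepts each cryptogram once."""
    vault: dict = field(default_factory=dict)         # dpan -> (real PAN, key)
    last_counter: dict = field(default_factory=dict)  # dpan -> highest counter seen

    def provision(self, pan: str) -> Device:
        dpan, key = "T" + secrets.token_hex(8), secrets.token_bytes(32)
        self.vault[dpan] = (pan, key)
        return Device(dpan, key)

    def authorize(self, msg: dict) -> str:
        if msg["dpan"] not in self.vault:
            return "DECLINE: unknown token"
        _pan, key = self.vault[msg["dpan"]]
        expected = cryptogram(key, msg["dpan"], msg["counter"], msg["amount"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if msg["counter"] <= self.last_counter.get(msg["dpan"], 0):
            return "DECLINE: replayed cryptogram"
        self.last_counter[msg["dpan"]] = msg["counter"]
        return "APPROVE"
```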



