Apple Pay fraud

The text messages were not from Apple or Apple Pay.

Apple Pay will never send you a text message for any reason.

You are being scammed. Ignore the text messages and block the number it is not a real charge and they are trying to get you to pay them.

Apple Pay requires your interaction and approval to even being to work. There is no possible wya for it to happen without your knowledge.

click here ➜ Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support

Apple Pay can’t approve or decline a charge. Apple doesn’t not send Texts when a transaction is attempted via Apple Pay.

Who are the texts from?

If you don’t use Apple Pay then it’s an attempt to get credit information from you. Do not call any numbers associated with the texts or reply to any of the texts. Just delete the texts. If you know how, block the number from texting you anymore.

No, Apple Pay does not handle any funds/monies. Apple Pay does not approve or decline any transaction. Apple Pay cannot refund charges. Only your bank can do those functions.

Apple Pay is a more secure way of transmitting your account data between your bank and the merchant. Apple Pay did not commit fraud or swindle you.

If these are texts from your bank, then the issue is with your bank directly.

If your card was stolen and you reported it stolen to your bank, then they should have blocked it and no other charges should have gone through.

You cannot cancel charges made through someone else's Apple Pay even if they did use your card. You cannot control someone else's Apple account like that.

Yes, they can take a card and add it to their own Apple ID and make purchases, but it should only be possible if you did not report the card stolen.

If you reported the card stolen to your bank, it would not be possible to add it to Apple Pay at all as it would not verify once it was blocked by your bank.

Right now, the issue is solely on the side of your bank. They should to be allowing these charges to continue if you have reported the card as stolen.

You freely admit you don’t know how Apple Pay works, yet they’re at fault because you say so. Let’s learn a little about how Apple and American Express worked together to stop a fraudulent actor from adding a credit/debit card to their Wallet.

One card information is entered into the Wallet and encrypted. Apple does not store that information on their servers. The data is not attached to you in regard to Apple being able to tie card information to a specific user. The data is sent to your bank for verification. The bank contacts you directly on the iPhone and tells you one of three ways to make contact, text, email or telephone. You verify your account with the bank and the card is entered into the Wallet app.

The questions you need to be asking is why did American Express allow the fraudulent actor to add the card? Maybe you approved the fraudulent actor adding the card? You would have received a request from Apple requesting you to authorize the fraudulent actors iPhone to your account? Did you give out your Two Factor Authentication code?

The information you think Apple needs to share such as IMEI will be given to authorized authorities, such as the police you filed your report with. You did file a police report, didn’t you? Apple also works directly with the banks. But Apple has no way to track because card information isn’t directly linked to you.

So, now knowing the above, what exactly do you want Apple to do?

hwasun112 wrote:

I was recently swindled by Apple Pay. I don't use Apple Pay. After receiving a text message saying that it was registered with Apple Pay, I received 20 payment texts for the same amount. I immediately applied for a card suspension at the bank. And I asked for the cancellation of the approval.However, the bank said it could not cancel the approval. I don't understand this situation right now Can Apple Pay cancel the approval?

That was a SMS fraud scam targeting you. Block the number, and move on.

Whenever you are presented with unrecognized payment messages or claims via Messages, SMS, email, telephone, or otherwise, verify the transaction directly with the entity involved; with your bank, with Apple subscriptions and billing info, or whatever the claimed organization. And use your own self-acquired, trusted, contact info for the verification, not contact info from the received message you are verifying.

Bad news here, too: sending telephone numbers, and sending email addresses, can be faked.

Apple Pay can and does send purchase notifications within its payment system. You’ll get the amount and the recipient. These are system notifications, and not SMS text messages. You can then verify the transactions occurred within Wallet app on iPhone, or within the Wallet settings on iPad. And if you’re nor using Apple Pay, you should find no matching transactions.

Lev945 wrote:

I'm in a similar situation - somebody have stolen my credit card number and tried to add it to his/her ApplePay account. Luckily since it's AMEX card the thief was missing the CVC number, the addition of the card failed. Thus it was caught by my credit card company, and I had to cancel the credit card and issue a new one.

However there was ZERO cooperation on the Apple's side - they refused to provide any details regarding the person that have stolen my credit card details and tried to add it into their ApplePay account, and even though they surely could get all the information that could help locate the thief - i.e. it's AppleID, IP address, location, cell phone number etc. they claimed that they can't locate it.

Looks like ApplePay is fraudsters best friend. They even had the nerve to claim that it's all my fault that somebody have stolen my credit card number. If Apple indeed don't keep full logs of the addition of the cards to user's accounts, it surely endorses these illegal activities, as it allows it to happen in an anonymous way, and then to hide behind the ApplePay service.

I'm quite disappointed from Apple to say the least...

There seems some fundamental confusion around how and who handles fraud. This is not Apple’s issue to resolve. Or any other vendor. The vendors verify the card (or not) with the financial provider. Once the cardholder reports the fraud to the financial provider, it is the provider’s issue, and they will then block purchases. There is no means for a cardholder to block individual purposes, nor to notify those vendors that have encountered or honored the (reportedly fraudulent) use of the card number. The cardholder reports the issue to the financial provider, and they deal with this. The cardholder reporting the fraud to every vendor just doesn’t work, and such would also undoubtedly be misused. If the financial provider is not dealing with this reported fraud, find a different provider.

The problem is not with the credit card provider, the problem is with Apple.

First of all Apple should gather and then provide the credit card company with a lot more information than it currently does. There is no reason why Apple should hide from the credit card or the bank the details of the person that tries to add a debit or credit card to the ApplePay. They should provide full details at the card addition attempt, including but not limited to: AppleID, IP address, IMEI, cellphone number, IP address, GPS location etc.

All this information must be gathered by the ApplePay application, and then be forwarded to the credit card company or banking institution, so that it will be both easier to detect fraud and to track the thief.

Right now, from what I have been told by the credit card company, Apple sends to it, besides the card information just... iPhone model. That is not enough.

And attempt to shovel all the responsibility for fraud detection and countermeasures to credit card companies is just pathetic, considering how little Apple does on it's side. When somebody attempts to use a stolen credit card number through any payment gateway, then at very least you get an IP address, and in many cases you get additional protections like VbV/3DS.

Here we're talking about addition of the credit card into a digital wallet that then allows almost no control over the spending, until the credit limit is exceeded. Somebody may then simply go into the store and use his phone to pay using the stolen credit card - and unlike a physical card there is no way to check for the seller to check the name on the card and compare with the buyers ID. It means that the step of adding the credit/debit card must be ultra secure and ultra audited. And it's clearly NOT. And a simple search of the Internet shows that it's not only my personal opinion, and ApplePay is indeed frequently used to exploit stolen credit card numbers.

It matters a lot, I just explained how. Having all that extra information could help credit card company to decide about the risk levels of allowing the card to be added, as well as easier tracking of the criminals.

Most credit cards are non-transferable, thus only the person the card was issued to is allowed to use it.

All the information you need to add the card can be easily stolen, as normally all you need is the information you give during any phone based transaction. The credit card company then MAY decide to apply some extra checks.

However, even if it's applied, currently adding the stolen card to the ApplePay is risk free activity for the criminals, as Apple doesn't provide any information that could help locate these criminals to the credit card companies during the request to the credit card company. So criminals use this venue, as in the worst scenario they just fail to add the card.

And in the best case for the criminals they're able to add the card and start shopping even at physical locations, without a fear of being accidentally caught by cashiers, as unlike the physical credit/debit cards which emboss holders name on it, and thus can be cross checked with the buyer's ID, paying with ApplePay caries no such risk for the criminal. He/she just walks into the store, pays with the phone and takes the goods just paid with the money stolen from the added card.

Because of that a lot more information should be collected and sent over the credit card company at this step.

https://www.vice.com/en/article/n7ngxm/apple-pay-fraud-spending-sprees-2fa-bots

Lev945 wrote:

It actually very different, and I just explained how. I also explained how sending this extra information will help.

That design conflates efforts toward fraud detection and prevention with facilitating criminal investigations. The former is of interest to the financial providers. The latter is potentially a matter for civil or criminal investigations and fot the legal system. The trade-offs appear to erode privacy and security, while fundamentally not improving upon the existing fraud preventions. Financial providers already use locality and habits as part of fraud detection, as well; use of ML is not at all unusual here.

Per “Most credit cards are non-transferable”, see the Apple Card agreement section entitled “Sharing the Account”. In common practice, financial providers don’t care about that, so long as the resulting bill is paid. And most providers have blocked requirements to show added identification with purchases, as well as chip and PIN transactions, as the financial providers do not want to increase the bat]rrier for use, as they perceive that as causing card users to migrate to other payment cards.

Card numbers or card got stolen? Change the virtual number, disable the card, etc., and contact the financial provider and report the loss or theft or fraud.

I’d suggest researching card fraud detection and fraud-relted policies if this area is of interest, as the present payment system including the present fraud detection system (and ML) works as those providers want it to work, and yes, that unfortunately including some inevitable fraud.

Could all this be made more secure? To a degree, yes, though that reduction potentially at a cost of reduced care usage, and of customers and vendors migrating to other cards with less stringent or less intrusive fraud detection, or migrating to cash, and with the resulting losses of direct profits and indirect profits from purchasing-related data.

Jeff Donald wrote:

>>So I spoke with the credit card security and Apple's customer service, which specifically claimed that they don't have any of the information, and I have no reason to go to the police as they won't release any information to any authority claiming that they basically don't have any as they don't collect it. Are you suggesting that Apple customer service is lying?<<

Im not suggesting anything. I don’t know who said what. But the fact is the bank has the information to identify the device.

They may have this information about your device, but not from ApplePay. If you install an application of your credit card company or a bank then they probably do have the details of the phone. They also have you cell phone number and a lot of other information.

But if ApplePay doesn't send the phone identifying information as part of the process to add a card, then there is no way for the card issuer to check and compare that information. Nor to easily locate the criminal.

Here is some of the information that is shared as quoted from the support article linked below.

>>Information that you provide about your card, whether certain device settings are enabled, and device use patterns—such as the percent of time the device is in motion and the approximate number of calls you make per week—may be sent to Apple to determine your eligibility to enable Apple Pay. Information may also be provided by Apple to your card issuer, payment network, or any providers authorized by your card issuer to enable Apple Pay, to determine the eligibility of your card, to set up your card with Apple Pay, and to prevent fraud.<<

Apple Pay security and privacy overview - Apple Support

Apple doesn’t disclose all the information that is provided to the bank, so fraudulent users are prevented from learning the key details shared to the bank.

Usage patterns are much different from phone identifying information such as IMEI, phone number, AppleID etc.

Security department of my credit card company told me that Apple only provided them basic information about the phone, like it's model. That's not something that could be used to easily locate the criminal.

hwasun112 wrote:

I don't use Apple Pay. Someone stole my credit card. As soon as I received the payment text, I asked the credit card company to cancel the approval. However, the credit card company said it was difficult to cancel the approval because the payment was made through Apple Pay. Do you understand this situation now?

A stolen card should be immediately reported to the financial provider. Let the provider sort this. Apple Pay is irrelevant.

You can't report card being stolen until somebody tries to illegally use it, as before that you have no idea that somebody indeed have stolen your credit card details.

That is since the thief doesn't need to steal a physical card to be able to add to ApplePay, just general credit card information i.e. number, expiration etc. - information you provide for Internet and over the phone purchases.

Apple should increase the security of the ApplePay, and provide more information at least to card issuers, so that the person that adds card to the service won't remain anonymous, as there is no any valid reason for that.

I have quite some actual experience in IT and e-commerce as well, however I don't think that even the level of my experience is required for that matter.

The issue at hand is quite simple - ApplePay should gather and provide a lot more information, and then provide all that information to the credit card provider. It will then allow the credit card provider to both make more intelligent decisions as to the risk levels, as well as make it harder for the fraud to take place, and at the same time will make the investigations easier.

Yes, I don't know the exact details of how ApplePay works. But does it required at all to know what needs to be done? I don't think so, especially as the things that I'm talking about are really simple.

It's quite simple for ApplePay application to gather all the information I already mentioned, and it's quite easy modify the protocol so that all this extra information is provided to a credit card vendor. And while it could be possible to spoof some of that information, that will already require a lot more knowledge than an average lamer thief has, that just gets the stolen credit card info and types it into the ApplePay application.

Now lets consider what credit card company could do with that information vs. what it gets now (just card info plus phone model). Credit card company or the bank knows the cell phone number of the client, so an attempt to add the card using a phone with a different cell phone number could automatically block and require some manual steps, thus calling the credit card company. It may do the same based on the SIM related information, and IMEI of the phone itself. And it's just a tip of the iceberg of what could have been done, if Apple would implement this mechanism.

Should I speak about other more obvious and less obvious things? Like more easier investigations of the fraud if you have all the information? But just by adding these simple additions will make adding stolen credit/debit cards a lot more complicated, thus enhancing the security for everybody a great deal.

I also would expect Apple to be generally more approachable and helpful in the cases of the fraud, not just say that there is nothing that they can do, and that they hold no logs or audits of the attempted additions of the cards. I spoke with Apple's customer service and the general message was that it's my fault that somebody have stolen my credit card. The representative went as far as to tell me that she "never gives her credit card details over the phone". I understand that she never purchases anything over the phone nor pays her bills over the phone, but she seemed to be a bit confused by my argument that somebody can potentially steal the credit card details even from the server, so giving up on all phone call based services is not a solution either.

There is also a lot that Apple could do to track this fraudulent activity on their side and help catch the thiefs. After all there it's possible to perform correlation between the phone itself (by IMEI), AppleID, and ApplePay. It's possible to check if some phones i.e. have an abnormal number of cards being added and then removed/blocked. Then Apple could block such phones from using ApplePay, as Apple sits at the center of the information, not credit card company that only knows about it's own cards. I.e. credit card company could have made a lot more intelligent decisions if Apple would provide a lot more information, and that would help greatly, however only Apple sees that the same phone is used to unsuccessfully add cards from different credit cards providers.

Let me explain it all over again:

The criminal that had the stolen card details (not the physical card itself, but only the details from the card) had attempted to add it to his/her/its ApplePay account but failed since it's AMEX and he/she/it was missing the CVC number from the card. Luckily my credit card provider is a lot more proactive on that and sent me a notification about this failed attempt.

As I knew that I was not trying to add the card to my ApplePay it was obvious that it's somebody that have stolen the card details. Thus I contacted the security department of the credit card company and they told me that since it's ApplePay they have no identifying details about that attempt besides the phone model. And the only way to go forward from here is basically to cancel the card and issue a new one.

Unlike what you may think Apple does not cooperate with the banks or credit card providers. And when I contacted Apple's customer service I was told that again - Apple doesn't cooperate with credit card companies, banks or the authorities and claims that it doesn't have any information about the person i.e. AppleID/phone ID/IMEI/cell phone number etc. etc. and thus can't provide it to law enforcement. Basically I was told by Apple that filing a police report about an attempted fraud is useless. I was told by a police officer that filling a report in this case will be a waste of my time, and if Apple refuses to cooperate it's indeed the case.

The criminal hasn't made or even attempted to make any purchases online using the stolen card details, probably because ordering any physical good would require him giving an address to send the stolen goods, thus making it a lot more dangerous for him. My guess that he/she/it hoped to add it to his ApplePay account and then use his/her/its phone to simply go into the store and use all the card's balance to buy i.e. some expensive electronics products. May be some new Apple devices at my expense :-) .

So to summarize - this Apple's behavior of not sharing the data with the credit card companies and the banks makes a life of criminals a lot easier, as it makes catching them a lot harder for both the credit card companies and the police. My damage at this stage? Just the time spent dealing with all this and the need to wait for a new credit card. Since no fraudulent charges were made online, I don't even have to deal with the charge-backs. But it makes me wonder what would happen if the criminals would have the CVV number...

I'm in a similar situation - somebody have stolen my credit card number

and tried to add it to his/her ApplePay account. Luckily since it's AMEX

card the thief was missing the CVC number, the addition of the card

failed. Thus it was caught by my credit card company, and I had to

cancel the credit card and issue a new one.

[Edited by Moderator]