Apple Pay has been hacked, what to do?

It is. Apple Pay cannot be hacked. It lives exclusively on your devices, so the only way to use it, is to get physical access to your iPhone, iPad or Mac.

If you explain why exactly you think it was hacked, someone may be able explain what happened and advise a course of action.

It sounds like your Apple ID is compromised. You should update your password if you haven’t done so already.

Ah, Ok. If you were inside the Wallet app, you’re safe. But there are phishing attempts that involve an email or text about a charge and a link to follow to report it. Those are all fraudulent and people frequently fall for those.

In the future when your funds are at risk, it’s best to call and report the fraud ASAP. I shared Green Dots and Apple phone numbers above. For credit or debit cards, the number is usually printed on the back of the physical card.

If you want to pursue this, you need to find out if the fraudulent transactions were card present or card not present transactions.

Yes, a mass attack is certainly a possibility. These attacks are know as a brute force BIN attacks. Fraudulent actors gain access to a smaller business with weak security. They know the first 6 digits of the credit card is the Bank Identification Number (BIN) and put through tens of thousands of numbers and collect the hits that work. Then they use the numbers in a website and collect the transactions.

Yes, your statement is correct and the raw (decrypted) data is encrypted and neither Apple or your iPhone has the raw data. The encrypted data is transmitted to the bank and they verify the data is good and authorize (verify) the card to be added to Apple Wallet. The bank and only the bank has the key to decrypt the data. Any raw data entered via device is deleted and only encrypted data is stored on device or Apple servers.

When a transaction is started, a one time use token (encrypted) is generated and used throughout the transaction process. All the merchants ends up with is an approval or a decline, transaction number and last four digits of the token/device number, that can be used as an identifier in case of refund or dispute. If Apple Pay is used, the merchant has very little information and none is really usable.

Sharing an MFA code is more likely or hacking an Apple ID/iCloud account. My Apple ID account password is over 35 characters. It’s easy to remember too.

This seems like what likely happened. I requested a new virtual card number and enabled automatic changing of my security code periodically. Whoever purchased my information has had declined transactions over the last 3 days to the same merchant so we'll see if this stops it. I doubt my apple id was compromised because I haven't received any MFA requests that I haven't initiated myself.

No, your Apple Pay was not hacked. Your credit card was compromised. It had nothing to do with Apple Pay, which is just one more way to use a credit or debit card, and actually a more secure way than using the actual card because it cannot be”skimmed” by a hacked card terminal.

You shouldn’t have to change your Apple ID password unless you got tricked into providing a 2FA code in an email or text.

Think about it for a minute: If the merchant doesn’t know a credit card number, how are they going to submit a bill to it? The number used in an Air Pay transaction is different from the number on the card, it’s chip or its mag stripe, but it still has to be a billable number.

So, Apple Card has 3 sets of numbers. One number is the mag stripe/chip, another number is the virtual number you can change in the Apple Wallet/Apple Card. The third number is the device number. That’s the encrypted number that only the bank has the key to. The other 2 numbers are the standard 16 digit number. But the length of the device number is unknown. The last 4 digits of the device number are disclosed in the Wallet app and this is to facilitate returns and refunds.

The first 6 digits for the 16 digit card number identifies the bank (BIN). The link below may help.

https://chargebacks911.com/bank-identification-numbers/

If I’m a fraudulent actor I target a single bank using the first 6 numbers. Then I attack a merchant account with a list of numbers behind the 6 digit BIN target. It’s random, but it works. The first transaction is usually small so as not to attract attention. Those account numbers that get a successful transaction are recorded and exploited at a later date.

Jeff Donald wrote:

If I’m a fraudulent actor I target a single bank using the first 6 numbers. Then I attack a merchant account with a list of numbers behind the 6 digit BIN target. It’s random, but it works. The first transaction is usually small so as not to attract attention. Those account numbers that get a successful transaction are recorded and exploited at a later date.

I recently got a potential fraud alert from my bank; a purchase for $18.05 was made using my card number (not an Card, but in Apple Pay) on Etsy; did I make that purchase? The alert said the card had been suspended pending my response. This specific charge was not mine, although I have used that card on Etsy in the past, and I use it online with other merchants routinely. So I have no idea how they identified it as fraudulent, but I was impressed. They have been slow to send a replacement card after canceling it, however.

One of the biggest loopholes is the transit card feature. The transit companies security is fairly low, in my opinion, and data is being captured when people use that feature. But the real problem was Visa and MasterCard. This security issue was mostly, if not completely plugged last year. But if devices aren’t updated etc., issues can continue. It also took Visa a while to acknowledge their issue and block the exploit on their side. You can search the internet for much the details.

Just like on the forums here, many things you’ll read on the internet refer to Apple Pay being hacked, when it reality it’s just simple fraud on their Apple Cash account. The account holder/owner sends money for the purchase of goods or services and disappears. But the post you’ll read is “My Apple Pay was Hacked!”

Another method of fraud is numbers sold on the dark web. These are usually attained by fraudulent actors using a skimmer (collects data off mag stripe) or a shimmer (collects data off the chip) when the physical card is used for transactions. The number is then sold on the Dark Web and can be added to an Apple Pay account.

No such thing as an Apple Pay account. Apple Pay is a payment conduit not an account.

Not sure what messages you are receiving form your watch, but no one, can log in to an account that does not actually exist.

If the messages you are receiving on your Apple Watch are emails or even SMS messages, then they are very likely scams.

Your tickets were also on the sellers website. If it was Ticketmaster they were hacked big time, their entire customer base was stolen. That’s much more likely than your Apple Wallet being hacked.

bobdigital wrote:

Jeff you seem to be well informed so had a question. Today someone attempted fraud using what GS says was Apple Pay. It was declined bc of a mismatch of information (what I assume was my Apple Card # and the date/CVV). I have not shared my 2FA with anyone nor did I receive any 2FA request on my Apple devices prior to the attempted fraud. I have never used my physical Apple Card nor have I entered my digital Apple Card # into any payment gateway. I have only used my Apple Card via Apple Pay 1) online and 2) via Apple Pay in a few physical stores. All this said, they want me to change my Apple ID password. I don't mind doing it, but I haven't seen any signs of someone trying to login in with a compromised ID/Pass anywhere so I don't believe that's how the fraud happened. Do you think someone just used an emulator to try random 16-digit combinations of credit cards #s with random expiration dates and CVVs?

Most likely one of the stores where you used Apple Pay was hacked, and your card number and expiration were stolen, then someone tried to add the card using that information to their Apple Pay, which failed, of course.

What do you mean by the Wallet’s >insignia<?

If you want to assume that the Wallet was compromised, all they would have been able to retrieve was encrypted data that your bank put there as part of the provisioning of the card for addition to Apple Wallet. How did the >hackers< gain access to the key, that only the bank has?