Credit card used in Apple Pay compromised

Jeff,

I contacted my CC fraud department and they indicated there was no SEID attached to the transaction. They also clarified that it was an online transaction and a MANUAL ENTRY. They also indicated that the CC number used was the number issued to my device’s Apple Pay which is different than my actual physical card number. The reason it was declined was because the address and CVV entered manually did not match.

I have recently made at least 3 online purchased for Christmas on reputable sites using the APPLE PAY Option. My guess that someone can access the CC number on their end or in transit and attempted a manual entry.

I will not be using APPLE pay for now. Sticking to PayPal. Never had issues with that.

Here is the test. Each Apple device with a Secure Element has an SEID number (Secure Element ID). It is unique and can’t be cloned. The bank can see the SEID that made the transaction. Ask them for the SEID that made the transaction.

Your SEID number is at this path,

iPhone > Settings > General > About < SEID number.

So you are saying that the information given to me by my CC company is incorrect? I think not.

There is a CC number (different than physical card) associated with my credit card and assigned to my Apple Pay device. If someone somehow can see this CC number in its entirety, there is nothing stopping them from making a purchase online and entering this acquired number manually as a visa/mastercard payment method. The issue for me is that when they entered the info the address and cvv entered did not match and therefore was declined. Since they did indeed have the CC number correct the transaction decline notification came to my Apple Wallet device for which this number has been assigned to which makes sense.

Yes, the SEID number and if it was a card present or card not present transaction is how to determine the nature of the transaction.

The three devices (?) can only be positively identified by the SEID. Why did they not give you the SEID? What are they hiding, the one way to determine the devices involved.

Apple Pay does not send any notices regarding charges. Any emails or SMS messages you get regarding Apple Pay are always scams. Never real.

If a charge that had been made through Apple Pay, it would appear in the Wallet App on the FM1's devices only It would not send a notice.

There is no actual card info kept in Apple Pay, and Apple Pay requires biometric confirmation to execute a payment. So it's simply not possible to have it be hacked or compromised like that.

As such email or sms notice that purports to notify about an Apple Pay charge is a scam.

>>I have recently made at least 3 online purchased for Christmas on reputable sites using the APPLE PAY Option. My guess that someone can access the CC number on their end or in transit and attempted a manual entry.<<

The credit card number is not stored on your iPhone. Your bank substituted the number for a dynamic payment token. It creates a unique card number for each transaction. The data generated by the token is encrypted. Only your bank and PNO has the key to decrypt the information. The information is only good for one purchase. The token is dynamic and creates new data each transaction.

If several transactions were attempted, Apple Pay would create new numbers each transaction.

Each device has several unique identifiers the banks and PNO’s have access to, SEID and last 4 digits of DPAN (Device Primary Account Number. Each device, even with the same card (account) in the Wallet will have different DPAN numbers, along with a unique SEID. A DPAN can’t be entered manually, it’s encrypted.

LaSuperChula —

>>There is a CC number (different than physical card) associated with my credit card and assigned to my Apple Pay device. If someone somehow can see this CC number in its entirety, there is nothing stopping them from making a purchase online and entering this acquired number manually as a visa/mastercard payment method.<<

The second number is called the DPAN ( Device Primary Account Number) is encrypted by your bank and only the bank has the key to decrypt the full number.

Your bank creates a dynamic encrypted token and it’s placed in your Apple Wallet in the Secure Element (SE). The dynamic token creates a unique number for each transaction and your bank only permits each unique number to be used once.

The secure element is its own computer or SOC (System on a Chip) that uses virtually none of the iPhones resources except battery and limited encrypted wireless data. SE has its own processor and memory and uses Java for its operating system. It’s hard by banks worldwide and has never been compromised and is an ISO standard in the banking sector worldwide.

Please explain how the encrypted number was decrypted and manually entered at a merchant’s location.

• What do you see when you tap on the Declined transaction, and sometimes an additional tap to show the details?
• Can you post a screenshot of that page without it showing any personal information?

Did you ask them for the SEID number as I requested? If they don’t have it, which I sincerely doubt, the PNO does have it.

Then match the SEID number to your iPhones.

Where trying to get there with facts, not your suppositions. When you ask the bank for the SEID also ask if it was a card present or card not present transaction.

That’s not Apple Pay charging you. Whatever card you have linked to that account shows up in that cue. Tap on that charge and it will show you which card was charged.

It has nothing to do with Apple Pay. Your credit or debit card number was used somewhere without your consent. You received a notification in Apple Pay bc you have that card linked to Apple. See what I’m saying?

All Apple Pay transactions code as card present. They do not code as manual entry or card not present.

Visa, Mastercard, American Express etc. (Payment Network Operator) are so confident in the security of Apple Pay transactions they code them as card present.

Apple Pay transactions cannot be entered manually. It’s impossible.