Apple Cash - TikTok Scam with Greendot


There was fraud on my account: my Apple Cash (not Apple Card) got hacked. For 3 days there were 58 transactions on my account with 'Tiktok for Business' or 'Tiktok Promote'. There were almost 10 other transaction attempts, and the only reason they got declined was because of insufficient funds after the amount was taken out. My total loss is $1,995.27. All the fraudulent transactions were in Euros. I did not authorize these and I don't have any TikTok accounts etc.


It seems I am not the only one impacted (see link to threads below).


I tried the suggestions for securing the account and all those were already implemented and phone was in my possession:

-Regenerated New Card Numbers of Apple Cash multiple times

-Changed Apple ID password

-Signed out of all devices and apps

-Changed Device lock passcode


I called Green Dot for their help in reverting the transactions, but they have not been helpful in sharing how the transactions went through, who the vendor is, which country they originated from, etc. They have denied my claim, saying these were valid transactions, and provided no evidence of what they researched and how they arrived at the decision. So I have followed up by reporting this to the AG, FBI, FTC and local police.


Here are some other discussions: Apple Cash keep getting compromised - Apple Community

https://www.reddit.com/r/AppleWallet/comments/1qbylpp/apple_cash_tiktok_scam/

https://www.reddit.com/r/AppleCard/comments/1owagvh/apple_cash_keep_getting_compromised/


The Greendot bank does not seem to have basic fraud detection and security in place to protect customers. They are not even able to block a vendor in this case (TikTok) knowing the volume of fraud happening.


1) Are you or someone you know impacted by this scam?

2) What do you recommend I do in addition to all that I have already done?


Posted on Jan 28, 2026 9:11 AM


36 replies
Question marked as Top-ranking reply

Feb 21, 2026 10:37 AM in response to dquana

Apple has nothing to do with this. Apple Cash is serviced by Green Dot Bank. If you can’t dispute the issue any further, please file a complaint with the Consumer Financial Protection Bureau.


It’s important to note that Apple Cash does not offer fraud protection.


Apple can’t assist with the issue because your financial transactions are encrypted on your device and Apple does not have the key to decrypt. This means that Apple has no knowledge of your transactions. How can they help with something they have no knowledge of? Apple has no authority to intercede in a federally regulated bank.


I’m sorry this happened but your best path forward is through the complaint process with CFPB. Links are posted in the thread.

Mar 9, 2026 3:06 AM in response to Jeff Donald

As someone who recently experienced this, and with all due respect, I have to disagree with your theory of a BIN brute force. If someone had brute-forced the card number, rotating the Apple Cash card number would have stopped the charges immediately because the old number would be dead and they’d have to start guessing again from scratch. That’s not what happened to me, and seemingly not what happened to the others expressing their frustration in this thread. The charges resumed on the new card number for myself within less than 24 hours after rotation, which rules out any attack that depends on knowing or guessing the card number.


The assumption that sequential reissuing makes brute forcing viable doesn’t track either. Card networks don’t reissue numbers sequentially. Visa’s tokenization and card generation systems use randomized numbering specifically to prevent this kind of predictability. Even if someone knew the old number, the new number isn’t old number plus one. And even setting that aside, brute forcing a card number still requires guessing the expiration date and CVV alongside it, which aren’t sequential by anyone’s definition. The math on brute forcing all three in combination doesn’t support the idea that someone could re-acquire a working set of credentials within hours of a rotation.


What actually fits the evidence is token-based persistent authorization, and there are two layers to how this works based on Apple and Visa’s published legal and privacy documentation, as well as from Krebs on Security.


The first layer is device-level token provisioning. If an attacker intercepts a one-time verification code through social engineering, they can provision the victim’s Apple Cash card onto their own device’s wallet. When that happens, Visa issues a Device Primary Account Number, which is a device-specific token that represents the underlying card but is not the card number itself. That DPAN lives on the attacker’s device and functions as a fully authorized payment credential. It doesn’t require the victim’s Apple ID session to persist, doesn’t care about password changes, and doesn’t get invalidated when the victim logs out all devices from their Apple ID, because the DPAN exists at the network level, not the Apple ID level.


The second layer is merchant-level token provisioning. When that device-provisioned card is used with a merchant like TikTok or Telegram, Green Dot and Visa issue a separate merchant-specific token tied to that merchant relationship. This token allows the merchant to initiate future charges without any further cardholder authentication. No Apple ID, no 2FA, no card number required. And critically, when the consumer rotates their card number, Visa’s token update service propagates the new credentials to all active tokens automatically. The merchant token refreshes itself.


Together, these two layers create what is effectively a permanent authorization chain. The device token gives the attacker a persistent foothold that survives credential resets, and the merchant token gives them a persistent billing relationship that survives card rotations. They’re legitimate tokens issued through legitimate infrastructure. They were just obtained through illegitimate means. That’s what makes this so difficult to detect and remediate from the consumer side. Everything looks valid to the network because technically it is.


The likely sequence is that at some point the Apple Cash credentials were provisioned against TikTok or Telegram through some form of social engineering, whether that was an intercepted OTP or something else. Once that provisioning occurred, the resulting token chain survived every remediation step available to the consumer: password resets, card number rotations, session logouts, even a full factory reset of the device. The only thing that actually stopped the charges was locking the entire account, which just froze all activity rather than revoking the tokens themselves. Even if you choose to unlock the account later, unless Green Dot revokes the merchant tokens (which they informed me they refuse to do), the permanent authorization token still exists with the merchant, meaning you can continue to be charged even after all is said and done. The “scorched earth” approach is requesting that Green Dot close the Apple Cash account and open a new one.


A BIN brute force would also mean random merchants, not the same merchant hitting repeatedly through what is clearly a valid tokenized relationship. The pattern here is consistent with a provisioned token chain being exploited, not someone guessing numbers and hoping they land.


Just figured I’d include the results of my findings after countless hours of fighting with Apple, Green Dot, Phone Companies, Engineering Teams, Corporate Reps, etc.

Jan 29, 2026 4:37 PM in response to Maverick2505

You’re welcome! CFPB is your best bet along with your state attorney general and any consumer protection agency your state has. Don’t expect the FTC to do anything, they don’t really have any jurisdiction. Let me know how the complaint goes, because you may still have a few other options. You should know something in a month or so. Good luck.

Jan 28, 2026 10:17 AM in response to Maverick2505

The amount and type of protection provided depends on if you ever verified your identity and registered your account. You may also have zero liability protection through Visa. Generally, you must report the fraud quickly. If there was a delay of a week or so, between the occurrence of the fraud and you reporting it, your protection is none.


Register your dispute in writing using the address below. Good luck with your dispute.


Apple Cash is serviced and issued by Green Dot Bank. Please contact an Apple Cash Specialist at Green Dot Bank. 


Contact Green Dot Bank:


by mail for disputes at P.O. Box 9, West Chester, Ohio,


www.greendot.com


https://applecash.greendot.com/termsconditions/


For general information about prepaid accounts, visit cfpb.gov/prepaid. 


If you have a complaint about a prepaid account, call the Consumer Financial Protection Bureau at 1-855-411-2372 or visit cfpb.gov/complaint.

Mar 6, 2026 1:55 PM in response to treehouse_resident

I can’t tell you what the scam is until you tell me what’s going on.


Apple’s not a bank and their app doesn’t send anything. I don’t think you understand what Apple Cash is or how it works.


Apple Cash is not a system; it’s a secure service. Again, I don’t think you fully understand what Apple Pay is and how it works.


Apple Cash is not an app.


We can address the trust part after understanding what Apple Cash is, how it works and what role Apple and Green play.


Apple Cash is a prepaid debit card. It consists of a virtual card in your Apple Wallet app. No physical card is issued. The Apple Cash card also has a virtual number associated with it that you can view in your Apple Wallet. When used with Apple Pay (Tap-To-Pay) a digital token is used. It’s important to note the virtual card number, expiration date and security code are different from the token.


Do you know which number was used? I suspect it was the virtual card number but have no way of knowing.


The odds are the virtual card number was obtained one of two ways. The first is you used it online for a transaction and the merchant’s security was compromised by hackers getting into their system.


The second way is a BIN attack. Scammers/hackers compromise a small merchant’s system and then run associated BIN (Bank Identification Numbers) requesting approvals for sequential account numbers. This needs a more detailed explanation and if you want it I’m happy to reply. The alternative is to read the whole wiki article I linked.


https://en.wikipedia.org/wiki/Carding_(fraud)


I have my notifications set to receive notifications and I receive them. I can’t comment further because I don’t know what you have enabled or disabled. However, if you don’t check your notifications, I’m not sure what you’re doing. Sorry, your post contains contradictory statements. No offense, it could easily be me misunderstanding what you’re saying.


How is it possible for withdrawals to happen without a notification? The first thing to understand is there is no Apple Cash System.


The compromise is most likely the virtual card number obtained via a BIN attack. Scammers create TikTok accounts and use the card to make purchases from possibly scam companies or legitimate companies or purchase subscriptions for services. It’s impossible for me to be more specific without more specific information.


Apple Pay (Tap-To-Pay) has never been hacked. Happy to explain further if you’re not willing to accept my statement.


I think I’ve addressed everything. Happy to answer any additional questions.


Feb 2, 2026 1:09 PM in response to Maverick2505

I was impacted - actually it was my son's Apple Cash account. He is a minor, I'm the family manager. He had about 10 transactions in rapid succession on his account, all from "tiktok for business". He doesn't have a TikTok account. His device wasn't stolen. His password was not compromised. There was no abnormal activity on his Apple account. 2 factor authentication has always been enabled on this account. The transactions were in euros (we live in CA). The transactions were algorithmic - it's very clear that these were unauthorized transactions. We were just informed today that the dispute was rejected and that these were deemed "authorized transactions". Still haven't been able to get from Green Dot on what platform these transactions happened. I really don't think they care at this point - this has been happening to more people and I don't think Green Dot is equipped to deal with this. I'm not sure how/why Green Dot still exists, and why Apple partners with such a horrible company.
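As an added illustration (not part of this post, and not code from Green Dot, Visa or Apple), the pattern reported in this thread, many attempts from one merchant in rapid succession in a currency other than the account's, can be written as a simple velocity rule. The ledger lines, field layout, dates, amounts, window and threshold below are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ledger (not real data):
# timestamp, merchant, currency, amount, status
SAMPLE_LINES = [
    "2026-01-25T03:00:00,Grocery Example,USD,42.10,approved",
    "2026-01-25T09:01:00,Tiktok Promote,EUR,35.00,approved",
    "2026-01-25T09:03:00,Tiktok Promote,EUR,35.00,approved",
    "2026-01-25T09:04:00,Tiktok Promote,EUR,35.00,approved",
    "2026-01-25T09:06:00,Tiktok Promote,EUR,35.00,approved",
    "2026-01-25T09:09:00,Tiktok Promote,EUR,35.00,approved",
    "2026-01-25T09:10:00,Tiktok Promote,EUR,35.00,declined",
    "2026-01-25T09:12:00,Tiktok Promote,EUR,35.00,declined",
    "2026-01-26T18:30:00,Hotel Example,EUR,120.00,approved",
]

def parse(line):
    """Parse one constructed ledger line into a dict."""
    ts, merchant, currency, amount, status = [f.strip() for f in line.split(",")]
    return {"ts": datetime.fromisoformat(ts), "merchant": merchant,
            "currency": currency, "amount": float(amount), "status": status}

def detect(lines, home_currency="USD", window=timedelta(minutes=30), min_count=5):
    """Flag merchants with >= min_count foreign-currency attempts (approved or
    declined) inside one sliding window, then summarise their activity."""
    txns = sorted((parse(l) for l in lines), key=lambda t: t["ts"])
    recent = defaultdict(deque)   # merchant -> timestamps still inside the window
    flagged = []
    for t in txns:
        if t["currency"] == home_currency:
            continue              # rule only looks at foreign-currency charges
        q = recent[t["merchant"]]
        q.append(t["ts"])
        while t["ts"] - q[0] > window:
            q.popleft()           # drop attempts older than the window
        if len(q) >= min_count and t["merchant"] not in flagged:
            flagged.append(t["merchant"])
    alerts = {}
    for m in flagged:
        rows = [t for t in txns
                if t["merchant"] == m and t["currency"] != home_currency]
        alerts[m] = {
            "attempts": len(rows),
            "approved_total": round(sum(t["amount"] for t in rows
                                        if t["status"] == "approved"), 2),
            # declines following approvals match the "insufficient funds" tail
            "declined": sum(1 for t in rows if t["status"] == "declined"),
        }
    return alerts

if __name__ == "__main__":
    for merchant, info in detect(SAMPLE_LINES).items():
        print(merchant, info)
```

A single foreign-currency charge (the constructed hotel line) does not trip the rule; only the burst does.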

Mar 6, 2026 1:46 PM in response to Maverick2505

Hopefully everyone's funds due to this scam will be returned shortly. It seems clear that Green Dot had to be approached with legal downsides before recognizing and refunding obvious unauthorized transactions - at least that's the chatter on another site's conversation on this. My claim was rejected, I asked for more documentation, and I was sent the rationale of the rejection that seemed like a boilerplate - as the few points provided weren't even true in our case. The stolen money for many that were victims of this fraud was refunded today. I noted what I thought of Green Dot in a prior posting on this community forum and that was considered threatening by the moderator and my post and username were changed and I was scolded like a child by the righteous moderator - I guess that will happen again. Would be nice if those in this community were informed though that this scam has now been recognized.

Mar 9, 2026 7:22 AM in response to treehouse_resident

treehouse_resident wrote:

In other words, I like your explanation but can't see how they got a one-time verification code to add my AppleCash account to their wallet. Unless this is an inside job.

Just so you’re clear, Green Dot Bank does not use 2FA or OTP as part of provisioning the card for Apple Wallet.


If you weren’t previously aware, there is a virtual card number, expiration date and security code available in your Apple Cash card in your Apple Wallet. Tap the card with numbers at the top of the screen to display the number. This number can be used anytime, but is intended to be used when Apple Pay is not accepted.

Feb 2, 2026 4:27 PM in response to mjolzoirarc97

If you want to learn about what’s possibly going on you need to learn not to make accusations and threats. You were way over the line with your accusations and suppositions.


If you have some information regarding the transaction amounts etc. share a screenshot so I can see what you’re referring to. Cross out any personal information.


I suspect what “may” have happened was a BIN attack. A BIN attack targets sequential credit card numbers at banks (Bank Identification Number attack). Attackers exploit sequentially issued numbers within a bank’s BIN range by brute-forcing combinations of card numbers, expiration dates, and CVVs through automated attempts on merchants.


Here’s how it works. Fraudsters obtain a bank’s public BIN (first 6-8 digits), then use software to generate sequential account numbers and test them via small transactions or authorizations. Sequential issuance makes valid cards predictable, amplifying success rates before banks detect patterns like repeated declines.


There’s more to it than what I shared above. But that’s it until you cool your rhetoric. You should also reconsider your user name if you want anyone to take you seriously. I’m not having a conversation about fraud with someone named horsediddle.

Mar 9, 2026 5:00 AM in response to Nul1

Thanks for contributing your thoughts on the matter. A BIN attack explains the sudden start to the fraud which your method doesn’t address. Some people experiencing this have stated they never once used the card.


You misstated how a BIN attack works. Just one or several merchants are used for a small test transaction. Generally, just a penny or two which doesn’t arouse suspicion of the merchant or card holder.


The compromised card data from a BIN attack is used to purchase a recurring subscription from the merchant. A subscription survives a change of account numbers and security code. Typically banks do not have the authority to revoke a subscription until fraud is determined.


Apple Cash is associated with the Apple Account (Apple ID). I purchased a new iPhone and log in with my Apple Account information and Apple Cash and Apple Card are provisioned on the back end and automatically added to Apple Wallet. A scammer would need Apple Account information from a lot of people.


You have a misunderstanding of tokenization and who issues and controls them. The Token Service Provider or TSP is the issuer. Most banks use the Payment Network Operator, Visa, Mastercard and American Express to issue the DPAN token and keys. For recurring billing, the merchant gets a separate “merchant token” (MPAN) that is unique to that merchant, device, and card combination. Apple (assuming Apple Pay) generates the merchant token when the customer approves the initial transaction, and the merchant stores it for future subscription charges.


Tokens are also used when a customer enters the PAN directly on a website checkout page. Research “card on file” transactions if you want a more complete understanding of payments, transactions and tokens.





Feb 25, 2026 7:35 PM in response to Maverick2505

I was scammed, reported it to GDB & like everyone else, my claim was denied. I was told I approved the transactions - I definitely did not!!


There are so many people who have been affected by this scam.

I looked up doing a class action suit - it’s possible; there are several steps needed before doing so.


I’m out $55, others were scammed out of thousands!! This has to be an inside job as people are expressing the same sentiment of never being notified of the transactions.


I DO NOT have TikTok, nor do I have a clue what the charges actually are for.
