
damphoose

macrumors regular
May 12, 2014
197
175
It sounded mysterious until your last line “I’m traveling” bingo.
Your card got skimmed. On a plane, in an airport, in a bus terminal, on a train. Anywhere where it’s easy to spot a traveler. Someone walks by you (they only have to get within 3 feet) with a device in their pocket that pulls the numbers right off the card. That is why RFID-blocking wallets are so popular overseas.
So I had a similar incident I posted on another thread. But Goldman Sachs did even worse. They say I'm responsible for fraudulent charges to some university in England $2600 AND they CLOSED my account. I call in and get no answers whatsoever.
This does not sound believable. So GS knows it’s you and doesn’t answer the phone? You are protected from fraudulent charges by MasterCard itself. Whether you have Goldman Sachs or Bob’s Mastercard. GS couldn’t screw you even if they wanted to. You fill out the form and they send it in to Mastercard. Now I get that most top banks will reverse the charges immediately as part of customer service or perks or whatever. If GS doesn’t do this then yes I agree that sucks. But eventually they still submit the claim of fraud to MasterCard and MasterCard insurance reviews it and pays or rejects the claim.
 

racharoo

macrumors newbie
Jun 10, 2015
2
0
Your card got skimmed. On a plane, in an airport, in a bus terminal, on a train. Anywhere where it’s easy to spot a traveler. Someone walks by you (they only have to get within 3 feet) with a device in their pocket that pulls the numbers right off the card. That is why RFID-blocking wallets are so popular overseas.


How are they getting the CVV then? The only way to access that is through the Wallet app. These are all times when the digital card is being used, not a physical card. There are people on various sites saying they have never used the physical or digital version of the card and they are getting bogus charges, primarily from UK merchants.
 

4sallypat

macrumors 601
Sep 16, 2016
4,031
3,781
So Calif
If the card got scanned by a RF reader, then all the data (account, expiration, CVV) would all be captured by the thief's RF scanner.

Yes, an RFID-shielded wallet or card protectors would protect your cards from being scanned. I use them whenever I travel (passport, Global Entry TSA card, credit card, ATM card). Works to block the 13.56 MHz signal from NFC RF readers.

I use: [image]
 
Reactions: damphoose

nicho

macrumors 601
Feb 15, 2008
4,250
3,250
It sounded mysterious until your last line “I’m traveling” bingo.
Your card got skimmed. On a plane, in an airport, in a bus terminal, on a train. Anywhere where it’s easy to spot a traveler. Someone walks by you (they only have to get within 3 feet) with a device in their pocket that pulls the numbers right off the card. That is why RFID-blocking wallets are so popular overseas.

If the card got scanned by a RF reader, then all the data (account, expiration, CVV) would all be captured by the thief's RF scanner.

Yes, an RFID-shielded wallet or card protectors would protect your cards from being scanned. I use them whenever I travel (passport, Global Entry TSA card, credit card, ATM card). Works to block the 13.56 MHz signal from NFC RF readers.

Ignoring the fatal flaw, of course, in the suggestion that someone used an RF reader to skim the card... that the physical apple card is not a contactless card...

 
Reactions: ActionableMango

bobt

macrumors regular
Original poster
Nov 17, 2006
145
30
Bozeman, Montana
@960design @bobt please email me about this - tom@theverge.com thanks!
Will do Tom. I'll send you details this evening.
It sounded mysterious until your last line “I’m traveling” bingo.
Your card got skimmed. On a plane, in an airport, in a bus terminal, on a train. Anywhere where it’s easy to spot a traveler. Someone walks by you (they only have to get within 3 feet) with a device in their pocket that pulls the numbers right off the card. That is why RFID-blocking wallets are so popular overseas.

This is not possible. The charges were against the card number that is stored in the wallet, not the physical card, therefore the physical card info was not skimmed or compromised. Either my iPhone wallet was compromised, or the California State Park reservation website was (the only place I have used the card number), or it is something with Apple or Goldman Sachs. The fact that others have had fraudulent charges for colleges in Europe makes me think it is something with Apple or GS having a data breach.
 

damphoose

macrumors regular
May 12, 2014
197
175
How are they getting the CVV then? The only way to access that is through the Wallet app. These are all times when the digital card is being used, not a physical card. There are people on various sites saying they have never used the physical or digital version of the card and they are getting bogus charges, primarily from UK merchants.

Incorrect. The CVV can be pulled with a skimmer just like all the other data.
Will do Tom. I'll send you details this evening.


This is not possible. The charges were against the card number that is stored in the wallet, not the physical card, therefore the physical card info was not skimmed or compromised. Either my iPhone wallet was compromised, or the California State Park reservation website was (the only place I have used the card number), or it is something with Apple or Goldman Sachs. The fact that others have had fraudulent charges for colleges in Europe makes me think it is something with Apple or GS having a data breach.

Apple has created a false sense of how the card works. There is no “physical card info” and “digital card info”. They are the exact same information. The only thing that is different is when you use Apple Pay. Then you have the random tokens instead of the info in the card. To clarify, you see those numbers in the app? Card number, date blah blah blah. That is the EXACT same information on the magnetic strip on your physical card.
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
If the card got scanned by a RF reader, then all the data (account, expiration, CVV) would all be captured by the thief's RF scanner.
This is not accurate. Modern contactless cards use EMV transactions with dynamic security codes. It is not possible to extract enough information to clone the card or make an online purchase. It is in theory possible to make a single transaction by bringing a certified contactless POS terminal within inches of the card, but the card will not respond to a simple scanner that doesn't have the required cryptographic credentials.

But in any case, in case of the Apple Card none of this applies since it is not a contactless card.
 
Reactions: DeanL and ecschwarz
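An added illustration of the "dynamic security code" point in the post above (not part of the original thread, and not real EMV code): a simplified model in which the card's key never leaves the chip and each transaction carries a counter-bound cryptogram. HMAC-SHA256, the field names and the placeholder card number are assumptions standing in for the real EMV algorithms and data.

```python
import hashlib
import hmac
import secrets


def _mac(key, pan, atc, amount, nonce):
    # HMAC-SHA256 stands in for the card's real cryptogram algorithm.
    msg = f"{pan}|{atc}|{amount}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    """Chip model: the key stays inside; only per-transaction output leaves."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def respond(self, amount, nonce):
        self.atc += 1  # transaction counter, never reused
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "nonce": nonce,
                "cryptogram": _mac(self._key, self.pan, self.atc, amount, nonce)}


class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        return Card(pan, self._keys[pan])

    def authorize(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, tx["pan"], tx["atc"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "declined: counter already used"
        self._last_atc[tx["pan"]] = tx["atc"]
        return "approved"


def demo():
    issuer = Issuer()
    card = issuer.issue("CONSTRUCTED-PAN-0001")  # placeholder, not a real number
    captured = card.respond(1250, secrets.token_bytes(4))
    results = {"genuine": issuer.authorize(captured)}
    # Everything an observer saw on the wire, sent again unchanged.
    results["replay"] = issuer.authorize(dict(captured))
    # Same captured values, but a fresh counter and a different amount.
    forged = dict(captured, atc=captured["atc"] + 1, amount=99900)
    results["forged"] = issuer.authorize(forged)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The observed values are enough to describe one past transaction but not to authorize another, because the issuer checks both the keyed cryptogram and the counter.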

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
Apple has created a false sense of how the card works. There is no “physical card info” and “digital card info”. They are the exact same information. The only thing that is different is when you use Apple Pay. Then you have the random tokens instead of the info in the card. To clarify, you see those numbers in the app? Card number, date blah blah blah. That is the EXACT same information on the magnetic strip on your physical card.
This is also inaccurate. There are 3 types of account numbers associated with the Apple Card:

- The number stored on the mag stripe and in the EMV chip on the physical card. You can see the last 4 digits in the Wallet app. The full number isn't displayed anywhere (but you can get it using a mag stripe reader).
- Virtual PAN (primary account number): this is the number you can use for online purchases. It can be re-generated at any time in the app.
- DAN (device account number): this number is generated when a card is provisioned in Apple Pay. It is usually unique per device, even if the same underlying card account is used.
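An added sketch of the three-number layout listed above (not part of the original post, and not Apple's or Goldman Sachs's implementation): a hypothetical issuer-side record showing that regenerating the virtual number retires only that credential. The class, method names and number formats are constructed for illustration.

```python
import secrets


def _new_number(prefix):
    # Constructed stand-in for an account number; not a real PAN format.
    return f"{prefix}-{secrets.token_hex(6)}"


class CardAccount:
    """Hypothetical issuer-side record linking three numbers to one account."""

    def __init__(self):
        self.physical = _new_number("PHYS")  # mag stripe / chip number
        self.virtual = _new_number("VPAN")   # shown in the app for online use
        self.device = {}                     # device id -> DAN

    def provision_device(self, device_id):
        self.device[device_id] = _new_number("DAN")
        return self.device[device_id]

    def regenerate_virtual(self):
        # Only the online number rotates; the old one stops resolving.
        self.virtual = _new_number("VPAN")
        return self.virtual

    def reissue_physical(self):
        # Models the cancel-and-replace path for the plastic card.
        self.physical = _new_number("PHYS")
        return self.physical

    def resolve(self, number):
        """Return which credential a presented number is, or None if retired."""
        if number == self.physical:
            return "physical"
        if number == self.virtual:
            return "virtual"
        if number in self.device.values():
            return "device"
        return None


def scenario():
    acct = CardAccount()
    dan = acct.provision_device("phone-1")
    exposed_virtual, exposed_physical = acct.virtual, acct.physical
    acct.regenerate_virtual()
    after_rotation = {
        "exposed_virtual": acct.resolve(exposed_virtual),
        "exposed_physical": acct.resolve(exposed_physical),
        "device": acct.resolve(dan),
    }
    acct.reissue_physical()
    after_reissue = {"exposed_physical": acct.resolve(exposed_physical)}
    return after_rotation, after_reissue


if __name__ == "__main__":
    print(scenario())
```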
 

damphoose

macrumors regular
May 12, 2014
197
175
This is not accurate. Modern contactless cards use EMV transactions with dynamic security codes. It is not possible to extract enough information to clone the card or make an online purchase. It is in theory possible to make a single transaction by bringing a certified contactless POS terminal within inches of the card, but the card will not respond to a simple scanner that doesn't have the required cryptographic credentials.

But in any case, in case of the Apple Card none of this applies since it is not a contactless card.
What is not accurate is “it is not possible to extract enough information to clone the card”. That is false. If that was true card cloning would have disappeared completely when these cards were introduced. Card cloning is alive and well. Are you really naive enough to think that a criminal enterprise does not have the resources to acquire a device with the “required cryptographic credentials”?

btw GS has been deactivating anyone’s card and sending them a new card if they claim fraudulent charges. You can read people’s first-hand accounts in the Applecard Reddit. If it was so impossible to get the actual physical card numbers that would not be necessary. They would just tell us to hit the “Request New Card Number” and that would solve any fraud issues going forward. Essentially bricking the fraudsters’ ability to use the acquired number. But that does not work because the physical number is being acquired. But that’s impossible apparently.
 

nicho

macrumors 601
Feb 15, 2008
4,250
3,250
that does not work because the physical number is being acquired. But that’s impossible apparently.

Card numbers are generated mathematically. Which makes you putting 2 and 2 together to make 5 all the more ironic.

Many people are alleging fraud without having ever used the physical card, for some it has never left the house. The card has a physical card number (which can't be seen on the card, but is readable by magstripe/chip readers) but it is not contactless. It is indeed fully impossible to clone an apple card using contactless equipment, since it is not a contactless card. Other cloning can occur using the physical card, but not by reading them as you suggested.

So back to the mathematical bit, and trying to get you to see your information through a different lens. The physical card number cannot be changed in the same way as a digital one can; more traditional cancel/reissue process must be followed to ensure compatibility with legacy payment networks. But there's an alternative explanation for fraudsters being able to use the acquired numbers. What if it isn't a case of fraudsters acquiring card numbers and compromising them, but a case of them having worked out the algorithms which generate such card numbers and GS going on to issue physical cards which match them?
 
Reactions: compwiz1202 and jpn

damphoose

macrumors regular
May 12, 2014
197
175
Card numbers are generated mathematically. Which makes you putting 2 and 2 together to make 5 all the more ironic.

Many people are alleging fraud without having ever used the physical card, for some it has never left the house. The card has a physical card number (which can't be seen on the card, but is readable by magstripe/chip readers) but it is not contactless. It is indeed fully impossible to clone an apple card using contactless equipment, since it is not a contactless card. Other cloning can occur using the physical card, but not by reading them as you suggested.

So back to the mathematical bit, and trying to get you to see your information through a different lens. The physical card number cannot be changed in the same way as a digital one can; more traditional cancel/reissue process must be followed to ensure compatibility with legacy payment networks. But there's an alternative explanation for fraudsters being able to use the acquired numbers. What if it isn't a case of fraudsters acquiring card numbers and compromising them, but a case of them having worked out the algorithms which generate such card numbers and GS going on to issue physical cards which match them?
You are rebutting a position I never made. I never said a non-contactless card number was acquired that way. That was an example of how cloning works. And separately addressing a completely different post, that it is impossible to clone the physical Apple card. Again, Topic A: RF cloning. Topic B: Apple card cloning, which is obviously not RF cloning. There are several topics being discussed and you are mixing them up. While not ironic....(rhymes with it though) of you since the ability to hold several thoughts should not be beyond an upright human.

And yes, it's possible that the numbers were worked out with algorithms and not from cloning. Congratulations, you managed to contribute something after all.
 
Reactions: jpn

jpn

Cancelled
Feb 9, 2003
1,854
1,988
Card numbers are generated mathematically. Which makes you putting 2 and 2 together to make 5 all the more ironic.

Many people are alleging fraud without having ever used the physical card, for some it has never left the house. The card has a physical card number (which can't be seen on the card, but is readable by magstripe/chip readers) but it is not contactless. It is indeed fully impossible to clone an apple card using contactless equipment, since it is not a contactless card. Other cloning can occur using the physical card, but not by reading them as you suggested.

So back to the mathematical bit, and trying to get you to see your information through a different lens. The physical card number cannot be changed in the same way as a digital one can; more traditional cancel/reissue process must be followed to ensure compatibility with legacy payment networks. But there's an alternative explanation for fraudsters being able to use the acquired numbers. What if it isn't a case of fraudsters acquiring card numbers and compromising them, but a case of them having worked out the algorithms which generate such card numbers and GS going on to issue physical cards which match them?


this.
it's clear that of all the plausible reasons for this fraud, the criminals have access to the card number generation routine.
gs needs to fix this.
and while they are at it, get rid of the magnetic stripe facility as well, it's just too old tech.
 

nicho

macrumors 601
Feb 15, 2008
4,250
3,250
You are rebutting a position I never made.

Except you literally explained OP's situation by saying this:

It sounded mysterious until your last line “I’m traveling” bingo.
Your card got skimmed. On a plane, in an airport, in a bus terminal, on a train. Anywhere where it’s easy to spot a traveler. Someone walks by you (they only have to get within 3 feet) with a device in their pocket that pulls the numbers right off the card. That is why RFID-blocking wallets are so popular overseas.

I took the liberty of bolding the bit that shows you did take that position - since it's pretty difficult to physically clone a card "anywhere where it is easy to spot a traveler" by way of swiping it. You'd have to mug the person. RF cloning, which is "obviously not" what happened - as you later said - was pretty irrelevant to bring up in the quoted post about Apple Card. His physical card number was acquired. Talking about cloning in general is akin to discussing garrotting in a shooting thread. Another way to kill someone, but not really the topic at hand.

Hence my - and another poster's - correction of it. I can only assume that you're referring to Rigby's post when you say:

And separately addressing a completely different post, that it is impossible to clone the physical Apple card.

although if you read it again, that isn't a position he or from what I see anyone in this thread has taken. Only that you're wrong to bring up RF cloning, which cannot happen with apple card, period. physical cloning yes, but that doesn't explain the number of cases cropping up where people haven't ever used the card. but nobody here has said it couldn't be cloned physically...
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
What is not accurate is “it is not possible to extract enough information to clone the card”. That is false. If that was true card cloning would have disappeared completely when these cards were introduced. Card cloning is alive and well.
First, card cloning is only "alive and well" because cards still have mag stripes for backward compatibility. Second, I stand by my statement that it is not possible to create a card clone with data obtained from an EMV contactless card through a wireless scanner. The system is designed not to transmit all the information that would be required to perform transactions without actually using the physical card itself.
Are you really naive enough to think that a criminal enterprise does not have the resources to acquire a device with the “required cryptographic credentials”?
This is in fact difficult since the credentials are locked into tamper-resistant smart chips (similar to the ones that Apple uses to store Apple Pay information in the iPhone). Also, such a POS device would have to be used through a payment provider. If the device was repeatedly used for fraudulent transactions, the payment provider would blacklist it.
btw GS has been deactivating anyone’s card and sending them a new card if they claim fraudulent charges. You can read people’s first-hand accounts in the Applecard Reddit. If it was so impossible to get the actual physical card numbers that would not be necessary.
Again, you were talking about wireless scanning. Physical card numbers can be stolen in many ways other than wireless scanning (which is not a "thing"), such as breaches of retailer POS terminals or payment networks.
 

southflguy

macrumors regular
Mar 17, 2012
173
67
This does not sound believable. So GS knows it’s you and doesn’t answer the phone? You are protected from fraudulent charges by MasterCard itself. Whether you have Goldman Sachs or Bob’s Mastercard. GS couldn’t screw you even if they wanted to. You fill out the form and they send it in to Mastercard. Now I get that most top banks will reverse the charges immediately as part of customer service or perks or whatever. If GS doesn’t do this then yes I agree that sucks. But eventually they still submit the claim of fraud to MasterCard and MasterCard insurance reviews it and pays or rejects the claim.

Believe it because it happened to me. Ultimately after a week or so I was able to get Apple to speak to GS on my behalf and they called me apologizing that it was a mistake and that it was fraud (they told me it wasn't) and they closed my account accidentally. Still no reason why this happened.
 

bobt

macrumors regular
Original poster
Nov 17, 2006
145
30
Bozeman, Montana
While the discussion of tampering with a card is interesting, I still don't believe it is relevant with my situation. Within the wallet app, it is easy to see if charges are made with the card number or with a physical card. These fraudulent charges were against the card number, not my physical card. Furthermore, my travels are in the very remote locations away from urban areas and public transportation including airports, etc. My latest update with GS is it could take up to 90 days to resolve.
 

tigres

macrumors 601
Aug 31, 2007
4,214
1,326
Land of the Free-Waiting for Term Limits
While the discussion of tampering with a card is interesting, I still don't believe it is relevant with my situation. Within the wallet app, it is easy to see if charges are made with the card number or with a physical card. These fraudulent charges were against the card number, not my physical card. Furthermore, my travels are in the very remote locations away from urban areas and public transportation including airports, etc. My latest update with GS is it could take up to 90 days to resolve.

no joke here, I would send Tim Cook an email with details. You will get a response and a resolution. 90 days, my ass- I would be letting loose on top brass for this, and you have every right to call it out. GS and Apple appear to have some issues with the card.
Don’t forget to tell him how awesome the CS reps at GS are to deal with 🤔
 
Reactions: 960design