
Huntn

Original poster
My wife found a charge on her American Express for $16 at Panera Bread. She notified AE who told her the charge originated from Apple Pay. They closed her card, issued her a new number and told her to “redo” her Apple Pay, huh? I plan on calling Apple after we get home from TGDay festivities.

How can Apple Pay be breached? The whole idea is to protect your CC number, yes? Does this mean her Apple ID has been compromised? Any insight on this appreciated. I’m changing her Apple ID password with her agreement of course. :)
 
Doubt it was breached, but I guess anything is possible. Each device with the card on it has a unique card number that's different than the real card, each transaction gets a unique dummy/one-time-use card number, and all sent with more unique information that one needs to authenticate for. Specifically:


After you authenticate your transaction, the Secure Element provides your Device Account Number and a transaction-specific dynamic security code to the store’s point of sale terminal along with additional information needed to complete the transaction. Again, neither Apple nor your device sends your actual payment card number. Before they approve the payment, your bank, card issuer, or payment network can verify your payment information by checking the dynamic security code to make sure that it’s unique and tied to your device.

On my Amex the Apple Pay charges all start with APLPAY on website (on app, need to tap on the charge to see AplPay; EDIT: and there's the Apple Pay icon on the details as well), so if the transaction on Amex website/app does not list it like that, phone person just did what might be easiest for them (or misread it on their screen).

ADD: if breached, means Amex is breached as that's who gets the fake card number, transaction code, etc to process and approve, not the card processing company. If iCloud is hacked, and could install an iCloud backup on some other device, would need to approve the card in Wallet iirc: will ask for security code on the card to add it to a new device before using.
 
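The check described in the quoted Apple text above, as an added example that is not part of any post in this thread: a simplified issuer-side model in which the terminal only ever sees a device token and a per-transaction code. HMAC-SHA256 stands in for the real payment-network cryptogram, and the class names, token format and test card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def dynamic_code(key, dan, counter, amount_cents, merchant):
    # Stand-in for the transaction-specific dynamic security code (assumption: HMAC).
    msg = f"{dan}|{counter}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Toy issuer: maps each device token to the real card and verifies codes."""
    def __init__(self):
        self._tokens = {}  # device account number -> card, key, last counter seen

    def provision(self, pan):
        # Constructed token format; a distinct token and key per device.
        dan = "4800" + "".join(secrets.choice("0123456789") for _ in range(12))
        key = secrets.token_bytes(32)
        self._tokens[dan] = {"pan": pan, "key": key, "last_counter": 0}
        return dan, key

    def authorize(self, dan, counter, amount_cents, merchant, code):
        rec = self._tokens.get(dan)
        if rec is None:
            return "declined: unknown device token"
        expected = dynamic_code(rec["key"], dan, counter, amount_cents, merchant)
        if not hmac.compare_digest(expected, code):
            return "declined: bad dynamic code"   # not tied to this device/transaction
        if counter <= rec["last_counter"]:
            return "declined: replayed transaction"  # code must be unique
        rec["last_counter"] = counter
        return "approved"

class Device:
    """Toy Secure Element: holds the token and key, never the real card number."""
    def __init__(self, issuer, pan):
        self.dan, self._key = issuer.provision(pan)
        self._counter = 0

    def pay(self, amount_cents, merchant):
        self._counter += 1
        code = dynamic_code(self._key, self.dan, self._counter, amount_cents, merchant)
        return {"dan": self.dan, "counter": self._counter,
                "amount_cents": amount_cents, "merchant": merchant, "code": code}

def demo():
    issuer = Issuer()
    pan = "370000000000002"                      # constructed test card number
    tx = Device(issuer, pan).pay(1600, "PANERA")
    first = issuer.authorize(**tx)               # genuine tap
    replay = issuer.authorize(**tx)              # same message presented again
    altered = issuer.authorize(**dict(tx, counter=2, amount_cents=9900))
    return [first, replay, altered, pan in str(tx)]
```
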
Sounds like AE was being paranoid with cancelling the physical card. Apple Pay never uses the real card number. It only uses a virtual number, the last 4 digits of which are viewable in the Wallet app, so that number could be expired and a new one created.
 
They said it came through American Express and Apple Pay. I know Apple Pay shields the credit card number, so this is bewildering. The AE card seems to get compromised about once a year. When traveling and stopping at a gas station, if buying items inside at the cash register, we use cash now. The old card is locked, new card is en route and to be safe I changed my wife’s Apple ID password.
 
One possibility is that the card was compromised somehow (for example, an online web site was breached) and someone else had all that they needed to add the number to their wallet and used Apple Pay to make the purchase. It seems like an idiotic thing to do, because the Apple ID used would be traceable, but I suppose it's possible to create a throwaway iCloud address.
 
One possibility is that the card was compromised somehow (for example, an online web site was breached) and someone else had all that they needed to add the number to their wallet and used Apple Pay to make the purchase.
That crossed my mind too, but like @NoBoMac said, they'd need to have the four digit security code from the card, and the Amex Apple Pay FAQ says they "may ask you to enter a one-time Verification Code to confirm your identity, for security purposes" so I suppose the data thief could get lucky and a 2FA code would not be required, but why $16 at Panera Bread? I was wondering if perhaps a child away at school has the card in their Apple Wallet for emergency use, but the OP would have figured that out.
 
To add to the previous two posts, OP mentioning "gas station" maybe is a hint. Skimmer on the pump? Very popular place to put those without anyone noticing.

ADD: since AP is basically same tech as chipped cards, if AP is "hacked" so are regular cards, so would expect to see a lot more fraudulent transactions no matter the source, card issuer, etc.
 
To add to the previous two posts, OP mentioning "gas station" maybe is a hint. Skimmer on the pump? Very popular place to put those without anyone noticing.

ADD: since AP is basically same tech as chipped cards, if AP is "hacked" so are regular cards, so would expect to see a lot more fraudulent transactions no matter the source, card issuer, etc.
I used my card to fill the car, and we both stopped using our cards inside gas stations.
 