VISA says that hackers accessed iPhone's Apple Wallet

[brilliantthings]

My partner was contacted by VISA about an attempted fraudulent transaction using a VISA card in her iPhone's Apple Wallet. They traced it back to a Facebook ad that she had clicked on from within the iPhone Facebook app, but she had not bought anything from the store linked to the site. She does not have any credit cards registered with her Facebook account. VISA fraud squad said that the hacker probably gained access to her Apple Wallet. VISA cancelled the VISA card and told her to restore her phone to factory settings to remove the malware. I've done what they recommended.

I have never heard of anything like this and the whole thing sounds unlikely. Can anyone shed some light on this?

 

[Arxr]

Which phone...which version of ios?

 

[Dann3]

Was it really VISA who called you or was that the actual scam?

 

[Pakaku]

Phone VISA yourself and ask them to do a check. Scammers phoning you and pretending to be official is one of those classic scams

 

[brilliantthings]

Thanks everyone. VISA didn't call us. They texted us and then we called VISA directly using a phone number that our bank gave us. We called our bank on their regular customer service phone number.

iPhone 12 mini iOS 16.6

 

[kitKAC]

Did you check the Wallet app transaction history before wiping it? Transactions in Wallet have to be approved by Touch ID/Face ID - it doesn't seem likely it was hacked.

 

[imlovinit]

Never heard that happening before. Curious though. Visa directly? Which bank was it with?

 

[brilliantthings]

VISA contacted us directly on behalf of our Australian bank

 

[brilliantthings]

Did you check the Wallet app transaction history before wiping it? Transactions in Wallet have to be approved by Touch ID/Face ID - it doesn't seem likely it was hacked.

That's what I was thinking. It sounded like they were making it up on the spot.

VISA blocked the transaction so they gave us information but it didn't get to the transaction stage.

 

[TechnoMonk]

That's what I was thinking. It sounded like they were making it up on the spot.

VISA blocked the transaction so they gave us information but it didn't get to the transaction stage.

You should still see declined transaction in wallet App, even if Visa blocked it. Thats been my experience with banks in US, not sure about Australian banks.

 

[laptech]

It would not be a hack. It would actually come under 'phishing'. The fake facebook ad purpose would be to scan the iphone for credit card details and naturally the obvious place to look is the wallet. The fake facebook ad would have looked in the wallet, grabbed the credit card details and send them on to who ever made the fake ad. That person would then try to use the credit card details to make a fraudulent purchase. VISA obviously caught the fraudulent transaction taking place and blocked it.

 

[0339327]

The whole purpose of Apple Pay is to prevent the third party from having any access to the credit cards at all.

Something seems off here.

 

[laptech]

The whole purpose of Apple Pay is to prevent the third party from having any access to the credit cards at all.

Something seems off here.

Apple pay is irrelevant here because if you read the main post it was stated that the probable cause of the problem was a fake/dodgy facebook ad that the OP's partner clicked on. These ad's are no different to the ones you get when on a desktop computer. They are designed to search through the device or computer for credit card info. This is the risk you take when using web browsers on mobile phones, it is very easy for hackers to build fake ad's/sites/cookies that go looking for specific stuff. If the OP's partner has used the web browser to purchase anything, the web browser will have stored credit card info in the browsers cache. Hackers will know exactly what cache files in the web browser to sniffing for.

 

[0339327]

Apple pay is irrelevant here because if you read the main post it was stated that the probable cause of the problem was a fake/dodgy facebook ad that the OP's partner clicked on. These ad's are no different to the ones you get when on a desktop computer. They are designed to search through the device or computer for credit card info. This is the risk you take when using web browsers on mobile phones, it is very easy for hackers to build fake ad's/sites/cookies that go looking for specific stuff. If the OP's partner has used the web browser to purchase anything, the web browser will have stored credit card info in the browsers cache. Hackers will know exactly what cache files in the web browser to sniffing for.

Again, the phish should not have been able to scan the phone and certainly not access Apple Pay. The cache on the browser seems far more likely.

 

[Arxr]

There is a setting in Safari that allows websites to check if you have apple pay enabled.

 

[TechnoMonk]

Apple pay is irrelevant here because if you read the main post it was stated that the probable cause of the problem was a fake/dodgy facebook ad that the OP's partner clicked on. These ad's are no different to the ones you get when on a desktop computer. They are designed to search through the device or computer for credit card info. This is the risk you take when using web browsers on mobile phones, it is very easy for hackers to build fake ad's/sites/cookies that go looking for specific stuff. If the OP's partner has used the web browser to purchase anything, the web browser will have stored credit card info in the browsers cache. Hackers will know exactly what cache files in the web browser to sniffing for.

Credit cards in Apple Pay wallet can’t be accessed through browser cache.

 

[TechnoMonk]

There is a setting in Safari that allows websites to check if you have apple pay enabled.

That doesn’t skip authentication or give access to the card info. There is something missing here.

 

[laptech]

Credit cards in Apple Pay wallet can’t be accessed through browser cache.

Your forgetting that you do not need to use Apple pay with a browser because a website can ask for a person's credit card details. So if the OP's partner was using the web browser to purchase something and was asked for credit card details, as many online retailers do, the credit card details will be stored in the web browsers cache, easy picking for a hacker who knows where to look and thus make a fake facebook ad to go sniffing around in the cache of the web browser.

 

[Jason J. Schneider]

was asked for credit card details

But correct me if I'm wrong, the Apple Pay system doesn't use the original Credit Card details, it creates a virtual card with a virtual ID, and those are sent to the one that requested payment informations.

 

[laptech]

If Apple wallet is so secure as some of you are saying then the issue can only be of two things, either the OP is lying as to what happened and is thus looking for attention or the OP is telling the truth but the credit card details was obtained in another way (web browser direct input of details as I am suggesting).

 

[brilliantthings]

If Apple wallet is so secure as some of you are saying then the issue can only be of two things, either the OP is lying as to what happened and is thus looking for attention or the OP is telling the truth but the credit card details was obtained in another way (web browser direct input of details as I am suggesting).

I’m loving this discussion. Thanks all. Although the attention seeking bit in this post is my favourite.

I don’t think it could’ve been on the phone. I think it must’ve been in Safari on MacOS. Nothing else makes sense.

 

[izzy0242mr]

I think it must’ve been in Safari on MacOS. Nothing else makes sense.

If you have credit card auto fill enabled and someone auto filled a saved card and sent that to the website, then it could have been stolen. But that's not Apple Pay, even if you have to tap the fingerprint sensor on the Mac to allow it to auto fill the card info.

 

[KaliYoni]

This is my read on this situation, based on the discussion in this thread:

• The phone call was a phishing attempt. Visa is a business-to-business company. Its clients are card issuers and transaction processors, not card holders. So, Visa does not have any direct contact with card holders. Card holders receive customer service from their card issuer (typically a bank).
• Phishers have many ways to gather personal information, including scanning social media sites, buying data from hackers, and persuading people with access to contact information to reveal the information, that can be used during phishing attempts.
• In any case, the match between the phisher's claim to be calling "on behalf on XXX Bank" and the victim's actual bank probably was a lucky guess. Further, it's easy to guess a person's card issuer in markets with a small number of card issuers.
• The other "details" claimed by the phisher are common activities online. Also, it would be very unusual for a financial services call center rep to provide tech troubleshooting or do detective work.
• I don't think the victim in this case had their phone or computer compromised. If the victim's card number was indeed stolen, it is much more likely it was in a place the card was physically presented, such as a restaurant, a hotel, or a store.
• It is very unlikely a fraudulent transaction would happen via Apple Wallet due to multiple factors, including the requirement that the iPhone has to be physically present for the transaction and the way the account details are presented to the merchant.

—————
ETA
If I were facing a situation similar to the OP’s, here are some of the things I would do:

• Call the card issuer, using the phone number on the back of my card or on one of my monthly statements, to ask if any fraudulent or suspicious activity has been detected on my account.
• Remove all stored passwords and payment information from the browser that was in use at the time of the potential breach.
• Download and install a second web browser that is only used for online shopping and on trusted websites. Use the older browser for general web surfing and social media.
• Anytime I receive a phone call I did not initiate that involves anything confidential or sensitive, I’ll immediately hang up. Then I’ll call the company or provider myself, using a phone number I already have on hand (for example, on a bill or a business card).

----------
ETA 2
From Visa's website:

I was contacted by someone claiming to be from Visa. Is this real or a scam?

If you receive a call or email asking for your information, do not provide it. You can report a phone scam that uses Visa’s name by emailing us at abuse@visa.com. Visa doesn’t call or email cardholders and request personal information.

and

*Please note, Visa does not set up, service, or have access to cardholder or merchant accounts. This is done through our client financial institutions (the banks). Each financial institution has its own criteria for issuing Visa cards, how it manages statements, etc.

(source: VISA FAQ - Individuals )

----------
ETA 3
(be careful when using search engines to find customer service phone numbers)

the local phone number he was shown for Delta Air Lines via a Google search actually linked to a scam call center that pretended to be the genuine airline.

Scam Alert: Passengers Report Fake Airline Phone Numbers Are Listed by Google | Frommer's

Fake airline customer service phone numbers are allegedly being populated in Google-generated search results.

www.frommers.com

 

[papbot]

But that's not Apple Pay, even if you have to tap the fingerprint sensor on the Mac to allow it to auto fill the card info.

This! If a site gets hacked then yes that stored credit card info could have been part of the breach. But that isn’t Apple Pay and all any breaches could possibly get is a device code, if Apple Pay had been used, which would be useless to them without the actual device.

 

[brilliantthings]

Thanks everyone. VISA didn't call us. They texted us and then we called VISA directly using a phone number that our bank gave us. We called our bank on their regular customer service phone number.

iPhone 12 mini iOS 16.6

The phone call wasn't a phishing attempt. We made all phone calls ourselves using phone numbers we know are genuine.