This is my read on this situation, based on the discussion in this thread:
  • The phone call was a phishing attempt. Visa is a business-to-business company. Its clients are card issuers and transaction processors, not card holders. So, Visa does not have any direct contact with card holders. Card holders receive customer service from their card issuer (typically a bank).
  • Phishers have many ways to gather personal information, including scanning social media sites, buying data from hackers, and persuading people with access to contact information to reveal the information, that can be used during phishing attempts.
  • In any case, the match between the phisher's claim to be calling "on behalf of XXX Bank" and the victim's actual bank probably was a lucky guess. Further, it's easy to guess a person's card issuer in markets with a small number of card issuers.
  • The other "details" claimed by the phisher are common activities online. Also, it would be very unusual for a financial services call center rep to provide tech troubleshooting or do detective work.
  • I don't think the victim in this case had their phone or computer compromised. If the victim's card number was indeed stolen, it is much more likely it was in a place the card was physically presented, such as a restaurant, a hotel, or a store.
  • It is very unlikely a fraudulent transaction would happen via Apple Wallet due to multiple factors, including the requirement that the iPhone has to be physically present for the transaction and the way the account details are presented to the merchant.
—————
ETA
If I were facing a situation similar to the OP’s, here are some of the things I would do:
  • Call the card issuer, using the phone number on the back of my card or on one of my monthly statements, to ask if any fraudulent or suspicious activity has been detected on my account.
  • Remove all stored passwords and payment information from the browser that was in use at the time of the potential breach.
  • Download and install a second web browser that is only used for online shopping and on trusted websites. Use the older browser for general web surfing and social media.
  • Anytime I receive a phone call I did not initiate that involves anything confidential or sensitive, I’ll immediately hang up. Then I’ll call the company or provider myself, using a phone number I already have on hand (for example, on a bill or a business card).
----------
ETA 2
From Visa's website:

I was contacted by someone claiming to be from Visa. Is this real or a scam?

If you receive a call or email asking for your information, do not provide it. You can report a phone scam that uses Visa’s name by emailing us at abuse@visa.com. Visa doesn’t call or email cardholders and request personal information.


and

*Please note, Visa does not set up, service, or have access to cardholder or merchant accounts. This is done through our client financial institutions (the banks). Each financial institution has its own criteria for issuing Visa cards, how it manages statements, etc.

(source: VISA FAQ - Individuals )
You're getting a bit too excited about your phishing phone call idea. That isn't what happened. Please read my posts properly.

But I agree. Filled credit cards in MacOS Safari is most likely responsible. Nothing to do with Apple Pay.
 
You're forgetting that you do not need to use Apple Pay with a browser because a website can ask for a person's credit card details. So if the OP's partner was using the web browser to purchase something and was asked for credit card details, as many online retailers do, the credit card details will be stored in the web browser's cache, easy picking for a hacker who knows where to look and thus make a fake Facebook ad to go sniffing around in the cache of the web browser.
That's not how it works. Good luck accessing the card from Safari. Unless the user uses the cached info, and then submits for payment. Browser cache would be one of the most lucrative targets if it were that simple to steal credit card numbers.
 
This! If a site gets hacked then yes that stored credit card info could have been part of the breach. But that isn’t Apple Pay and all any breaches could possibly get is a device code, if Apple Pay had been used, which would be useless to them without the actual device.
Spot on
 
I’m loving this discussion. Thanks all. Although the attention seeking bit in this post is my favourite.

I don’t think it could’ve been on the phone. I think it must’ve been in Safari on MacOS. Nothing else makes sense.
What FB ad was it? Did it install any software/malware?
 
Much more likely that a company with her card data was hacked.

This. Plus a support line person that is probably not well trained (especially in details on how credit card transactions happen with chipped cards and or AP), scripted, and whose real task is to get the caller off the line as fast as possible, going to get a “must have been hacked” to move things along for them.
 
Absolutely
 
Looks to me more a credit card than a wallet issue. Was that credit card used to make purchases on any other sites? I have multiple instances of fraudulent charges made on my credit cards. In one case thousands of dollars were charged on a card that I never use. How they got the credit card number is a complete mystery.
 
Yes. But very few other sites. I think one of them must’ve been hacked.
 
Does the card ever get used in physical locations? Those are far more likely places where card information gets compromised by way of skimmers, or simply someone making note of the card # and details, then using it later or selling it.
 
That's a great point. She uses the physical card often. We'll have to change that. Apple Pay is an option in every retail location in Australia. It has been for years.
 
When I first read this thread, I thought there was no way Apple Pay could be compromised to expose a real card number, since it's supposed to do this:

Apple sends your Device Account Number along with the transaction-specific dynamic security code. Neither Apple nor your device sends your actual payment card number to the app.

However, it seems Apple Pay may not be as secure or as privacy conscious as I thought - unless banks themselves are happily passing private information out to merchants.

Via 404Media:
404 Media found that MTA’s trip history feature still works even when the user pays with Apple Pay. Apple told 404 Media it does not store or have access to the used card numbers, and does not provide these to merchants, including transit systems. Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay.

That's incredibly disturbing. Anyone with the last 4 digits of your card and its expiration date can follow your daily movements? Even when you're using Apple Pay.

If that information is exposed to merchants, either by Apple or by banks, it nullifies one of the primary security features of Apple Pay.
 
It's the Device Account Number that gets passed. When I use the Tube in the UK, I can't use my Watch to enter the network on one end and my iPhone to exit at my destination, otherwise I'll get charged the wrong amount (as both devices have different numbers). There are posters all over the network warning people of this.

Also...

https://support.apple.com/en-gb/guide/security/secfbd5c0e54/1/web/1

After the user authenticates, the Device Account Number and a transaction-specific dynamic security code are used when processing the payment. Neither Apple nor a user’s device sends the full credit or debit card numbers to merchants. Apple may receive anonymous transaction information such as the approximate time and location of the transaction, which helps improve Apple Pay and other Apple products and services.
 
That was certainly my understanding as well. The article I linked throws that into doubt, though.

Perhaps the article is wrong - the American media isn't exactly known for its thoroughness or understanding of the things it reports on.

But if the merchant only has the device account number, how (per the article) would somebody using Apple Pay be able to successfully look up ride history by searching the credit card number on the transit system's website? That seems impossible, unless they are able to obtain the card number.
 
The article isn't clear but the tracking they describe was made possible by having access to the target's credit card number. The target could access their own data using their own Apple Pay wallet but a third party wouldn't have access to a credit card number in that case.
 
Something is weird, you can't hack an Apple Wallet, the "cards" stored are meaningless hashes that change constantly. There's a whole security paper explaining way more in depth how they work but essentially your card number isn't stored on your phone or transmitted via purchases.
 
Yeah, there's something hinky. Either the report in the media is tragically but unsurprisingly libelous, Apple isn't being forthcoming about Apple Pay, or banks/card issuers are doing something shady behind the scenes. Any way you cut it, I don't like it. But I'm really hoping it's just the media being dumb again; that'd be par for the course.
 
You take media way too seriously. There are so many unknowns in the story, if that story was remotely true, we wouldn’t see the issues with people getting stuck using two different devices of Apple Pay. Most likely, the guy who was being tracked had an account, which was being accessed by the reporter using his credit card.
 
It's entirely possible I'm taking the media far too seriously. I laugh at most of their negligent and atrociously researched tech-based stories. This one seems simple enough for them to actually test with minimal competency, though. It's not rocket surgery to send someone through a transit system using only Apple Pay and no account and see what happens. Perhaps I'm giving the media too much credit...
 
The article isn't clear but the tracking they describe was made possible by having access to the target's credit card number. The target could access their own data using their own Apple Pay wallet but a third party wouldn't have access to a credit card number in that case.
You take media way too seriously. There are so many unknowns in the story, if that story was remotely true, we wouldn’t see the issues with people getting stuck using two different devices of Apple Pay. Most likely, the guy who was being tracked had an account, which was being accessed by the reporter using his credit card.
I think this is very likely to be the case
 
My Apple Card got used Aug. 9 at a Walmart in Mass. I live in FL, and have never been to Mass. Moreover, I rarely use the physical card, however, that day I did use it twice, at two locations a few miles apart…in Florida.

I contacted Apple via their website, they transferred me to Goldman Sachs. They confirmed it was not my transaction, reversed the charges and canceled the physical card. A new one arrived a few days later.

One reason I rarely use the physical card is that the tap feature has never worked. On the few occasions I have used the physical card, I have to slide it into the pay slot. The vast majority of charges are via Apple Pay online, and those have never triggered any problem.

The amount was only $28.44 at the Walmart — weirdly, in responding, the GS rep provided the name of the person who made the charge, and even weirder, that the date was March 17 — five months ago(?).

The whole episode is a mystery but it makes me reluctant to use the card physically, at all.
 
Interesting. Swiping credit cards in Australia went out many years ago. We tap to pay using the chip on the card. Although ATM withdrawals rarely use the chip. So skimming is much more likely there.
 
One reason I rarely use the physical card is that the tap feature has never worked. On the few occasions I have used the physical card, I have to slide it into the pay slot.
That's because tap-to-pay is not a physical Apple Card feature. The physical card does not support NFC payments. You're expected to use your phone/watch for NFC payments.
 
Interesting. Swiping credit cards in Australia went out many years ago. We tap to pay using the chip on the card. Although ATM withdrawals rarely use the chip. So skimming is much more likely there.
Santander bank has introduced tapped bank withdrawals at its cash machines in the UK. It has been a long time coming and hopefully will obviate some of the skimming scams but crooks will no doubt find some way to exploit current technology. At least it will put a stop to your card getting swallowed.
 
  • Like
Reactions: brilliantthings
My Apple Card got used Aug. 9 at a Walmart in Mass. I live in FL, and have never been to Mass. Moreover, I rarely use the physical card,

Fraudulent charges can occur even if you don't use a physical card. Had thousands of dollars of charges on the other side of the country on a card that I have never physically used.
 