You're getting a bit too excited about your phishing phonecall idea. That isn't what happened. Please read my posts properly.
But I agree. Filled credit cards in MacOS Safari is most likely responsible. Nothing to do with Apple Pay.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
VISA says that hackers accessed iPhone's Apple Wallet
- Thread starter brilliantthings
- Start date
-
- Tags
- apple wallet hack iphone
- Sort by reaction score
But I agree. Filled credit cards in MacOS Safari is most likely responsible. Nothing to do with Apple Pay.
That's not how it works. Good luck accessing the card from Safari. Unless the user uses the cached info, and then submits for payment. Browser cache would be one of the most lucrative targets if it were that simple to steal credit card numbers.
Precious Gems Co 🤦🏻♂️. No malware detected.
I think this whole thing sounds like nonsense. Much more likely that a company with her card data was hacked.
This. Plus a support line person that is probably not well trained (especially in details on how credit card transactions happen with chipped cards and or AP), scripted, and whose real task is to get the caller off the line as fast as possible, going to get a “must have been hacked” to move things along for them.
Looks to me more a credit card than a wallet issue. Was that credit card used to make purchases on any other sites? I have multiple instances of fraudulent charges made on my credit cards. In one case thousands of dollars were charged on a card that I never use. How they got the credit card number is a complete mystery.
Does the card ever get used in physical locations? Those are far more likely places where card information gets compromised by way of skimmers, or simply someone making note of the card # and details, then using it later or selling it.
That's a great point. She uses the physical card often. We'll have to change that. Apple Pay is an option in every retail location in Australia. It has been for years.
When I first read this thread, I thought there was no way Apple Pay could be compromised to expose a real card number, since it's supposed to do this:
However, it seems Apple Pay may not be as secure or as privacy conscious as I thought - unless banks themselves are happily passing private information out to merchants.
Via 404Media:
That's incredibly disturbing. Anyone with the last 4 digits of your card and its expiration date can follow your daily movements? Even when you're using Apple Pay.
If that information is exposed to merchants, either by Apple or by banks, it nullifies one of the primary security features of Apple Pay.
It's the Device Account number that gets passed. When I use the Tube in the UK, I can't use my Watch to enter the network on one end and my iPhone to exit at my destination otherwise I'll get changed the wrong amount (as both devices have different numbers). There are posters all over the network warning people of this.
Also...
https://support.apple.com/en-gb/guide/security/secfbd5c0e54/1/web/1
That was certainly my understanding as well. The article I linked throws that into doubt, though.
Perhaps the article is wrong - the American media isn't exactly known for its thoroughness or understanding of the things it reports on.
But if the merchant only has the device account number, how (per the article) would somebody using Apple Pay be able to successfully look up ride history by searching the credit card number on the transit system's website? That seems impossible, unless they are able to obtain the card number.
The article isn't clear but the tracking they describe was made possible by having access to the target's credit card number. The target could access their own data using their own Apple Pay wallet but a third party wouldn't have access to a credit card number in that case.
Something is weird, you can't hack an Apple Wallet, the "cards" stored are meaningless hashes that change constantly. There's a whole security paper explaining way more in depth how they work but essentially your card number isn't stored on your phone or transmitted via purchases.
Yeah, there's something hinky. Either the report in the media is tragically but unsurprisingly libelous, Apple isn't being forthcoming about Apple Pay, or banks/card issuers are doing something shady behind the scenes. Any way you cut it, I don't like it. But I'm really hoping it's just the media being dumb again that'd be par for the course.
you take media way too seriously. There are so many unknowns in the story, if that story was remotely true, we wouldn’t see the issues with people getting stuck using two different devices of Apple Pay. Most likely, the guy who was being tracked had an account, which was being accessed by the reporter using his credit card.
It's entirely possible I'm taking the media far too seriously. I laugh at most of their negligent and atrociously researched tech-based stories. This one seems simple enough for them to actually test with minimal competency, though. It's not rocket surgery to send someone through a transit system using only Apple Pay and no account and see what happens. Perhaps I'm giving the media too much credit...
The article isn't clear but the tracking they describe was made possible by having access to the target's credit card number. The target could access their own data using their own Apple Pay wallet but a third party wouldn't have access to a credit card number in that case.
I think this is very likely to be the case
My Apple Card got used Aug. 9 at a Walmart in Mass. I live in FL, and have never been to Mass. Moreover, I rarely use the physical card, however, that day I did use it twice, at two locations a few miles apart…in Florida.
I contacted Apple via their website, they transferred me to Goldman Sachs. They confirmed it was not my transaction, reversed the charges and canceled the physical card. A new one arrived a few days later.
One reason I rarely use the physical card it that the tap feature has never worked. On the few occasions I have used the physical card, I have to slide it into the pay slot. The vast majority of charges are via Apple Pay online, and those have never triggered any problem.
The amount was only $28.44 at the Walmart — weirdly, in responding, the GS rep provide the name of the person who made the charge, and even weirder, that the date was March 17 — five months ago(?).
The whole episode is a mystery but it makes me reluctant to use the card physically, at all.
I contacted Apple via their website, they transferred me to Goldman Sachs. They confirmed it was not my transaction, reversed the charges and canceled the physical card. A new one arrived a few days later.
One reason I rarely use the physical card it that the tap feature has never worked. On the few occasions I have used the physical card, I have to slide it into the pay slot. The vast majority of charges are via Apple Pay online, and those have never triggered any problem.
The amount was only $28.44 at the Walmart — weirdly, in responding, the GS rep provide the name of the person who made the charge, and even weirder, that the date was March 17 — five months ago(?).
The whole episode is a mystery but it makes me reluctant to use the card physically, at all.
Interesting. Swiping credit cards in Australia went out many years ago. We tap to pay using the chip on the card. Although ATM withdrawals rarely use the chip. So skimming is much more likely there.
That's because tap-to-pay is not a physical Apple Card feature. The physical card does not support NFC payments. You're expected to use your phone/watch for NFC payments.
Santander bank has introduced tapped bank withdrawals at its cash machines in the UK. It has been a long time coming and hopefully will obviate some of the skimming scams but crooks will no doubt find some way to exploit current technology. At least it will put a stop to your card getting swallowed.
Fraudulent charges can occur even if you don't use a physical card. Had thousands of dollars of charges on the other side of the country on a card that I have never physically used.