
Apple Pay actually compromised?

Has someone else encountered this:

  • At 10pm in the evening while watching a movie (and not using my phone, or any other Apple device) I got a notification from the Wallet for a charge using Apple Card - Apple Pay (the actual Apple Pay device card number, not the titanium card number or the virtual card number). The charge is from a utility billing company from another city, same state.
  • This triggered me because I hadn't read the details before, but I always had the impression Apple Pay came with an extra layer of security.
  • I called it in immediately - first Goldman Sachs - processed the dispute and transferred me to Apple Support to change my device Apple Pay number. Apple support didn't know how to do it, suggested I close my credit card and reopen it (laugh), so escalated to Senior advisor - she plainly explained that Apple Pay device numbers can in fact be compromised by skimming devices (again laugh) and to call back Goldman Sachs again in the morning to change the "Credit card number".
  • Now after I did some reading - I found out that Apple Pay uses DPANs in the Secure Element and dynamic one time (per transaction) security code that is issued by the Secure Element (my guess HMAC or another signature). So in theory it should be impossible without going through the proper biometric authentication.
  • Yet my phone was laying by my side, no weird messages, no weird websites, no nothing, simply a notification popping up.
  • And the DPAN number showing on the transaction is my phone's DPAN number.
  • Not that it matters because of the DPAN number showing the transaction authorized by my phone: All my Apple Devices are with me, it was logged only on my current devices, didn't share anything with anybody, did the safety check to make sure of that, etc, etc.

iPhone 15 Pro Max, iOS 18

Posted on Oct 10, 2024 10:02 PM

4 replies

Oct 10, 2024 10:31 PM in response to devspk0

I suspect it has nothing to do with Apple Pay and your Apple Titanium card number was skimmed, it can happen with any credit card when swiped or inserted with a chip. The skimmers/shimmers are installed by scammers most of the time at gas stations where they have uninterrupted access to the terminals overnight to make the modifications. But of course, these can be installed on any terminal.


There is not one DPAN for a device. Each card you add to the wallet including the Apple Card generates a DPAN. It is the Apple Card that was compromised by swiping/inserting card on an altered terminal and when the scammer used the card number, it showed up on your device. There is no authentication required to use the physical card numbers on the Titanium Card.


You should have received a new Titanium card number and this is also why it was required to change the DPAN number on your device for that card. That does not mean that your Apple Pay was compromised, but would indicate your Apple Card was compromised by the method described above.

Oct 10, 2024 10:39 PM in response to Mac Jim ID

Thanks Mac Jim ID, but this is not the case:


  • I have never ever used the Titanium card - it stays in a safe back home - never felt the need to, having Apple Pay. But this also doesn't matter in this case, because:
  • The charge is showing the DPAN of the Apple Card on my device - it has nothing to do with the Titanium card, or the virtual card, or any other card on my device. Yet I didn't authorize it.


Very weird situation


Oct 11, 2024 9:44 AM in response to Jeff Donald

Wow, thank you Jeff Donald, you seem to actually be quite on target. Mystery is resolved.


Utility company is AMS Bill/wa - on their website it shows they offer residential billing services... so nothing related.


But, Goldman Sachs was actually able to provide the address of the business and it turns out it matches the address of a barbershop I used to visit 6 months ago. Not their name on the charge, but I called the barbershop today and they confirmed they did the charge, charging the wrong no-show customer. And refunded it.


Goldman Sachs did confirm that unfortunately sometimes their systems temporarily mess up the merchant name in the Wallet (hope they fix this, I see it already 3 times).


My guess is that when I was visiting the barbershop in the past, they opened a recurring account so that they can do follow-up charges (e.g. no-show). And it immediately reminded me of the MPAN token you suggested.


I hope Apple adds a tag for MPAN payments (just saying "Apple Pay" is confusing in this case) that they are recurring charges, so troubleshooting is easier.


Great catch, thank you!
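The difference the thread lands on, a device token (DPAN) that needs a fresh per-transaction cryptogram from the Secure Element versus a merchant card-on-file token (MPAN) that a bound merchant can charge later with no device present, as an added, simplified simulation. This is not Apple's or any network's actual protocol: the HMAC-SHA256 cryptogram, the counter-based replay check, the `TokenService` class and all token values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class DeviceToken:
    """DPAN: a token bound to one device's Secure Element (simplified model)."""
    dpan: str
    se_key: bytes      # stand-in for the keys held only in the Secure Element
    counter: int = 0   # last accepted transaction counter, for replay detection


@dataclass
class MerchantToken:
    """MPAN: a card-on-file token bound to one merchant, derived from a wallet card."""
    mpan: str
    merchant_id: str
    linked_dpan: str   # the wallet token the notification will be attributed to


def device_cryptogram(se_key: bytes, dpan: str, amount_cents: int, counter: int) -> str:
    """One-time authorization value: only the Secure Element holding se_key can produce it."""
    msg = f"{dpan}|{amount_cents}|{counter}".encode()
    return hmac.new(se_key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Hypothetical token vault that decides whether a charge is valid for each token type."""

    def __init__(self) -> None:
        self.dpans: dict[str, DeviceToken] = {}
        self.mpans: dict[str, MerchantToken] = {}

    def authorize_device(self, dpan: str, amount_cents: int, counter: int, cryptogram: str):
        tok = self.dpans.get(dpan)
        if tok is None:
            return ("declined", "unknown device token")
        if counter <= tok.counter:           # a captured cryptogram cannot be replayed
            return ("declined", "replayed transaction counter")
        expected = device_cryptogram(tok.se_key, dpan, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return ("declined", "bad cryptogram")
        tok.counter = counter
        return ("approved", f"device-present charge on {dpan}")

    def authorize_merchant(self, mpan: str, merchant_id: str, amount_cents: int):
        """No cryptogram and no device involved: the binding to the merchant is the whole check."""
        tok = self.mpans.get(mpan)
        if tok is None:
            return ("declined", "unknown merchant token")
        if merchant_id != tok.merchant_id:
            return ("declined", "token not bound to this merchant")
        # The wallet shows this under the linked DPAN even though the phone never took part.
        return ("approved", f"merchant-initiated charge via {mpan} shown on {tok.linked_dpan}")
```

The merchant path approving a charge while the phone is idle is exactly the no-show billing the thread ends on, which is why a DPAN in the notification does not by itself prove the device authorized anything.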




