Key Post Can a fraudster add my debit card to their Apple Pay?

Brendan Burgess

Founder
Messages
53,769
This comes up a lot in the complaints that someone doesn't use Apple Pay yet their card was used via Apple Pay in another country.

This thread is very specific. It is not about people having their phone stolen and the thief accessing their credit cards.

In the next post, I will set out the procedure for adding a card.

But if someone has all your credit card information, can they add your card to Apple Pay?

They cannot do it unless you authorise them to add it by giving them a One Time Passcode (OTP) sent by the credit card company to your phone.

If they have hacked your phone, or possibly your desktop, they might be able to access the OTP without you knowing.

Further discussion here

Someone added my credit card to their iPh… - Apple Community

discussions.apple.com
 
Last edited:
Can someone add my debit card to their Apple Pay and thus use my debit card without the debit card PIN?
I have 3 debit cards on my iPhone but don't have my credit card on it. I have just tried to add it.


So I took a photo of my card and confirmed that it had read the information correctly.
It then asked me for the CVC code on the back.
I entered it.

I then got



I then got this message





Edit: AIB sent me a One Time Passcode but I never saw it because the iPhone autofilled it automatically.
If someone else tried to add my card to their iPhone , they would not get the OTP.
 
Last edited:
So I tried to add a friend's credit card to my Apple Wallet last night. I got this message


And then I got this


So I could not add his card.

That was Avant Money.
 
What is puzzling me is the reports of people claiming that payments were made via Apple Pay on their Revolut card.

Nothing was stolen. Not their phone. Not their cards. They just wake up to find their Revolut account emptied.

Could someone who has a Revolut card which is not in their Apple Wallet or GPay wallet please add it and document the process.
Do they send you a One Time Passcode or do they just ask you to press approve on your phone?

Brendan
 
Last edited:
So I had a phone call with AIB security.
They were able to tell me that they sent me an SMS with a one time passcode at 9.15 yesterday morning.
And that they sent me another SMS 19 seconds later - which was presumably the one saying "congratulations, you are now set up on Apple Wallet"

But some autofill on the iphone put the passcode into the apple wallet.

Brendan
 

Serious security issue with popular mobile wallets (Apple and Google Pay)

Fraudulent transactions involving the most popular mobile wallets have been on the rise recently, and unfortunately Revolut is also heavily affected by this problem. In a nutshell: The malicious software called Financial RAT can monitor the users’ computer, waiting for them to enter card...
community.revolut.com

That post links it to hackers getting access via malware to the users computer, (or a similar android version https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/)

The reason for Revolut being more exposed is given as
"Revolut does not send any other notification (via email or push) to the user other than the mentioned 2FA SMS after the card is added to an Apple/Google Pay wallet."

The bricks and mortar banks may for PR reasons take the hit if through no fault of their own a customer is defrauded. They go belts and braces on security even if it risks annoying the customer.

An example of how neobanks security compare to traditional, a self selected PIN to open an app, which the neobanks almost always use, could be ok if the customer is careful - but as far as I know none of the main banks use that method since they assume the customer won't be careful - they'll probably mail you a fixed pin and you have to enter a random selection of the digits.
 
Very interesting but I don't fully follow it.

Is there a difference between Revolut and AIB for example, in the procedure which makes Revolut more vulnerable?

Does Revolut not send a One Time Passcode for adding a card? Or do they send it and the fraudsters can access it via the person's desktop?

Could this RAT be secretly on my PC without my knowing it?

Brendan
 
On the last point, BOI let you choose your own PIN for their app. You have to enter a random 3 of the 6 digits to access the app. I don't remember if they mailed a PIN and I changed though.
 
Brendan Burgess said:
Could this RAT be secretly on my PC without my knowing it?
Click to expand...
It's possible but if you take the usual security precautions (e.g. install operating system updates when available, run and keep updated a decent antivirus/anti-malware tool, enable background scanning and perform regular manual scans for malware, take care when clicking links or visiting potentially untrustworthy websites - if in doubt use incognito/restricted browsing mode first, etc.) then you should be reducing the risk of malware infection significantly.

For more on Remote Access Trojans (RATs) see here for example:

Remote Access Trojan (RAT) | RAT Malware | RAT Trojans | Malwarebytes Labs

Get everything you need to know about Remote Access Trojans (RAT) from what are they, the history of RAT, common infection methods, how to remove them & much more.
www.malwarebytes.com
 
@Brendan Burgess I just tried adding my revolut card to Apple Pay - it's similar to AIB/BOI - you get to either get a code via SMS to confirm, or approve within the revolut app (also with a code that the app shows you).

While it's possible that the user has a compromised computer, the reality is that most people just use mobile devices now. It is far more likely that the compromised users simply approved the addition of the the card to someone else's device - because they were told it was needed to "approve the payment" or were socially engineered in other ways.

Keep in mind that we only hear from the few where they had issues, not the ones where users did not succumb to a fraud attempt. In my reading of the regular Conor Pope stories, a common theme I see is vagueness on the part of the cardholder. (not victim blaming, but I think it's telling).
 
Last edited:
I tried it with Google pay and it is the same. I think you are correct. People see the notification to authorise it and just click ok to accept it. Maybe Revolut could make it more obvious what is going on.
 
Connard said:
People see the notification to authorise it and just click ok to accept it. Maybe Revolut could make it more obvious what is going on.
Click to expand...

No, that is not what happens. It's not just hitting a button to approve it. You have to enter a 6 digit code.

So while a busy person might inadvertently click "approve" , you would have to be very, very careless to actually input a 6 digit code without knowing what you are doing.

It would be interesting to hear from Revolut what their defence is in these cases.

Brendan
 
The user doesn’t have to input the code, they only have to tell the fraud perpetrator what the code is.

Given that most users are not particularly technically or financially advanced, and they had presumably just supplied the card number, expiry date and CVV to the site or person on the phone, I don’t think it’s too hard to see a subset of people further agreeing to hand over the 6-digit auth code. They may not be suspicious or have any idea what’s going on.
 
I was talking about Revolut. For Revolut that is how it works. Or at least that is how it worked with my phone. I don't have another phone to check it with so google pay was on the same phone as my revolut app. Maybe that affects it.
 
Innisfree said:
@Brendan Burgess I just tried adding my revolut card to Apple Pay - it's similar to AIB/BOI - you get to either get a code via SMS to confirm, or approve within the revolut app (also with a code that the app shows you).
Click to expand...

Connard said:
For Revolut that is how it works. Or at least that is how it worked with my phone.
Click to expand...

So which is it?

I suspect that you have to input a code. But if it's sent to the phone number which the card is associated with, then your phone autofills the code.
 
I just deleted my Revolut from Google pay to test this out. Was asked to upload a selfie. Then it got added in the Google pay app. No codes or anything.

But now it's on the wrong phone!
 
Aren't Apple also arguably culpable here if they are (by default?) automatically taking a security PIN from a text message and submitting it to an app/web form without any user input? That sort of automated behaviour seems to undermine the whole point of such security PINs.
 
Downloaded Revolut again on the phone I use google pay on, selfie photo required when logging in and code sent to phone that got entered automatically. Then for adding the card to Google pay, no selfie, no codes sent to phone for this part, it just got added with clicks.
 
I removed and added my Revolut card on Apple Pay again just to see how it worked.

I needed card number, expiry date, and CVC. I had to enter a one-time code via SMS and authenticate as well within the Revolut app. Then I got a notification from Revolut that the card had been added on Apple Pay.
 
You must log in or register to reply here.
Menu
Log in
Register