Update on Apple Pay / bank - Fraud (UK)

There is nothing suspicious in the approvals for each transaction. A unique approval for each transaction is standard as is the ARD/ARN (Acquirer Reference Number).

There really is only one way you’re going to prove your case. Each Apple iPhone that works with Apple Pay has a unique SEID (Secure Element ID). Apple has encrypted data on their servers that know the SEID of the device used to approve the transactions in question. The issuing bank can confirm the SEID of the device that was used.

Apple will generally cooperate with investigations, but it takes a court order. Have you filed a police report?

I don’t see where anything has changed from our previous conversations.

Your wife’s debit card number/details were skimmed. The fraudulent actors added you wife’s card details into their Apple Wallet and the issuing bank verified and added the card to their Apple Wallet. Scammers then used the virtual number to purchase or reload prepaid debit cards. This is very typical fraud these days. I’m sorry you’ve experienced this.

Any recovery of funds will come from the bank that issued your wife’s debit card. They verified adding the card to the scammer’s device and authorized the transactions that took your funds.

OK, let me explain tokens to you. Tokens might be considered the backbone of the Apple Pay system. There are basically 6 types of tokens. Not all are used at the same time. Several are always used, as you’ll see.

The first is the DAN (Device Account Number). DAN is a unique token for each card in your Apple Wallet. Here are a few key concepts.

• Replaces your actual card number when making purchases.
• Stored in Secure Element (hardware-based secure chip) on the Apple device.
• Used for in-store (NFC) and in-app purchases.
• Looks similar to a credit card number but is unique per card/device.

The second is the Payment Token. It’s a complete data package that includes encrypted payment information. It includes the DAN token.

Payment Token is used during a transaction to provide payment credentials securely to the merchant/payment processor. It’s transmitted via NFC through the merchant’s transaction terminal. The Payment Token contains the following:

• The DAN (Device Account Number)
• A cryptogram (dynamic security code)
• Transaction-specific data (purchase amount, merchant ID etc.)
• Merchants and payment processors to authorize the transaction. Merchants and their card processor use this information to approve or decline the transaction.
• A cryptogram AKA dynamic security code. The dynamic security code changes for each transaction and can only be used for one transactions/payment. It has a limited lifetime or its voided.

The third type is Cryptographic Token (Cryptogram) and it may be included in different data packages. A one-time-use dynamic cryptogram.

• The token is used to authenticate the transaction originated from the user’s device.
• It’s unique to each transaction.
• Prevents replay attacks and fraud by ensuring tokens cannot be reused.

The Merchant Token is the fourth type and is a token used to represent a payment method (card) for a specific merchant.

• Used primarily for recurring or card-on-file payments such as subscriptions. I usually refer to merchant tokens as subscription tokens because that’s how most Apple Pay users encounter them.
• Helps merchants securely store a representation of the card for future charges, without storing real card data. This protects the card holder against data be lost if the merchant is hacked.

The fifth and sixth type are Transit Tokens and Express Transit Tokens. They don’t apply here so I won’t go into details.

Your situation involves either Payment Token or Merchant (subscription) Token. If the token used was setup on a prior date it was a Merchant Token. Merchant Tokens expire but not within the time frame you’re experiencing. Merchant Tokens are reusable to facilitate additional transactions.

So, your wife entered the data on a fraudulent merchant website. A merchant token was issued. A small trial transaction was successful. The scammers used the merchant token at a future date and transferred funds from your bank account.

Some banks use a velocity detection algorithm to slow or stop transactions like what was used to partially drain your account. Some banks believe velocity detection/prevention causes friction (upsets customers) and don’t use it or set higher amount thresholds.

There are several discrepancies you’ll need to get straightened out.

The PAN Entry Mode - Apple Pay e commerce

This might indicate a Merchant Token (subscription) was used, or indicate that the cards virtual number was entered online. The bank or the credit card processor would know for certain. Everything indicates a merchant token was used, and suggests and the bank is saying it was generated in September 2024.

Has the bank confirmed it was a card on file transaction? If so, how is a card on file token used for a cash transfer (or purchase of) prepaid debit cards? A would think the bank would flag a transaction like that and decline transactions. A simple velocity algorithm should have stopped the transactions too. I would definitely switch banks after this.

I don’t know how the works in UK, in regard to liability for fraudulent charges. But generally, in the US, credit cards are a better choice than debit cards, except for cash withdrawals. I go inside the bank to do cash withdrawals with a debit card. I don’t use ATM’s and never use a debit card at remote locations that aren’t closely monitored, such as gas stations. Convenience stores are next for sketchy locations. I’ll walk into a grocery store or more closely monitored retailer to do business or make small transactions.

Fraudsters don’t always do a trial of a card and if they do it can be weeks or months after the card is initially compromised. Compromised card details are frequently sold on the dark web and weeks, even months can pass.

The transaction on the 21, that generated the token that was later used, was issued by what merchant? Merchant ID is associated with the merchant or source of the token and would be recorded when the token was used in March. Who issued the token?

It’s odd the time gap, it’s as if they knew how to avoid any velocity protection the bank had in place.

Contact Apple Pay support via phones ~ They are not available on the chat don't waste your time at the chat support go directly on the phone support here's the contact number that you can call on your location : Contact Apple Support - Apple Support

Hi Jim, you’re welcome!

Merchant Tokens in Apple Pay, used for recurring transactions or card-on-file transactions are not stored on the user’s iPhone or by Apple. Instead, they are stored by the merchant, their payment processor, or Token Service Provider (TSP) and they represent a secure, tokenized version of the customer’s payment information.

The merchant would typically store it on the backend system and the payment/card processor and TSP would likewise have it stored on secure systems and not connected to internet

The tokens are associated with the specific merchant that requested it. They are also encrypted and I don’t believe the merchant has the key.

Yes, the merchant sets up the payment as a subscription or recurring payment. Merchants can specify a limit or expiration to the subscription/payment such as one payment or say three payments as a way to finance purchases, a future date etc.

The merchant typically has the option at time of subscription setup to request payment details. I’m not sure what specifically is disclosed to the merchant. I can look it up if you’re interested.

You might find this blog post interesting.

It’s the best description I’ve been able to find on the “public ‘net” re: Apple Pay’s technical workings.

(i.e. A source which is “internal” to the payments industry)

That said it still required several “re-reads” on my part before it all really soaked in.

Additionally, it still fails to discuss how recurring charges are “processed.”

https://codeburst.io/how-does-apple-pay-actually-work-f52f7d9348b7

Apple Pay works with merchants. Whatever these payment cards are wouldn’t be associated with Apple Pay.

I have a small merchant account for a specialized travel service business I own. I can be paid using Apple Pay. When someone uses tap-to-pay (Apple Pay) funds are almost immediately deposited into my merchant account, setup by the credit card processor. It works essentially the same way when they use my online store or pay an invoice.

I’m not understanding where the 5 payment cards come in to this.

So who is the merchant? Apple Pay can be used to purchase prepaid debit cards. But Apple Pay can’t be used to reload a prepaid account. Your bank statement should list the merchant.