Hacked Credit Card Apple Pay

Back in July, I went to use my Virgin Money Visa Credit Card only to find it declined the transaction. Further to my checking, I found it had been maxed out, filled with dozens and dozens of fraudulent transactions, all made in another state to the value of $31,000.
A call to the (overseas) call centre had the card stopped, new card issued and the transactions reversed while it was investigated.
2 months on and I find my card maxed out again. A check of my account found all the fraudulent transactions had been charged back to my card.
I was straight on the phone to the call centre and to my horror found that all of these fraudulent were charged back to me because the investigation was NOT found in my favour. All of the transactions were made with Apple Pay and because of this, they are regarded as authorised transactions. Even though all of these were made in Melbourne, while I live and reside in Sydney made NO difference to Citi Group. It seems that Visa’a Zero liability for unauthorised transactions doesn’t apply here.
I have lodged a complaint with AFCA, but from reviews I see don’t hold a lot of hope.
This is a real concern if my card details can be copied and some how loaded onto a hackers phone to have a spending spree using Apple Pay till they max out the card. I was led to believe that banks were watching for unusual spending on Credit Cards and would contact the consumer to question it.
It seems in an effort to make card transactions more secure, has give the consumer less security and rights when it comes to fraudulent activity.


Hi @Hardyplank, welcome to the community. I sympathise for the predicament you are in as it must be very stressful and worrying for you.

It seems strange that you had a Virgin Money Visa Credit Card which had unauthorised transactions. A new card was issued, which in effect prevents any new transactions on the old card…but a similar event occurred with the new card.

It sounds like you have given your card credentials to someone who used them or they have been ‘stolen’ from someone you have given your card credentials to. Another words, it sounds like you have been scammed or your credit card details have been obtained in a hack. The later option is unlikely as two similar events occurred in effect with two separate card credentials.

Can you remember who you have given your card credentials to…say over the phone or for an online transaction?

If it was over the phone, what was it for and who contacted who (did you engage with/call them initially or visa versa).

If you have bought something online (a product or service, cryptocurrency, etc), was it from a recognised renown retailer/supplier or a new business/website you found (such as one advertising something cheap which was too good to pass up)?

If you have knowingly given out your credit card details and have been scammed, it is possible that the

as it could be seen that you provided your card details to be used, thus transactions were in effect authorised.

It would be worth going back over the period since your new card was issued and identify exactly who you gave your card credentials to. This might provide some clues to how your credit card was obtained by criminals and used.

They do. Our own bank, like many others, have systems that monitor for unusual transactions. This includes unusually large transactions, transactions instigated overseas or to known scams (e.g. buying something from a known scam website).

If the transactions are small and could be seen as being reasonable (such as making purchases in Melbourne when one lives in Sydney), then these are less likely to be flagged as suspicious. If such transactions were flagged, then there would be a significant number of genuine transactions which would be flagged resulting in significant time to resolve/process. It is also worth noting that scammers/criminals try and find ways to bypass checks and controls in place, to maximise their ability to have the transactions processed.

You may have answered your own Question.
Is the issue here not with your Virgin Money Visa CC but with Apple Pay?

The fraudulent transactions have somehow replicated your Apple Pay credentials. Apple Pay has subsequently debited your Virgin Money Visa CC. Even though Visa had looked to the transactions, they can only look to the Apple Pay link and reinstated them on your account for which they have provided a new card.

Should you be looking to Apple and how your Apple Pay service has failed?
It may seem a small,step. Are Visa responsible for how Apple Pay uses your credentials? According to Apple Pay they do not store or access your CC credentials. I’ve always considered Apple Pay to be bullet proof as it uses your mobile device to authorise each payment. Proof at least for Visa to consider the purchases transacted by Apple Pay to be properly authorised.

Forbes offers up the following that leaves me more confused, than able to offer a solution?


Wow. A fine mess to try and get resolved. My sympathies.

First of all your card issuer is Virgin Money, a wholy owned subsidiary of Bank of Queensland. You are their customer, and should deal properly with clearly fraudulent use of your card. They seem to have by issuing a new card, and taking up the disputed charges with the the other party, the merchant.

Not sure where Citi group fits into this but the merchant would be whomever makes a charge on your card. In this case it is Apple, and someone using their application on a phone who has somehow got your full card details.

The facilitator of the transactions is Visa.

You have disputed the transactions as not yours. Pretty good argument that as the transactions originated from a different state, they were not yours.

Your issuer, who is supposed to be on your side, has reinstated the disputed transactions onto your new card after apparently accepting that the merchant side was authorised, by you.

I would go back to my card issuer and dispute all the transactions again, and again. Since they are using the Visa network, they have to abide by the Visa rules, as does the merchant side.

Visa will be the arbitrator of a final decision if an impass ensues.


Just to clarify, the event that happened to the new card was Virgin Money reissuing the fraudulent transactions back onto my account. The transactions were all amounts ranging from $500 to $1200.
I can only think that some how I’ve had me details collected through a scam of some sought.

Citi Group were the issuers of Virgin Money CC at the time of the incident. Bank of QLD has since taken over Virgin Money.


Apologies, misread your earlier post.

For someone to be able to load your credit card details into Apple Pay on their phone, they need to have your two factor authentication code. If you can’t remember where you may have handed over your credit card details, you might remember if anyone asked you for your two factor verification code. This could have been someone you spoke to on the mobile saying it needed to be given to verify who you were. Once someone has the two factor authentication code, they can activate the card in Apple Pay and go on a spending spree with limited traceability.

If you gave out your two factor authentication code, then this might be why the transactions weren’t considered unauthorised.


That sux. :frowning_face:

If nothing else, can you get your credit limit reduced way, way down?

If the fraudster is going to keep maxing out your card then the card is no use to you anyway.

Some people I know have more than one credit card, with at least one of the cards set with a really low limit (e.g. $1000), and that card is the one they use with (potentially) scammy web sites and the like i.e. card-not-present scenarios - and for other low trust low value scenarios. (This may then require paying off the card early, for legitimate transactions, so as to keep the available credit up.)

They do - although the systems will vary from bank to bank, and also, because “unusual” has no exact definition, success will vary from case to case.

It is possible that the changing landscape of credit cards, where credit cards are operated on your behalf by third parties (like Paypal or ApplePay), may make it harder to detect unusual activity.

Personally I would not consider a person who resides in Sydney taking a trip to Melbourne and making in-store transactions there to be unusual. Melbourne is not Mars. Whether the total amount is unusual for you only you can say.


Believe me, If I can offer any advice it is,

!. Only have the minimum credit limit that will let you function day to day.

  1. My new CC from a different bank offers a transaction limit function which I have activated.

  2. Check your bank accounts activity, every couple of days. Daily would be best.

  3. Have spending notifications turned on, so you get notified of all transactions.

  4. If in the slightest bit of doubt, ask questions. There’s no such thing as a dumb question, It could save you a lot of drama.


Well, yes, even on my normal card I have a modest credit limit (way way below yours).

Card issuers don’t exactly encourage this. In fact, they not only push high limits, and push you to increase the limit from time to time, but they default to high limits.


Correct. If I had a dollar for every time, I received a letter telling me that I can have my credit limit increased, I’ll be able to pay out this problem.


So in this whole time you never once got an email to tell you a transaction has been made from your card. It seems strange because I have Apple Pay and every time I use it I’m emailed the amount date and time. I also have it linked to my bank and any suspicious withdrawals or a lot of them the bank frezzes the account and email me. Why haven’t you been emailed, or at leased received an on line statement of the transaction


Correct. First I found out about it was when my card was declined because it was maxed out

What type of transactions were those you did not authorise, over the counter or online or both?

I’ve not taken up the Apple Pay option. How it appears to function. Others may help out.

Apple Pay requires your Apple Pay authorised Apple device to transact using a linked CC account.

How does your CC provider know with certainty that the transactions were actually authorised by Apple Pay?

Assume the transactions @Hardyplank did not authorise were made with Apple Pay as the previous posts suggest. Apple Pay should be able to match the transactions uniquely to @Hardyplank device.

The merchant banking system and CC provider have agreed to accept Apple Pay as a secure method for payment. If it has failed as suggested is it in their best interests to find out what has really happened?

As Apple describe it the system of security is more involved than simply loading a CC number onto a device.

EG to set up a account with Apple Pay.

Information that you provide about your card, whether certain device settings are enabled, and device use patterns — such as the per cent of time the device is in motion and the approximate number of calls you make per week — may be sent to Apple to determine your eligibility to enable Apple Pay. Information may also be provided by Apple to your card issuer, payment network or any providers authorised by your card issuer to enable Apple Pay, to determine the eligibility of your card, to set up your card with Apple Pay and to prevent fraud.

Unfortunately the design of Apple Pay is such that Apple do not keep any record of the transactions it is used to authenticate?

Curiosity asks how easy is it to add a CC that is not yours to your Apple device. A further question is how reliably does Apple assure one’s Apple ID associated with a device?

All I needed to provide for primary ID when I entered the Apple-verse was a working email address and a valid CC. In fact certain other details are not exactly as they should be, and the original email address which is my ID no longer functions for email. You can set a new and different email address for communication with Apple, but still log in using the original email as an ID. Email providers come and go, something Apple provides for.

Perhaps there is a flaw in how Apple Pay and the CC providers authorise the additions to their universe? IE they do not protect against fraudulent duplications,

1 Like

@Hardyplank has indicated that it wasn’t his phone.

@Hardyplank credit card details were loaded onto the criminal’s phone and used for transactions. The phone used could have been stolen or a burner phone…or payments made online.

Please refer to my previous post about how this could have occurred:

1 Like

The question is how is that to be proven, given how the system is configured?

I did. Apple’s description of the process followed does not mention 2FA. Assume that it does. Critically a 2FA is only valid for a very short period of time. It may have transpired in a way as you describe. It is not necessarily the only way it could occur.

Does your assumed method require the fraud to add another device to the same Apple ID? If it does it should be evident to @Hardyplank by logging into their Apple account. The window of time is narrow. That there is no transaction history reported to @Hardyplank Apple Pay ID suggests the card details may have been connected to a different ID, and just not an added device.

I’m suggested an alternative that assumes Apple will accept a credit card already associated with one ID being registered with a different ID. Note Apple don’t keep any of your personal details or CC details when a new Apple Pay ID is created. Hence how could Apple ever associate a new request with a previously connected CC Card. Conversely the CC provider relies on the details Apple Pay provides on account setup. Whether this is for the original device or a new device, how does the CC Provider know who is the device owner? It can only rely on the CC holder details provided. The assumption is Apple are responsible for knowing the ID of the device owner. My experience is this can be unreliable.

For @Hardyplank there may be a piece of missed email or SMS from shortly before the unexpected transactions commenced that offers a clue. If not it seems unlikely the unauthorised transactions have occurred through @Hardyplank Apple Pay ID. It’s an alternate ID to which the system has added the improperly obtained CC details. Neither Apple nor the CC provider have adequately verified the new ID or users authority to attach the improperly obtained CC details.

It’s just a thought, that may explain why @Hardyplank has hit a barrier with getting the fraud recognised.

1 Like

Well the bank has made a final good will offer of $1000 credit which I declined as unsatisfactory.
The matter is now to proceed to a AFCA case manager. I’m trying to be optimistic, but from reviews I’ve read I not holding my breath.

1 Like

Here my thought, anything to do with Banks, Credit Companies, Apple Pay, PayPal, etc should all be done on a desktop in the privacy of your home, not a mobile phone out in the open, you are asking for a world of hurt and people think mobiles are secure, they’re not as secure one would think and neither is Wi-Fi, as some techie make out.
Both the iPhone and android are hackable by pros, and the hackers are one step ahead or behind both Google and Apple. Nothing but nothing personal should be on your mobiles, stop banking on your mobiles, period. If you have a visa card etc with “RFID Chip” then secure your visa/master card in a wallet or purse with RFID blockers as the mobile RFID readers are abounded skimming user credit data from these chips. These devices are very small and powerful. Stay safe.