Apple Pay Fraud?

Has anyone ever experienced fraudulent payments against their Monzo Apple Pay (that were declined) that don’t show up in their Monzo app?

There are several like the one in the screenshot below which don’t show up in the Monzo app, and when I eventually got them to answer my support request and phone calls they couldn’t see anything wrong on their end.

Monzo have been completely and utterly useless in dealing with this and I’ve been left without access to money all Christmas, thankfully I’ve been able to use my partner’s bank card, but just really shocked that someone can be trying to use my Apple Pay in London while I am in Coventry or asleep, how does that even happen?

IMG_0900

1 Like

I’m fairly sure you’d have received a text saying someone’s added your card to Apple Pay. They’d also need access to your phone to complete the verification.

Based on this I can’t figure out how this would actually occur?

Maybe the best thing to do would be to request a new card in the app.

On top of that, specific account queries can’t be dealt with here so you’re best continuing the chat with support.

1 Like

I’m not sure if this is fraud or just a bug with the Apple Pay history given that the transaction doesn’t show up on Monzo at all.

I am going to try banging my head on Apple’s door tomorrow instead of Monzo’s and I don’t want to lose any log data by recreating the card, so I’ll wait.

I don’t really know exactly how it works but I understand that the Apple Pay card has a different PAN to my physical card, I can only guess that somehow someone has cloned the Apple Pay card details out of the air while I was using it or waiting to use it at a ticket barrier or card reader somewhere?

The other possibility is the phone is compromised somehow which is an unlikely and terrifying thought.

I have turned here because Monzo are being completely useless on the phone and in the chat, I am not looking for account specific information.

1 Like

@anon23935806 I would have accepted that except there are multiple transactions, and these are from real organisations and I got push notifications so at one end of the scale it’s card fraud, at the other end of the scale Apple or Monzo are sending the wrong push notifications to customers, either way, I suspect others will have experienced this before.

Could be that someone somehow ended up with your (old?) Apple Pay card number and is trying to use it and gets declined for no reason and you’re the one receiving the notifications (not sure how these work but at least part of them are handled by Apple)?

I’ll admit, despite using Apple Pay (very) occasionally, I’m not hugely big on understanding the intricacies of how it and Monzo connect together.

That said, if they are showing in Apple Pay transaction list but not in the Monzo app then it makes me wonder if they’re not making it as far as Monzo, hence why they know nothing about it and are “utterly useless” as you put it. Perhaps something about it is being blocked by Apple Pay before it can get that far?

1 Like

Yeah that is my thinking. The uselessness of Monzo has been around replacing my card and assuring me my account is safe.

They said they would prioritise a replacement but then this evening found out the member of staff responsible for replacing cards has been on holiday since last week and so all these promises they gave me about getting a replacement card were based on someone being in who wasn’t even at work. Which then leads me to realise they only have one person who issues cards, and then I realise Monzo got big and the great experiences of the past are long gone.

But focusing on the issue at hand, yeah just seems super weird, I tried researching others with similar experiences perhaps from other banks but could only see that there are a few poorly detailed security issues with Apple Pay in relation to certain poorly secured sites, but they’re dependent on accessing someone’s Apple Pay details via Wi-Fi somehow, all seems very theoretical, but not found many write ups of security issues with Apple Pay like this before.

I guess I’ll call it a night until I speak to Apple tomorrow.

It’s not possible to clone your Apple Pay card details whilst you are getting ready to use it - only a 1 use token is transmitted via NFC to the reader, not your actual card details e.g. card number etc.

3 Likes

I’m not sure how Apple Pay notifications work (as in the notifications in the Wallet app, not the ones sent by Monzo to their own app).

My understanding is that they’re handled by Apple and presumably routed based on the virtual card number, and my theory is that Apple believes someone’s Apple Pay card is somehow yours and so sends them their notifications, despite the card obviously not being yours and why the Monzo app itself doesn’t show anything.

Unfortunately all of this is behind NDA (security by obscurity and all, and why compete fairly by offering a good product when you can rely on obscurity to waste potential competitors’ time) but maybe @Rika can explain what’s going on.

In any case, no point in replacing your card as long as the Monzo app itself doesn’t log these transactions, so just use your next card as normal and disable notifications for the Wallet app until this is resolved.

I thought it would have flagged if a transaction was attempted with your Apple/Google Pay virtual card if it was manually entered into a site or a cloned NFC transaction was attempted when your device wasn’t unlocked/screen on.

But someone having your Apple Pay PAN makes the most sense to me, and that’s why Monzo wouldn’t have the foggiest what’s happened.

If it was just a bug and it was someone else’s card then it’s unlikely all of their transactions are getting declined imo

Maybe the decline thing is generated client-side because the phone itself obviously didn’t do the transaction and is like “WTF”, and default to a decline for the lack of a better option?

The security vulnerability described exactly this issue that a token could be used multiple times if a website wasn’t secured properly. Maybe this was it. Still seems unlikely.

This is a weird situation for sure. Will let you folks know.

1 Like

I’ve seen this kind of thing once before and I believe the issue to be a bug external to us.

As I’m not going to be around at work for another week or so, could you ask support to escalate the issue to the Payments team at my request with a link to this community thread? I’ll fill somebody who is in the office in on what I think it might be. 🙂

22 Likes

If the transactions aren’t getting as far as Monzo then there isn’t a lot they can do. I’d disable Apple Pay completely if you think it has been compromised until you can get Apple to change the number (which is different to the Monzo one).

Huh. I’d love to know what’s causing this when you find out. 🤔

1 Like

As far as I know when you re-add a card to Apple Pay it generates a new device card number.

This is done from memory, when I did some research into how mobile payments work:

Apple Pay is done via tokenisation, and every time you use Apple Pay a new token is generated which is associated with the secondary PAN number (The Number you see in Apple Pay). (also known as a DAN)

In order to enable tokenisation a Secure Element is needed to be built into the device, very much similar to a TPM chip found in laptops and desktops. There is NO WAY to derive a card number from the token, as separate they are useless; you cannot clone Apple Pay or Google Pay access.

In order to add a card to Apple Pay using the Physical Card, then the card network issues a token otherwise known as a DAN (Device Account Number) and a token key, the information is sent back to Apple and then it is saved in the Secure Element.

Apple press release states: “Each transaction is authorized with a one-time unique number using your Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction.”

Now that some banks allow you to add a card to your device before the physical card, it could be that someone has your credentials, possibly to your email service, which would then allow them to find out your bank (if you have kept sign-up emails), which allows them to receive the magic link, and log in to your Monzo account, and thus add the card to Apple Pay.

7 Likes
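
The per-transaction authorisation described in the post above, as an added example that is not part of the original thread. It is a simplified model: HMAC-SHA256 stands in for the card network's real cryptogram algorithm, and the class names, the DAN value and the message layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, dan, counter, amount, merchant):
    # Assumption: HMAC-SHA256 stands in for the network's real algorithm.
    msg = f"{dan}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Device:
    """Hypothetical stand-in for the Secure Element: holds DAN and token key."""
    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0

    def pay(self, amount, merchant):
        self._counter += 1  # every payment uses a fresh counter value
        tx = {"dan": self.dan, "counter": self._counter,
              "amount": amount, "merchant": merchant}
        tx["cryptogram"] = cryptogram(self._key, **tx)
        return tx

class TokenService:
    """Hypothetical issuer/network side that provisions and verifies tokens."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def provision(self, dan):
        self._keys[dan], self._last[dan] = secrets.token_bytes(32), 0
        return self._keys[dan]

    def authorise(self, tx):
        key = self._keys.get(tx["dan"])
        if key is None:
            return "DECLINE: unknown DAN"
        fields = {k: tx[k] for k in ("dan", "counter", "amount", "merchant")}
        if not hmac.compare_digest(cryptogram(key, **fields), tx["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if tx["counter"] <= self._last[tx["dan"]]:
            return "DECLINE: replayed counter"
        self._last[tx["dan"]] = tx["counter"]
        return "APPROVE"

def demo():
    service = TokenService()
    dan = "4000000000001234"  # constructed sample value, not a real number
    device = Device(dan, service.provision(dan))
    tx = device.pay(250, "TICKET-BARRIER")
    return [
        service.authorise(tx),                                    # genuine
        service.authorise(dict(tx)),                              # exact replay
        service.authorise({**tx, "counter": 2, "amount": 9900}),  # no key
    ]

if __name__ == "__main__":
    print(demo())
```

In this model a message captured at the reader is declined when presented again, and a request built from the DAN alone is declined because the token key never leaves the device.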

The issue with the latter part of this is that the password for my email provider is very long and has 2FA enabled and there are no “unusual sessions” in the list and I am fairly sure magic links only work once and replace each other when issued.

1 Like