Fraudulent Charges to Apple.com/bill

Perhaps someone can explain how the following is possible; either way, let this be a warning.

I noticed a group of unexpected charges on my wife’s AmEx card for “Money added to Apple Account” in $10 and $20 amounts. The receipts listed an unrecognized Apple ID.

Here’s where it gets really weird: The AmEx number being charged had been cancelled due to fraudulent activity at least a year previously, but the charges were appearing under her current number. The first batch were ostensibly via PayPal even though that card number was not associated with PayPal. And another set of charges came through after I had removed any AmEx cards from both PayPal and her Apple ID.

Apple says it will reimburse 18 of these charges but not all. Some are too old and must have slipped by me. They will ban the old, cancelled number but the agent couldn’t explain how Apple was placing charges on a long-cancelled card.

Any thoughts?

Something similar happened to me a few months ago with my Citibank Visa. Several weeks after I had Citibank cancel a card and issue a new number because of fraudulent charges, a charge appeared that looked like it was from Apple. When I called Apple, the rep verified it was an actual charge, and he confirmed it wasn’t from any Apple ID of mine.

When I called Citibank, the rep explained that some criminals will set up Apple IDs using stolen credit card info and save it for later. They’re taking advantage of the fact that when Citibank cancels an account number, the info with merchants for which you have recurring charges set up is automatically updated with the new account information. This is so you don’t have to go through the trouble of updating your credit card info manually. It sounds like Amex may have done the same thing with your account.

7 Likes

Welcome, Daniel. I may be missing something, but the way you describe the problem, it sounds like an AmEx problem, not (or at least, not so much) an Apple problem. AmEx is the vendor who permitted the charges to a cancelled account. Have you taken this up with them?

2 Likes

Conrad Hirano hit the key point, I suspect.

There is an unfortunate loophole in this. If someone “cancels” a card number and is issued a new one, who gets auto-notified of the changes and what are the criteria?

While not exactly the same thing, one client of mine permanently terminated their Amazon account with an agent because someone kept getting access to it, purchasing and shipping items despite multiple password, email and info changes made by agents while the account was “locked” to outside access.

Conrad is almost certainly exactly correct. This is a loophole being exploited by criminals across the board, not just with Apple.

1 Like

Are you saying Citi auto-updates to the new number and continues accepting the old number? That sounds like malpractice, not a loophole.

The AmEx rep said she was banning the old number and nothing I’ve seen tells me the crook is using the current number. I’ll update this if there are further hijinks.

Thanks to all for your thoughts.

From my understanding, it’s not the actual account number. When you set up a recurring charge, the bank provides the merchant with a token which is used for authorizing future transactions. When the bank issues you a new account number, it can choose to invalidate those tokens or not. Citibank by default doesn’t because these days many customers pay many bills using their credit card, and it would be a hassle to have to update their info with every merchant.

Not knowing how this all worked, I was quite alarmed when the fraudulent charge from Apple appeared only about a month after getting a new account number. I asked the Citibank rep how the miscreants could have already gotten my new number since I had maybe used it just once or twice. That’s when he explained about the tokens. He issued me yet another number, but this time, he had any existing tokens invalidated. I haven’t seen any fraudulent charges since.

5 Likes
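As an added illustration of the card-on-file token behaviour described in the two posts above (a constructed model written for this thread, not code from Citibank, Apple or any real issuer), the script below gives merchants an opaque token instead of the card number and then reissues the card two ways: carrying the tokens over, as the posts say Citibank does by default, or revoking them, as the second replacement did. The card numbers, merchant names and token format are all made up.

```python
"""Toy model of an issuer's card-on-file ("account updater") tokens.

Constructed example for illustration only; it models the behaviour
described in the thread, not any real issuer's system. A merchant
never stores the card number: it holds an opaque token that the issuer
maps back to the account. When the card is reissued, the issuer can
either keep those tokens valid (convenient, but a token created with a
stolen number keeps working) or revoke them all (every merchant has to
ask the customer for the new card).
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    card_number: str                              # current card number (constructed)
    tokens: dict = field(default_factory=dict)    # token -> merchant name


class TokenIssuer:
    def __init__(self):
        self._by_number = {}   # card number -> Account
        self._by_token = {}    # token -> Account

    def open_account(self, card_number):
        acct = Account(card_number)
        self._by_number[card_number] = acct
        return acct

    def tokenize(self, card_number, merchant):
        """Merchant saves the card: issuer returns an opaque token, not the number."""
        acct = self._by_number.get(card_number)
        if acct is None:
            raise ValueError("unknown card number")
        token = secrets.token_hex(8)
        acct.tokens[token] = merchant
        self._by_token[token] = acct
        return token

    def charge_by_number(self, card_number):
        """A merchant presenting the raw card number: dead once reissued."""
        return card_number in self._by_number

    def charge_by_token(self, token):
        """A recurring charge presented with a stored token only."""
        return token in self._by_token   # simplified: no limit or balance checks

    def reissue(self, old_number, new_number, invalidate_tokens):
        """Replace the card number; optionally revoke every stored token."""
        acct = self._by_number.pop(old_number)
        acct.card_number = new_number
        self._by_number[new_number] = acct
        if invalidate_tokens:
            for token in list(acct.tokens):
                del self._by_token[token]
            acct.tokens.clear()
        return acct


def demo(invalidate_tokens):
    """Run the reissue scenario and report which charges still go through."""
    issuer = TokenIssuer()
    old, new = "4111-0000-0000-0001", "4111-0000-0000-0002"   # constructed numbers
    issuer.open_account(old)
    legit = issuer.tokenize(old, "Utility Co")        # customer's own recurring bill
    stolen = issuer.tokenize(old, "Some App Store")   # saved by whoever had the stolen number
    issuer.reissue(old, new, invalidate_tokens)
    return {
        "old_number_direct": issuer.charge_by_number(old),
        "legit_recurring": issuer.charge_by_token(legit),
        "fraud_recurring": issuer.charge_by_token(stolen),
    }


if __name__ == "__main__":
    print("tokens carried over:", demo(invalidate_tokens=False))
    print("tokens revoked:     ", demo(invalidate_tokens=True))
```

The issuer has no way to tell the legitimate token from the one a fraudster stored, so the two fates are tied together: carrying tokens over keeps both charges working, revoking them stops both. The raw old number is rejected in either case, which is why a charge on a "cancelled" card can still succeed without the new number ever leaving the bank.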

Yup. I did misunderstand. Actually, I was unaware of the “token” system Conrad (@chirano) subsequently described. I guess the bank for my Visa account (Chase) doesn’t use that system, since I need a new number every 18 months (it seems), and I’ve never had my recurring charges updated automatically. I keep a list of them all, and go through the process of updating them all by hand. Chase also maintains a list of vendors who have notified them they have saved my number for a recurring charge, but apparently that’s voluntary (on the part of the vendor), as my list has more entries on it than theirs. After reading this thread, I’m actually glad it doesn’t auto-update!

My experience with Visa/Chase was the same as @fischej. I had to update my accounts manually…including Apple.

What I don’t get is why in the world any tokens would not be invalidated when you cancel your CC due to fraud and get a new CC number. I get that when your card runs out and you get a new card, you’d want recurring payments to continue as if nothing happened and that’s neat. But why in the world would you want the same behavior when you’ve become a victim of fraud? If anything, chances are the fraudster will benefit from it. I’m glad to be hearing about this. When I next have to cancel a card, I’ll be sure to get them to commit to invalidating all tokens associated with the old card. I’d rather have to update payment info on 3 websites vs. having to deal with fraud over and over again. On principle alone.

4 Likes

That was my reaction too. I guess it’s a numbers game. If the problem is rare, then Citibank might consider it an acceptable risk to not invalidate the tokens to save its customers the trouble of having to update their info all over the place.

This seems like a perfect place for the credit card company to offer us a choice: Opt-in to auto-update or do it by hand as your vendors notify you that payments didn’t go through. I know which way I’d go.

1 Like

This makes me wonder how Apple Pay works. My understanding is when you use it the merchant gets a token and never sees the card number. So I have wondered if Apple Pay is less susceptible to misuse. Does it protect the card number? Just the Apple Card or any card? I wish there were a way we could get a single-use token number for a credit card when we buy stuff online. Give the merchant the token id and not the card number. Make use of the card number itself highly suspect and harder to do.

The latest iOS gives you the option of having your security code (the one you use when you use Apple Card as a card) update regularly in an automated fashion (“Advanced Fraud Protection”). That’s not as good as tokenizing every transaction obviously, but it does prevent scammers from using credentials that get leaked from bad merchant sites.

That’s exactly how Apple Pay works. It’s a one-time code that only works for that particular vendor and transaction. The vendor never gets your real card number.

Though I’m not sure how it works for subscriptions, which is what we’re talking about here.

Apple Pay generates (via your bank) a virtual card number. The merchant you buy from sees that number instead of your real card number.

There is supposed to be some kind of encryption-based security that prevents this number from being used by any device other than the one (phone or watch) that generated it, but I don’t think Apple has published anything about what that security actually is.

I assume it’s some variation on the EMV security protocols used by chip-cards and contactless cards. There is a card number different from the one printed on the card that is cryptographically secured using one-time pads (OTPs), similar to the “TOTP” codes used for 2FA authentication - they are only valid for the one transaction, making replay attacks impossible.

There is still the concept of a token that the bank sends the merchant, however. This is why they can process a refund or a recurring subscription charge without requiring you to present your card (or phone) each time.

2 Likes
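To make the "only valid for the one transaction" idea in the post above concrete, here is an added, constructed model (not Apple's or EMV's actual scheme, and not code from this thread): the device holds a secret shared with the issuer and a transaction counter, each payment carries an HMAC over the device card number, counter, amount and merchant, and the issuer accepts a cryptogram only if it verifies and its counter is newer than the last one it saw. The device number, key and merchant names are made up. This models the per-transaction code only, not the separate merchant token the post mentions for refunds and subscriptions.

```python
"""Toy model of a device-bound, one-transaction payment cryptogram.

Constructed illustration only. It shows why a captured payment message
cannot be replayed or altered: the cryptogram is an HMAC keyed with a
secret only the device and the issuer hold, and it covers a counter
(the "ATC") that the issuer requires to increase on every transaction.
"""
import hashlib
import hmac


def _message(pan, atc, amount_cents, merchant):
    """Canonical byte string the cryptogram is computed over."""
    return f"{pan}|{atc}|{amount_cents}|{merchant}".encode()


class PaymentDevice:
    def __init__(self, device_pan, key):
        self.device_pan = device_pan   # device-specific number, not the real card
        self._key = key                # shared with the issuer at provisioning
        self._atc = 0                  # application transaction counter

    def pay(self, merchant, amount_cents):
        """Build one payment message with a fresh counter and cryptogram."""
        self._atc += 1
        msg = _message(self.device_pan, self._atc, amount_cents, merchant)
        return {
            "pan": self.device_pan,
            "atc": self._atc,
            "amount": amount_cents,
            "merchant": merchant,
            "cryptogram": hmac.new(self._key, msg, hashlib.sha256).hexdigest(),
        }


class CardIssuer:
    def __init__(self):
        self._keys = {}       # device PAN -> shared key
        self._last_atc = {}   # device PAN -> highest counter accepted so far

    def enroll(self, device_pan, key):
        self._keys[device_pan] = key
        self._last_atc[device_pan] = 0

    def authorize(self, txn):
        """Accept only a valid cryptogram with a counter newer than any seen."""
        key = self._keys.get(txn["pan"])
        if key is None:
            return False
        msg = _message(txn["pan"], txn["atc"], txn["amount"], txn["merchant"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False                       # altered fields or wrong key
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return False                       # replay of an old message
        self._last_atc[txn["pan"]] = txn["atc"]
        return True


def demo():
    """Original payment, a replay, a tampered copy, then the next real payment."""
    key = b"constructed-device-key"                      # constructed secret
    issuer, device = CardIssuer(), PaymentDevice("4111-9999-0000-0001", key)
    issuer.enroll(device.device_pan, key)
    txn = device.pay("Coffee Shop", 450)
    result = {"first": issuer.authorize(txn)}
    result["replay"] = issuer.authorize(txn)             # same message again
    result["tampered"] = issuer.authorize(dict(txn, amount=45000))
    result["next"] = issuer.authorize(device.pay("Coffee Shop", 450))
    return result


if __name__ == "__main__":
    print(demo())
```

A merchant that stores this message gains nothing from it: the counter has already been consumed, and changing any field breaks the HMAC. That is the property the post describes, and it is also why a subscription cannot be charged from the cryptogram alone and needs a separate, longer-lived token from the bank.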

Thanks for explaining that. Now, if only I could get that one-time-use code myself, so I never have to give out my card number to a merchant again. About once a year I have to replace my credit card because someone uses it at Amazon or Verizon or Best Buy.

It’s not a single-use credit card number, but a one-time encryption key generated at the time of the transaction.

If you want a single-use card number, contact your banks. Many banks offer this. You generate the number via the bank’s web site, along with criteria for it (e.g. credit limit, number of allowed uses, etc.) If yours doesn’t, you may want to ask them for the feature.

1 Like

Agreed! We have had problems with companies getting auto-update that we never asked for.

I ran into this myself as I got more involved with managing my parents’ finances as my father’s Alzheimer’s progressed. Although he had a long career in technology, he could no longer gauge the validity of a website he was ordering from.

It took me some time to realize that replacing cards wasn’t helping the situation, especially when fraud showed up on a replacement card before we had even received it. I ended up canceling some of the cards and replacing them with new credit card accounts.

And I ended up getting him a Citibank Double Cash Rewards card. It offers 2% cash back, plus the ability to generate virtual card numbers on the website. I kept the actual card and website credentials, then gave him a virtual card number to use online. If/when a virtual number is compromised, I can just disable it on the Citibank website and switch him over to a new one.