我也遇到过类似的,而且毫无理由,我甚至都没用用过。没用过实体卡,没网上刷过,只有几次苹果门店线下apple pay过
结合最近chase ihg被疯狂盗刷来看,新卡还没到手就已经被盗刷,估计盗刷者已经开发出逆天科技了
信用社会支付系统的核心key就是卡号
外围信息只是喂给风控系统判断用的,可能找到什么法子绕过了风控系统
我之前一直以为 Apple Pay 是不怕任何卡号泄漏的。这个盗刷也不是用的 Virtual Number
常看 Statement 还是很重要的
我觉得你对。
Apple Pay产生的Token(卡号)是不会变的!除非删卡!
设备卡号+有效期可能足以满足风控要求。
GPT (o4-mini-high deep research) 是这么说的
Even if an attacker somehow got hold of your 16-digit Device Account Number (DAN), that alone isn’t enough to push through a “fake” Apple Pay charge. Here’s why:
- Every Apple Pay transaction requires a one-time cryptogram
- Alongside the DAN, your Secure Element generates a unique, transaction-specific cryptogram (an encrypted MAC) that ties together the DAN, the merchant’s terminal ID, the transaction amount, and a cryptographic counter.
- The bank or network will reject any authorization request that isn’t accompanied by a valid cryptogram. A replayed cryptogram from a prior transaction will also fail, because the counter and merchant data have changed.
- No static CVV or expiration for the DAN
- Unlike a traditional card number, there isn’t a fixed CVV2 or expiration date attached to the DAN that an attacker could present in a CNP (card-not-present) scenario.
- If someone tried to treat the DAN like a regular PAN—for example, by typing it into an online checkout—they’d also need a matching CVV and expiry, which simply don’t exist for a token.
- Banks verify the dynamic code
- On receipt of an authorization request, Goldman Sachs (as issuer) or the network checks the cryptogram against what the Secure Element on your phone would have produced. If it doesn’t match, the transaction is declined—even though the DAN looks “legitimate.”
- In practice you’d need the Secure Element’s keys
- To generate valid cryptograms yourself, you’d have to extract the secret keys from the Secure Element and replicate its EMV-level hardware. That has never been done outside of a lab—and certainly isn’t possible over the internet.
Bottom line:
- DAN + cryptogram → valid Apple Pay transaction
- DAN alone → useless—the bank will spot the missing or invalid cryptogram and refuse the charge.
So no, even in theory you can’t charge against your DAN and fool the issuer into thinking it’s a genuine Apple Pay tap unless you also control the Secure Element’s secret keys (i.e. unless you completely break Apple Pay’s tokenized EMV system).
问:But Goldman Sachs, in theory, might approve this auth request, if their design is flawed, correct?
Yes—in theory, if Goldman Sachs’ authorization systems were bugged or misconfigured so that they only looked at the DAN and ignored the dynamic cryptogram check, then a fake auth request carrying a stolen DAN could be approved. Any payment-network design is only as strong as its weakest implementation.
However, by specification and in practice:
- Cryptogram verification is mandatory. Every Apple Pay tap must include a one-time cryptogram that your Secure Element signs. Issuers (like GS) and the card networks always validate that cryptogram before approving a charge.
- Regulatory and network rules require it. Both Visa/Mastercard and PCI-compliance rules disallow processing a token-based transaction without checking its cryptogram.
- No known issuer skips this step. There are no credible reports of Apple Pay issuers accidentally approving tokend-only requests.
So while a flawed or maliciously altered issuer system could hypothetically skip the cryptogram check and approve a DAN-only request, Goldman Sachs’ live Apple Card service does enforce cryptogram validation, which is why DAN-only replay attacks have never succeeded in the wild.
不排除是高盛那边有问题。如果这一波 Apple Pay 只存在 Apple Card 上但不在其他银行上,那就是高盛/Apple 的问题了
1 个赞
主要是换了卡号后续 recurring payment 也是有可能成功的店中店踢皮球 apple card不应该是很安全的吗怎么会被盗刷
根据我目前的研究,Apple Pay 很安全,Apple Card 不好说,因为我已经是受害者
如果距离很远,lz立刻下楼用apple pay刷个麦当劳,应该能证明设备在你自己手里而不在加州
那张卡已经被删了,现在的是重新添加的 Apple Card
显示卡号是5xxx不代表消费就是5xxx,其他设备应该也是当前的设备号。你有申请实体卡没,会不会是磁条被复制了
不是的,其他设备上看这个有问题的 transaction 记录也是 5XXX,并且用其他 iPhone 刷的 transaction 记录里也正确显示其他设备的 Apple Pay 尾号
实体卡,每个设备上的 Apple Pay,Virtual Card 都有不同的尾号,transaction 记录里也都能正确显示不同方式的不同尾号
看了一下这个人的也是最近盗刷的,估计也是 Pending,还没 Post。不排除是
可能是别人的交易错误的显示在了我的手机里。调研了半天,假定 Apple Pay 确实如白皮书所说的安全的话,感觉卡 Bug 这个反而是最有可能的。没准过一段时间数据库自动对账,然后这笔交易就消失了
卡bug太离谱了吧,我感觉概率更低了。而且那个南非币不像是正常会出现的交易啊
在加州用南非币交易才是更不可能的事情了吧 
听起来像bug
不是的,我又发了一个案例,你往上翻翻,那个应该是南非本地刷的
1 个赞
也不排除盗刷发生在虚拟卡号上,但被错误归类为 Apple Pay 了
至少应该不是可以用在我手机上的 0 day。这种能破解 Apple Pay 的 0day 一般是价值千万的核弹级武器,且是一次性使用。不会对我普通人下手
2 个赞
嗯,我猜也是这样。现在看来被盗刷的不少,所以应该不需要太担心钱回不来
我觉得就是 mastercard 的问题。最近大量中招 chase ihg, freedom flex,和我个人屡次中招的 HSBC premier debit,and 这个 apple card 无一例外都是 mc。
1 个赞