Daughter's Debit Card Was Used Fraudulently Last Night $3,000, She Only Ever Used Apple Pay?

Last night my daughter received a txt from Commbank that her account was overdrawn. When she checked there were 8 transactions which started with $1 in a Woolworths in Sydney then others up to $699, all totalling $3000.

It took 2hrs 10min to get on to the bank after 4 disconnects and messages try again later, at 10pm (SA time) we finally spoke to the bank. The transactions were still pending and had to go through before they could be disputed, I advised this is fraud and nothing to dispute; nevertheless the bank has 10 days to respond.

My daughter rang all the places in the morning and managed to cancel some transactions, one was a mower place in QLD. One local SA store provided us with the click and collect invoice, the name and address might be fake but the mobile number is correct as they notified him the order was ready to pick up. One store turned him away as he looked dodgy and couldn't provide ID.

My daughter never used her physical card and doesn't carry it around, it was linked to her apple pay wallet app so how does one get the card number, expiry date and CCV to make purchases online?

EDIT: The store that thought he was dodgy, took down his car rego

EDIT: 19 Aug 2021

The police ran the rego and said it’s registered to a known criminal who lives out north, so they’ll go to Autopro and review the footage of him collecting the order using the card for payment!


  • +10

    Any chance she's used it online just with inputting the card details? Not every platform allows for Apple Pay online

    Any instances where she's had to fill in a form for debits off the card? - gym memberships etc

  • +7
    • +1

      Could be!

      The call centre said they had an 800% increase in calls last night!

      • +2

        The police ran the rego and said it’s registered to a known criminal who lives out north, so they’ll go to Autopro and review the footage of him collecting the order using the card for payment!

        Wow, next time I want to commit a crime, I will remember to check ozbargain

    • +2

      Maybe OP's daughter was caught by the same, where you get an SMS with a missed message, and where you have to download an app. That's for Android, but maybe you can have Apple Pay on Android too.

  • I had about $2500 put on my St George CC on Sunday night. I called all the retailers at 9am and got all the orders cancelled. Most retailers are refunding me directly, but not JB Hi-Fi, screw them. They have cancelled the order but won't refund the payment method, WTF? I have to do a charge-back which will take ages.

    My computer has very good security, I know how to be secure on the web, I don't buy crap from random stores. Most likely a random attack, but my card is also in the food delivery and fast food apps, so if anything I would be led to believe one of them has been compromised.

    • +13

      Why wouldn't you just advise your bank and let them handle it?

      • +19

        Because then the douchebag might still get the goods they ordered with the stolen card details.

        • I understand that, if that is the sole intention.
          But surely AdosHouse wants their money back? And the quickest way to do that is to work with their bank. Unless they do that, the thief can continue to use the card.

        • +11

          After having a similar situation over a year ago having supplied name, mobile, post office box of the thief to the police / bank I still await their follow up. I don't think the Police care about this "victimless crime" and, at least locally, they are too busy checking that kids are not using the local playground or you are out driving a car on an essential errand at 04:59 in the morning.

          • +1

            @Ade99: Surely it is about resources and priorities.
            I've had both good and less-than-ideal responses from police in similar cases over the years, but either way it had no impact on me. Primarily because it was a matter for the credit card company/bank to pursue.

      • +12

        We have and the bank can take 10days to resolve, getting the transactions cancelled is quicker and they miss out on their goods.

        • +1

          Does cancelling the transactions not lead to other potential issues:
          - Is there a legal implication in that if the transaction is cancelled then the crime has not been successful?
          - How does the business know that the person calling is authorised to cancel the order? Maybe it is just a 'change of mind'?

          • +16

            @GG57: The fraud has been committed the second they use CC details without permission.

            The business doesn't, but most businesses would rather cancel an order than lose the goods and have a charge-back initiated against them. As long as they refund the money to the method it was paid with they have broken no law. Except JB, those a-holes will cancel the money AND keep your money until ordered to return it.

          • +7

            @GG57: One business was very appreciative as they would have been out of $600, apparently their weekly takings. I assume the bank just reverses the transaction and the business is out of pocket?

            • -7

              @brutus: I understand that, but I also believe that the merchant can claim from the bank, on the basis that they followed all required processes.
              It would take some time, and that is not ideal at this time.

              • +4

                @GG57: No, the merchants generally have no recourse against credit card chargebacks. They will have to pay a handling fee too. It is a good idea to cancel while you can, especially with small merchants, rather than just getting a chargeback from the bank.

                • @truetypezk: Yup it's a chargeback fee of $30. I know as I've been there before as a business owner. It's stressful and how can somebody do this to small guys…

              • @GG57: No the merchant just gets charged back from the bank and that's the end. Business is out of pocket.

          • +3


            • Is there a legal implication in that if the transaction is cancelled then the crime has not been successful?


            In the same way that failing to murder someone is still illegal.

            • +3

              @DisabledUser370150: The difference between penalties for murder vs attempted murder surely indicates that there is an implication.

              • @GG57: Our system is ridiculous. I don't think any sane person agrees with it. Under that system if you steal something, and on the way home before you can even get that big screen plugged in you lose the item, you still stole it.

      • +8

        Absolute first thing I did. St George are apparently pretty stupid, they advised me to deal with the retailers directly first instead of doing their job. But they were right in saying that I will get my money back quicker if I get the retailer to refund me rather than doing an investigation and charge-back. They did cancel the card immediately though. I did call them back that afternoon and they are doing an investigation and charge-back for the JB Hi-Fi order.

        But also, as John Kimble posted, I did want to make sure the a-holes got nothing, and I was going to make sure I called every retailer anyway. A-holes are getting nothing from my card.

        • +1

          In reality, those a-holes will benefit from your bank's money or the retailer's money, not yours, if they get away with it.

          • +14

            @GG57: In the end we pay for it with increased fees/prices.

  • +2

    In her CommBank app or statement, Apple Pay transactions will have 'Tap and Pay XXXX' (the 4 digits being the Device Account Number, which will be unique on every device the card was added to - eg her iPhone will have a different number to an Apple Watch, etc)

    If the transactions don't have this 'Tap and Pay' - then it wasn't obtained via Apple Pay, and even then, CommBank should know when a purchase is made via those Apple Pay details so even if the details were captured that way, they can't be used by manually typing into other websites, etc.

    • When we checked the transactions didn’t show up on Apple Pay only online.

      • Ahh looks like it's only for cleared transactions, but the card number shows in NetBank or the app, like this; https://imgur.com/a/UxLCjxV

        Top two transactions were made online with my card number, then my watch, then my phone for the remaining three

        • +1

          3 different Coles in 2 days - what NSW lockdown right?

          • +4

            @Bonbi: Liverpool and Revesby definitely aren't within 5km too.

            • @kerfuffle: But the card numbers for the Liverpool and Revesby transactions do not match, which indicates it was used by a different iPhone (and probably being used by a different person).

              It could be that one card is being used by a supplementary cardholder (or it’s the same card being used by a second person)?

              • +2

                @WookieMonster: Different devices have different card numbers - an iPhone will have a different card number, to another iPhone with the same card, to an Apple Watch with the same card, to a card in Google Pay with the same card, to a card in Samsung Pay with the same card, etc.

                If you know your iPhone is xx1234, and you see a transaction with xx5678, then you know it wasn't made with that iPhone, or details taken from that iPhone.

                But if you see xx5678, you know it wasn't card details entered directly into a website - it was made with a digital wallet like Apple Pay

                Unfortunately CommBank doesn't break down which devices have which DAN (Device Account Number), so you can't tell what device is which without checking yourself.
                My earlier linked Apple KB article will say how to check what the last 4 digits are on your iPhone though - https://support.apple.com/en-au/HT201469
                (and if you delete a card from Apple Pay and add it again, it'll have a whole brand new card number)

            • +1

              @kerfuffle: But both are within 5km of Milperra.

              Unsure how big the LGA is though

            • @kerfuffle: Maybe they've been chasing Toobs.

  • +6

    I don't use Comm Bank, but the (major) bank I use has previously contacted me when suspicious transactions are noticed. The $1 transaction should have been a red flag, with a 'monitor' increased on the card following that.
    In my cases, my bank has immediately reversed the amounts / transactions, replaced the card, transferred my account to a new account number, all before I requested it. I was never fully informed of the values / transactions.

    Based on the info you provided and the things you needed to undertake, I'd be changing banks.

    • +8

      In my experience CBA have great fraud protection. They have saved me before.

      St George on the other hand just send you an SMS with a message about potential fraud and if you don't reply within a short while they allow it to go through. Because I am always awake at midnight, idiots.

      • +1

        Had the opposite with CBA. Was in Vegas 8 years ago and paid for my hotel the day I left. Got into Australia the next day and paid for my parking in Sydney. Got home and started getting texts from the CBA to contact them urgently. Rang them up and they said suspicious activity had been noticed on my credit card. Apparently any spending in Vegas is an instant red flag. Told them it was fine and I'd just got back from holiday. All good.

        Couple of weeks later no warning they approved 2 purchases in Moscow without asking me. Wtf? They had charged like $50 or $60 in a phone store. Probably a test run before something bigger. Had to go through the fraud process which luckily wasn't too painful.

        My credit card details had been stolen months earlier when I had booked an activity on Expedia for my Vegas trip. Expedia didn't bother telling their customers for weeks they had been hacked.

        • My daughter never used her physical card and doesn't carry it around, it was linked to her apple pay wallet app so how does one get the card number, expiry date and CCV to make purchases online?

          Maybe they work at the bank, or visa or mastercard, or live with someone wfh that does.

          • +1

            @DisabledUser393841: That's impossible, I used to work for CBA and can tell you there's parameters around keeping credit card security. There's a reason why there's so many different departments in CBA.

            Applications are separate to credit card maintenance which is separate to service. Not to mention the CVV number at the back of the card is a once off sent by another department that can't access your profile. Also the CVV number is not in our working system. So for example if you lost it or don't have the physical card there's nothing we can do.

            What we do instead is order a new card and send a request to the processing team. At best we only have access to the card number, card type, all transaction history and date of card issue.

            If there's an annual fee attached to the card it's something that is charged internally by the system and we have no control over it. If there's a dispute we'll have to pass it over to the team leader which will then liaise with refunds department to do a manual transfer.

            Either way it's really complicated and time consuming, that's why you get passed around a lot when you call CBA. It's such that no single person has control over your entire account to avoid staff members from conducting illegal activities.

            • @nobro25: So you are saying the criminal magically does it?

            • @nobro25: Maybe they guessed the expiry date from the opened date, and cvv is only three digits. A few lucky guesses.

            • @nobro25: How do the data people analyse their data without expiry date and card number?

        • +1

          That is a big letdown. Like, Moscow, seriously? Red flag right there.

          Last time CBA detected fraud, was about 5 years ago. I woke up to a call from them at midnight asking if I just bought $1000 of stuff from Officeworks. Said no, so they cancelled the card and declined the transaction.

          • @AdosHouse: Sorry to change the topic, but it's a shame Moscow doesn't fly the Soviet flag anymore as it would make "red flag" quite the pun.

  • +4

    Truly terrifying. Given the lock down situation any spend outside of your state would be a red flag.

  • +1

    I had an issue with combank in the past where I got two $20 transactions from Vodafone when I never used them. I complained and they immediately rolled back the transaction, cancelled the existing card and issued a new one. Hopefully you get your money back without any issues.

  • +1

    It can happen. I had a credit card that was still stuck to the letter it came in so it had never been used physically or online ever and someone managed to use its details. Mind you it was like 8 months after I had received the card so it wasn't like the details were stolen from the mail.

  • +9

    Hi all,

    Unfortunately, it won't be of help to Op or others who have already suffered losses … but Commbank allows you to disable the card for online and international payments. Would advise everyone to do so, and only enable it for 1 hour or the time needed to complete a transaction each time. While it does not mean your account is 100% safe (e.g. if your Netbank app / login is compromised), it puts an additional hurdle on the bad guys / girls seeking to misuse your card(s) if they just have name, card number, CVV and expiry date. Such details are easy to get if one of the sellers you purchase items from gets compromised, your laptop / desktop is hacked etc.


    The other banks should have similar functionality … hopefully.


    • +3

      It's a common feature for most banks these days. I also leave almost close to nothing in my savings for my debit cards most of the time as well and only transfer the exact amount to that account when I need to use it.

      • +1

        I do this with the transaction accounts eg ING Orange but hope/wonder that they cannot get funds from the savings accounts. Usually, you have to transfer funds from the saving to transaction accounts to withdraw at an ATM, except with UBank.

  • +9

    My CBA credit card got hit a couple of nights ago. Received a message via the app asking if a transaction was legit (it wasn't) and when I checked internet banking there was half a dozen transactions for about $1200. The bank was tipped off when they used it at Nutrition Warehouse for about $900. They weren't concerned about the $140 at pizza hut or the other transaction at McDonalds but maybe that says something about me lol.

    Card was cancelled and it's not a card I use much so not really an inconvenience. I have never physically used this card and rarely use it online. I hadn't used it for months so I was surprised it was compromised.

    • +2

      Compromised cards aren't typically used immediately after they are compromised, would be easier for the banks to identify and cancel all the compromised cards.

      The smart organised gangs compromise multiple sources, jumble up all the data and sell them off in different batches to other criminals, then they do the fraud spends. This can take months even a year or two to occur.

  • Was the original txt a legit txt?
    I recently received an SMS from "Netbank" asking if I had made a purchase of $X amount and to login to their phishing site.

    • +1

      Yes txt was from commbank saying we’ve overdrawn, we logged on via computer and confirmed the overdrawn account.

  • +4

    Must be a trend right now… we got taken for every cent in our account (a little over your amount) two weeks ago from some SOAB in Vic. Twenty two transactions in five hours, and we are waiting for the bank to tell us the outcome of investigations. Whilst we are beyond p1$$ed ($8 to last 5 days), it was a bit strange to see them attempt to assuage their guilt by making a few very generous donations to Save The Children. Guess the old "honour amongst thieves" thing may have a tad of truth.

    • +2

      Fk. Crim with a bit of a conscience. Good reminder to check your cards and transactions

      • +1

        Ha ha ha, just what we thought too.

    • We had a similar issue, card fraudulently acquired and during the $25,000 spending spree in 36 hours and in between spending $6,000 at Louis Vuitton and then on to Tiffany's they made a nice little donation to the Salvos. This was the only transaction we didn't dispute, and eventually got all the other money back.

  • +1

    My wife and I have had 3 cards compromised in the last month or so. No idea how it happens. One is only 2 weeks old and bang again. Was not linked to anything - not PayPal, any online service, nothing.

    We don't use these cards for online shopping. We have credit cards for that.

    I have reviewed our computers and statements, and cannot see anything that would lead me to believe that there is some kind of deeper problem with CBA cards going on such as the BIN attacks referred to in an earlier post.

    Basically I am just going to turn off all online transactions for all our cards.

    All these have started with Amazon US which neither of us use, then there will be heaps of transactions after that if you do not notice the initial transaction.

    The last two occasions only got $20 - 50 before it was noticed by one of us. But the first time happened on a Friday night after 8pm and about $1500 charged before the Bank noticed and pulled the pin then notified us (albeit a day later). Luckily I did not need any of that money immediately but it could be nasty for someone that did.

    Ultimately all the money was refunded.

    • Did all three cards have different card number, or just new cards with same number?

      • +1

        They all had different numbers. Every one of them, so I can identify whose card was charged.

        • Same thing happened to my father last month where he noticed two random Amazon US transactions in his CBA account. He doesn’t shop online at all so we couldn’t really work out how this occurred. Eventually CBA refunded the money and reissued a new debit card.

    • +1

      Card skimmer at ATM

  • People steal credit card details all the time. It could be from anywhere that she has supplied her CVV - accommodation booking for instance. Apple Pay is mostly used for in person purchases atm.

  • +2

    I have an UP account for all shopping and online transactions - works with Apple Pay as well. I can top it up instantly with Beemit or PayID then put through the transaction. I never have more than $100 sitting in it otherwise. It’s my version of PayPal without PayPal.

  • I had a similar experience last year… Had something like $7000 spent across 3 merchants in a different state. I'm very careful with my credit card - I have worked in the industry before so I understand how card fraud is normally committed.. in this instance I have no idea how they got my details. All 3 transactions were at mower shops in VIC. Called bank to dispute and they put in chargebacks which were approved a couple of weeks later.

  • A payment system where the PIN is stamped right next to the account number. The person that came up with this idea should get a special gold medal.

  • +2
    • So instead of using your debit card for everything, you use your credit card for everything? So had this been on a credit card, you wouldn't have lost 3k and won't need to pay that since you got scammed?

      What if you can't get a credit card….?

  • +1

    I bank with citi, they locked my account after multiple $1 transactions were made on my account. It was me making the transactions, I was in a bar in North Ireland, and it was the price of ale.
    It was a bit of a process to unlock it, but they let me reroute my call back home on a local call charge.

    Commbank should reverse the charges, Woolworths will cooperate with police and provide evidence.
    The Police, Woolworths, Coles and Aldi have a joint evidence system. So, just a time stamp is needed.

    • The Police, Woolworths, Coles and Aldi have a joint evidence system. So, just a time stamp is needed.

      What system is this? Why is IGA not included?

      • AFAIK they are independents.
        The system is a common CCTV standard. It is evidence sharing.

  • +5

    I've had my NAB Visa credit card scammed 3x within 3 months this year; one of the replacements I hadn't even used yet and it had already been scammed with a $79 JB Hi-fi charge! After calling NAB to report and cancel the cards I managed to get a really helpful staff member who said there's been a huge increase this year in scammers using software to generate card numbers, expiries and CVCs and run small $1-2 charges in the background to "test" if they're the right match. Pretty scary stuff what they're capable of now and it's only getting worse…..

    She even said the amount of times she's seen customers call in with card numbers just 1-2 digits away from her own NAB card is amazing.

    • citi locks the cards after ~3 transactions

      • I wish NAB or all the banks had this too. The first time was 3 transactions at Target and Dusk totalling nearly $2500 (who spends nearly $1000 on candles, I don't know…) between 6-7am. Not the greatest thing to wake up to! The other 2 occasions were only one-off charges but thankfully I had set up card notifications by then so was able to block the card quickly.

        • +1

          You do have to sign your soul over for citi… but they are really good to bank with,

    • So much could be done for card security. Like an SMS for every transaction, or an authenticator number you enter for online transactions.

      Even things like adding alphanumeric credit card digits would significantly increase the amount of unique cards by a substantial factor.

      I'm sure there are many more solutions but unfortunately banks are hesitant to add features at the risk of ease of use. So these should be 100% opt in.

  • +1

    Leave it to the bank, and the police.

    Doesn't she have a limit imposed on the card?

  • After reading many posts about cards that have never been used I think there is an issue wherever the cards are made and printed, possibly overseas. I think the employees must sell batches of card numbers. There seems no other plausible reason as to how the crooks would obtain the card details.

  • My scam of $770 and other amounts were by Uber and in Canadian dollars through PayPal. Apparently this is very common and PayPal addressed it immediately. They said it happens all the time but couldn't say how… I cancelled my card and unlinked it.

  • +7

    My daughter, after the initial shock yesterday, sprang into action with some detective work and provided all the info for the police to nab him!

    Known criminal who has done this before.

    Still begs the question how the hell did he get the card details.

  • My PayPal got hit, I thought the initial email from PayPal of a $300 Nike purchase was a scam but when I logged in it was legit. I called Nike 2 hours after the transaction (2am) and PayPal had already cancelled it on my end. The guy at Nike said yes they'll put the cancellation through as I didn't want that guy to get his stolen shoes. 2 days later they still despatched it 🙄🙄 got sent to a business address somewhere in SA. Lucky guy and his $300 Nikes.

  • The transactions were still pending and had to go through before they could be disputed,

    I had my card compromised. Fortunately only a couple hundred dollars worth of stuff. Telstra/Optus, and KFC. All items that had long been taken away. Got all the money back.

    This rule, though, is just damn stupid. Some poor retailer getting taken for a large sum because the shitty bank wouldn't put a hold on the funds seems pretty unfair.

    Not sure if the rules have changed, but ~15 years ago, it was all risk on the merchant for card-not-present transactions. A lot of companies started requiring ID before dealing with large order amounts.

    This sort of stuff will continue to happen while the banks and Police don't care about it. They aren't going to invest all the time tracking things down unless there's good evidence.

  • +2

    I noticed that a 2k transaction was going through on my card one morning at Harvey Norman. Called them up, they told me that Broden (I laughed when I heard the name) had ordered it and it hadn't been picked up yet. Told them to cancel the order obviously, but the weird thing is they then had to call the person and tell them it was a stolen card (at which point the person just hung up). I heard that the called that morning had tried another card, which was declined and then used mine.
    HN couldn't cancel the payment (it was being processed). I called the bank, told them the story, but it was still taken out while investigated for a refund. Seriously - even after I'd caught it in time??????????
    HN did call the police, I had to sign a statement, no idea what happened after that though

    • Doing a Broden might take on a whole new meaning

    • He's an ozbargainer

  • I got a message through the Commonwealth Bank app 2 nights ago saying possible fraudulent usage of my credit card of about $10.
    I logged in to the app and it was through the Apple App Store. I rang the bank and they said they declined a $500 purchase a few minutes later that was also suspect.

    I don’t know how they know it was suspect but glad they were on the ball. I haven’t used my credit card in over a year and only use it for travel purposes.
    They cancelled my card and said I will be reimbursed the money with a new card to be issued.

  • +1

    "It took 2hrs 10min to get on to the bank after 4 disconnects and messages try again later, at 10pm (SA time) we finally spoke to the bank."

    You can lock the card yourself in the Commbank App straight away when you see anything unusual next time…

    • yes we did lock the card beforehand but the account was overdrawn so it made no difference

  • +1

    I think a big part of Apple Pay is that your card can’t be hacked by merchants you use it with, without your Apple ID being compromised but with a strong password and 2FA that’s impossible. She’s probably forgotten she’s used it elsewhere, either in store or online.

  • +1

    Looking forward to hearing the news when the cops got the guy living up North.

  • Sorry to hear that happened, sounds like it will all be sorted out in the end.

    I stopped using Uber/Uber Eats after my details got stolen via Uber Eats and then used for Uber trips.

    I hadn't used Uber for trips in several years, then started using only Uber Eats.
    All of a sudden, I started getting charged for Uber trips I had never taken.
    Through some digging, I found Uber Eats transactions go through the UAE. So they obviously stole my details then charged trips to my account.

    Got it all sorted via Uber and my bank, and closed my Uber accounts and never used them again.

  • +3

    I work for Australia Post and I can tell you I speak to about 10 people on a daily basis about some "pay $3 for us to manually process this parcel" and then call us a few days later asking where it is.

    The amount of people who comfortably provide their details out to a site URL that is something like hdufheh23fhdhe.gjtd.com and assume it's normal is astounding.

    I unironically think 90% of the people in this thread have fallen for some very simple CC scam and then pick out some schizo-esque reason for how someone got their details.

  • -1


    Think we can close the thread now.

  • I had a similar issue with my Commonwealth bank card too. It was nearing its expiry so I just cancelled it. I asked them how someone might have got the details because I only use PayPal and Apple Pay. I don't even take the card outside the house. They said sometimes people just manage to brute force a card. So they just try different numbers and expirations and CCVs and eventually hit a card that works.

    Or maybe Commbank had a data leak and doesn't want to tell us :P

  • -1

    Besides databases that keep your card info being hacked and video footage recording the card's details

    Another possibility is the card got cloned / duplicated at the ATM
