Friend's Barclaycard used to order Deliveroo - how?

NeverEden

Hi All

As above, my friend realised someone somehow got his card details and made Deliveroo transactions using his card. The strange thing was this was only ever registered on Apple Pay so he assumed the worst and got it cancelled.
The stranger thing is, 2 days ago they received a new card and this has somehow been used to make a similar transaction again, with no use anywhere, not even Apple Pay.
Anyone any ideas how this can happen? The only 2 things I can think of are either intercepting of mail or someone getting details of the card from the bank, an inside job maybe?
 
Happened to my friend a few months ago, only one Deliveroo with Barclaycard.
 
A few years back, my Barclaycard was cloned and the only place the payment details were stored was my AppleID. Even when the card was re-issued with a new number, I had more fraudulent activity. In the end Barclaycard closed my account and moved my details to a completely new account.
 
If Apple Pay is anything like Google Pay it will pick up the card has been changed. I'm not entirely sure whether there's an algorithm at play (credit/bank card numbers are based on an algorithm) or whether the bank update it with Google, but whenever I've ordered a new card or they have changed due to age, the app knows the number of the card already. All I need to do is enter the CVV code on the card to verify it. There's also a slight grace period to allow for postage and other related chaos before it will force you to verify the new card details.

The easiest way to "break the chain" is to close the account and start a new one. At that point the cards start with a completely new set of numbers, and the scammer is stopped in his tracks. The problem is, if it's a bank account most people don't want or need the hassle of an account being closed, another one opened, and the fun and games that follows when you need to update everything (I know banks can do most of it these days, but it's still annoying for the stuff they can't).

The way Google Pay and Apple Pay (and some others) work is by creating a virtual credit card for you (If you use Google Pay and click your cards, you'll see part of the virtual card number in the info screen). It's nothing spectacular (just numbers), there's no credit limit apart from what they make as a maximum purchase and what you have available in the bank. When you pay for anything with your phone it gets charged to this virtual credit card, pays the vendor and then bills your registered card(s). I suppose it would be possible for an employee to get access to real world card/bank details, but it would need to be very high up and a call centre drone or low level worker wouldn't be able to access them as par for the course.

Out of curiosity, your friend doesn't have any children do they? A few years back my then-girlfriend kept seeing Dominos pizza charges on her credit card. The bank (Santander) weren't much use apart from changing the card. Every time the card was changed it kept happening so in the end the fraud team decided to sort it out once and for all. It turned out that the delivery address was her home address, but every time it was ordered was when she was at work (she works mainly nights as a nurse). It turned out one of her kids was coming in, couldn't be bothered cooking or eating anything in the house, and was ordering from Dominos. Whenever she changed her card, he just snaffled the new details and carried on. Thankfully it was stopped when she managed to get the police around to arrest him (for fright tactics) give him a talking to, and then de-arrested him with a warning.
 
This is why I wish we could just add a balance manually, never attached a card to either service and never will.

For online purchases, though, I do have two Barclays accounts where one card has no overdraft and funds can be moved from one to another when I want to purchase something. Little bit of a workaround but a lot more peace of mind that my main card is safe.
 
Appreciate the responses. In this case he obtained a brand new card and had not entered the CVV into Apple Pay yet within 2 days was caught out.
Personally I keep one debit card and have hardly anything on that account. For savings I simply destroy the card.
 
Appreciate the responses. In this case he obtained a brand new card and had not entered the CVV into Apple Pay yet within 2 days was caught out.
Personally I keep one debit card and have hardly anything on that account. For savings I simply destroy the card.
You missed this bit on iqonic’s first paragraph
...the app knows the number of the card already. All I need to do is enter the CVV code on the card to verify it. There's also a slight grace period to allow for postage and other related chaos before it will force you to verify the new card details.
 
You missed this bit on iqonic’s first paragraph
Spot on. And credit card numbers (unlike debit cards) do not change if you request a new one
 
Ah, that's interesting, so effectively the previous card was still active...
 
So many ways you could get hacked. You really need your head screwed on correctly these days.
Have you made an online order via a non-encrypted website? Have you made a payment over the phone? Have you recently changed phones?
 
Spot on. And credit card numbers (unlike debit cards) do not change if you request a new one
Seriously? I know my main card number off by heart, but credit cards I don't, and I've never noticed. I thought it was the same for credit cards, so thanks for correcting me :)
 
Seriously? I know my main card number off by heart, but credit cards I don't, and I've never noticed. I thought it was the same for credit cards, so thanks for correcting me :)
Yes, your credit card number is basically the equivalent of your bank account number. When you get a new credit card from the same provider for the same account, only the expiry date and CV change
 
Appreciate the responses. In this case he obtained a brand new card and had not entered the CVV into Apple Pay yet within 2 days was caught out.
Personally I keep one debit card and have hardly anything on that account. For savings I simply destroy the card.
I had the same last week. I made a long post in the fraud thread. Originally several fraudulent transactions went out to Apple.com. I don't have and never had apple pay. I have never bought anything from Apple either or had an Apple ID. A fourth attempted payment to Adidas failed.

When contacting my bank they told me they had put a stop on any future transactions to Apple. They cancelled my debit card and sent me a new one.

Within two days and before I'd used the new card another payment to Apple went out. Spoke to the bank a second time. I explained I'd been told all payments to Apple had been blocked so how had this happened on my brand new card? I got the sense he wasn't quite sure how to answer as he couldn't answer immediately. Anyway he then told me that any block would only apply to individual purchases. He said that for any continuous payments set up, such as subscriptions they would simply roll forward on to the new card even though it has a new number. In his words "they can get it from the bank". Must admit I'm a tad cynical as to whether they really had put a block in place. I then had to complete an online form that you would normally use when you are in dispute with a retailer who continued to take money from you after you had cancelled a service. Fingers crossed that seems to have done the trick but it doesn't feel the right way really. I'm not in dispute with anyone, these were fraudulent transactions. I've never used Apple.

I have no idea how my card details were compromised in the first place either.
 
All very odd I must admit, never heard anything like it before. Can’t see how that could happen either.
 
All very odd I must admit, never heard anything like it before. Can’t see how that could happen either.
I hadn't either. The one thing I do know in my case is that a fraudulent transaction went out on my new debit card with a new number on it, before I had used it. So I guess there's some truth in what the bank told me.
 
I hadn't either. The one thing I do know in my case is that a fraudulent transaction went out on my new debit card with a new number on it, before I had used it. So I guess there's some truth in what the bank told me.
They can to a degree; what doesn’t make sense is the lack of revalidation of a CVV. Or how someone else managed to get it added to someone else’s Apple Pay. I mean they’d know who it is. You’d also not just need the card details and CVV but also multi-factor authentication before it gets enabled.

So that is a lot of compromises.
 
If Apple is like Google, then it uses a different card number for purchases from your bank. Basically Google Pay has its own card number. I assume this is linked to your bank account and sort code. Therefore even if your card number changes, the bank account that Apple Pay uses is still active so can carry on being used, and the card number Apple Pay uses is obviously the same.
From Google Pay: [attached screenshot]
 
They can to a degree; what doesn’t make sense is the lack of revalidation of a CVV. Or how someone else managed to get it added to someone else’s Apple Pay. I mean they’d know who it is. You’d also not just need the card details and CVV but also multi-factor authentication before it gets enabled.

So that is a lot of compromises.
Indeed. I asked the advisor and he described it as a "flaw" in the system. He reckoned it was a system some businesses use and some don't. The idea being if you have a continuous subscription or payment plan in place you don't need to update your card details when your card is changed. They said if they found out more they'd let me know but I doubt I'll hear anything tbh. With the original card a fourth payment to Adidas didn't go through because that would have needed my approval via my banking app. The Apple ones didn't. That's the other issue, not all transactions need approval at my end.

And to clarify, in my case no one else has access to the card. It's not been out of my possession. It's not been used on an unencrypted network. I have full security on my devices and the original card hadn't been used "in person" for many months. No children here either! Not visited any new websites etc. So the source of the original compromises remains a mystery to me.
 
Spot on. And credit card numbers (unlike debit cards) do not change if you request a new one
This is not the case. I left my credit card in a coffee machine and the replacement had another number.

If the OP is sure the new card was used also, then it sounds very odd. I would be looking closer to home as the number on the back of the card is not stored anywhere.
 
If Apple is like Google, then it uses a different card number for purchases from your bank. Basically Google Pay has its own card number. I assume this is linked to your bank account and sort code. Therefore even if your card number changes, the bank account that Apple Pay uses is still active so can carry on being used, and the card number Apple Pay uses is obviously the same.
From Google Pay: [attached screenshot]
That is different. That is related to not sharing your number with the merchant. An expired card still gets expired. I’ve just had that with one of my cards.
 
Indeed. I asked the advisor and he described it as a "flaw" in the system. He reckoned it was a system some businesses use and some don't. The idea being if you have a continuous subscription or payment plan in place you don't need to update your card details when your card is changed. They said if they found out more they'd let me know but I doubt I'll hear anything tbh. With the original card a fourth payment to Adidas didn't go through because that would have needed my approval via my banking app. The Apple ones didn't. That's the other issue, not all transactions need approval at my end.

And to clarify, in my case no one else has access to the card. It's not been out of my possession. It's not been used on an unencrypted network. I have full security on my devices and the original card hadn't been used "in person" for many months. No children here either! Not visited any new websites etc. So the source of the original compromises remains a mystery to me.
It may be how they’ve integrated it. As Apple Pay is integrated with the bank itself it can indeed update the expiry date. So if you got issued the same card with just a new expiry date it could still be active.

But that doesn’t change the fact that someone else managed to activate it which is weird. And your bank should have created a new number.
 
It may be how they’ve integrated it. As Apple Pay is integrated with the bank itself it can indeed update the expiry date. So if you got issued the same card with just a new expiry date it could still be active.

But that doesn’t change the fact that someone else managed to activate it which is weird. And your bank should have created a new number.
New card does have a new number but if I understood them correctly the one fraudulent transaction that appeared on my new card came through as a result of fraudulent activity on my old one. He implied the new number was irrelevant. I don't know any more than that and the whole thing is a puzzle really. I wasn't expecting them to come up with that explanation otherwise I would have been a bit more prepared in terms of the questions I asked. Of course it would help if I could identify the source of the original compromise.
 
Could it be related to this ‘express transit’ flaw that I saw a few weeks ago? Not specifically this, but a related way in to exploit Apple Pay.
 
