Middle Tennessee man falls victim to new credit card fraud on Apple Pay

NASHVILLE, Tenn. (WSMV) - While Joe Hewitt has a credit card that he frequently uses, he is careful when and where he uses it, saying he never buys anything online.

“I don’t even order anything from Amazon,” said Hewitt. “I just don’t trust that, and I certainly don’t use my phone to buy stuff.”

That is why Hewitt was shocked this past April when strange out-of-state purchases started popping up on his credit card statement from Truist Bank.

“The first one was at Target in New Jersey for $206, the second charge was also at Target for, a hundred and some odd dollars,” Hewitt said. “So, I notified the bank of the fraud, and the bank guy told me it happened on Apple Pay.”

Turns out, earlier that day, Hewitt’s credit card had been skimmed at a store near his home in Murfreesboro, and within four hours, thieves on the east coast had his information and used it to set up an Apple Pay account, racking up hundreds of dollars in fraudulent charges.

Hewitt says Truist Bank removed the initial charges from his bill, issued him a new credit card number, expiration date and CV code, and sent the new card off in the mail. But according to Hewitt, that didn’t fix the fraud problem.

“Well, when they changed the card number before I got the card, I had already received a letter in the mail where there were charges on the new card,” said Hewitt.

This time, according to credit statements reviewed by WSMV4 investigates, Apple Pay purchases using Hewitt’s new card took place at stores like Target, CVS, and Game Stop in Maine, Massachusetts and Virginia.

So once again, Hewitt called his bank to report the fraud, and this time Truist sent his new credit card via FedEx, but for a second time according to Hewitt, that failed to stop the thieves.

“The card from FedEx came, the same day I got the card, I got a letter in the mail stating that there were fraudulent charges on that card,” Hewitt said.

In the end, Hewitt says Truist issued him four new cards, but each time the fraud would start over. Eventually, he canceled the account fearing the problem would ruin his credit.

“There’s still $630 worth of fraudulent charges that are still being charged to my account,” Hewitt said. “The bank, they say they’re working on it, but that ain’t what my statement says.”

After interviewing Hewitt and reviewing his credit card bills and letters from Truist, WSMV4 investigates contacted Alex Nette, a cyber security expert and CEO of Hive Systems.

Nette blames the fraud in Hewitt’s case on something called “auto updating,” it’s a feature some banks use to update customer credit card information on Apple Pay.

“As a consumer that sounds useful. Get a new credit card, get a new expiration date on a new card, and it automatically updates so you can just keep on tapping away with your phone and keep making purchases,” Nette said. “The problem here is banks need to sit down and take a risk-based approach. What is the risk that cards get misused, like in this case.”

As Nette explains, the risk is this, if a stolen credit card is used to set up, Apple Pay thieves get the new number, expiration date and security every time the bank issues a new card.

“They need to have a different kind of option for when a card is stolen. To be able to flag it and say, ‘Hey we need to revoke this authorization to Apple Pay.’”

According to Nette, most large national banks require customers to enter a PIN or update credit card information to keep using Apple Pay and other mobile payment systems whenever a new card is issued.

But some smaller regional banks auto-update that information, and while many customers have no idea that takes place, Nette said hackers and scammers do.

“People buying lists of stolen credit card numbers, they know that certain banks are more at risk and don’t have the controls put in place to protect Apple Pay accounts. So, they’ll filter that list of stolen credit cards pretty quickly, looking for those impacted banks,” Nette said. “That gives them a whole treasure trove of information to use and abuse very quickly. That’s a huge problem because it’s only going to continue to get worse.”

WSMV4 Investigates contacted Truist to ask about Hewitt’s case and whether the bank auto-updates credit cards on Apple Pay. Citing privacy, Truist said by email that it couldn’t share specifics about its clients, including denying or confirming that a customer relationship exists with Hewitt.

The bank did say, however, that “financial institutions across the country are experiencing escalated fraud attacks from criminals. At Truist, protecting our clients and their accounts continues to be a top priority and we take any potential fraud concerns seriously.”

But frustrated with the bank, Hewitt says he stopped banking with Truist in May.

“At this point, I just want other people to know, to watch out,” said Hewitt. “These fraudsters, they can get you just as quick as they got me, and it happens fast.”

Nette said to protect themselves from this type of fraud, people should call their bank or visit a local branch and ask if that institution auto-updates credit card information on mobile payment systems like Apple Pay. If the answer is “yes,” Nette strongly suggests finding a new place to bank.

“There’s no reason that these things should continue to happen,” Nette said. “But right now, there are no laws or banking regulations blocking auto-updating, so we as the consumer have to put ourselves in the driver’s seat to protect our credit information.”

Copyright 2023 WSMV. All rights reserved.