Multiple credit cards compromised

Are you certain that your Apple account has not been compromised on line?

Well, the truth is, that most use of fraudulent cards does not occur as soon as the card is compromised. So your card could have been compromised several months ago and just now be happening. It’s often coincidence. I was in Europe and I got a message that a card had been compromised. I didn’t even take the card to Europe so I know there was no correlation. The bank worked with me on this one because the people tried to buy $20,000 in gold and they believed it had been compromised about six months before. From what my coworkers who work in the payment card industry, tell me that’s kind of the average length of time between your card number being stolen and your card being used.

The fact that you’ve had multiple cards compromised leads me to believe that something has happened to
Expose your data . Do you have your email secured? Have you emailed the card numbers to anyone?

Are all the cards issued by the same provider? If so, that could be another red flag that that provider has been compromised and your information is out on the dark web, (which by the way it probably is.)

Since you’re using Apple Pay, they’re not getting the card data from the Apple Pay. Because it doesn’t work that way it’s not giving out your actual card information. That’s one of the reasons it’s more secure to use. So something else has happened.

https://www.apple.com/apple-pay/#:~:text=Protected.,shared%20by%20Apple%20with%20merchants

“When you pay in stores, neither Apple nor your device will send your actual card number to merchants”

Have you contacted the credit card companies? Seems important to actually talk to the companies directly.

The OP mentions using Apple Pay for contactless payment and also says that the compromised card was in a "wallet" in a cross body bag and that a second card that had been in a money belt was then moved to the "wallet".
I think Apple's terminology is confusing.
Anyone with an iPhone can set up their iPhone "wallet" on their phone. You can add Chase, Citi, BofA, etc credit and debit cards to an Apple (iPhone) wallet to make "Apple Pay" contactless transactions/purchases.
I have a Goldman Sachs (Apple) Master Card credit card. Although available, I have no physical Apple card. I also have not set up an Apple cash account that is required for the Apple debit card. Since I have never requested a physical card, my Apple master card is only available by using my iPhone at a merchant's contactless (point of sale) device or with an online merchant that offers Apple pay as an option.
I have successfully used the credit cards loaded in my iPhone's wallet in Italy, France, Spain, and Portugal. My Citi visa that is in my "Apple Pay" iPhone wallet awards 3% on dining. The Apple Master Card awards 2% on all purchases... (But only 1% on transactions if using Apple's physical titanium master card. Thus the reason I don't have one.)
I carry 2 physical credit cards as backup and one physical debit card when traveling. In the past 3 years I've not used a physical card in Europe, only the "cards" in my iPhone's "wallet" and only once have I withdrawn Euros from my checking account at a bank's ATM using my physical debit card.
So - to answer the question about tips... if carrying physical cards, get a cross body and/or money belt that is RFID secure. Avoid handing over a physical card when possible. Consider loading cards into your iPhone's wallet app so you avoid using physical cards. Monitor your accounts. As mentioned earlier... the point of compromise may have occurred months before the fraudulent use.

This just happened to me also ( but only one card). However the fraudulent charges were made in the U.S. and I am in Europe and have been for a couple of weeks. For me this solidifies that it was compromised at home at some point, although I have no research to back that up).

Thanks everyone.

Larry-how can I tell if my Apple account has been compromised? Is changing the password enough to rectify a compromise (please forgive my ignorance )

Both cards were VISA but issued by different banks.

I assumed the compromises happened while in the UK because the fraudulent charges were made at merchants in the UK.

The physical cards were used at Santander cycle stations, to get an Oyster card, and at a guesthouse. Otherwise the cards were used via Apple wallet.

Esther

Esther - first regarding Apple, yes changing your password would be a good protection. You can't tell if your wallet was accessed by someone. I would hope Apple is secure, but it can't hurt to change the password.

However, now that you say you physically used the cards at cycle stations, it is very likely that they could have been skimmed there. It would be too quick for someone to have made and sold new cards, but the information acquired could have been used immediately for online purchases. Can your bank tell you information on the fraudulent charges and whether they were done online? Without any knowledge of where you were, I am also suspicious of the guest house. Could the guest house have taken the info and used it, or given it to someone to use? I doubt that a machine for re-upping Oyster cards would' have a skimmer due to their high usage and visibility, but this also makes a good reason for dispensing with the Oyster card and tapping your credit card.

No, you do not need an RFID wallet. That is not how your credit card was compromised. There’s actually been basically no reported incident of credit card scanning being used to steal your credit cards while they’re in your wallet.

The only way that would work is if the thief got incredibly close (you would probably notice them standing on your foot) and then they’d be lucky to get half the information they need. Why would they spend all that money on a scanner when they can take that money and go to the Web and get a 100credit card numbers?

https://www.npr.org/sections/alltechconsidered/2017/07/04/535518514/there-are-plenty-of-rfid-blocking-products-but-do-you-need-them

https://www.walletopia.info/educate/rfid-wallet-still-a-scam/

Did you use them online? Maybe using the cards over unsecured wifi?

I haven’t used them online on the trip. I don’t make online purchases at home unless I’m on a password protected wifi network, and rarely do so away from my home wifi anyway.

So far the Apple card is working. If I have to pay with a physical card my brother who is traveling with me will cover it. This is my third international trip, and while I have anxiety in general I think I’ve handled adversity fairly well on these trips, but losing two payment methods has left me questioning whether I’m up to another trip.

Thanks for the advice!

As has been reported elsewhere on this form Transport for London has had a serious cyber security incident- https://tfl.gov.uk/campaign/cyber-security-incident

Far more serious than using skimmers. And Santander cycles are part of TfL.

TfL are supposed to have contacted anyone involved, but if you don't have an account with TfL they probably can't do that.

This could potentially have affected anyone using credit cards in any context on TfL. Sorry to upset the narrative about tapping good, Oyster cards bad. But in this context that is not true. A few weeks ago (before this incident) I topped up my Oyster at a machine which accepted cash. A far more effective security method. Yes such machines do still exist on TfL.

We don't know that is what has happened but it is one possibility.

As far as I am concerned the opposite is true- this is another reason to be using Oyster, and be using cash generally.