Fact Check: AirDrop Won’t Let Thieves Snatch Your Credit Card Data

credit card debt Credit: Avery Evans / Unsplash

It seems like the holiday season is a ripe time for spreading alarmist misinformation about iPhone privacy and security. Last year, a false report misled people into believing Apple’s NameDrop was a security risk. Now, a little over a year later, AirDrop is back in the news again with some viral TikTok videos claiming the technology can be used to let thieves steal your credit cards.

This latest report has even less merit than the NameDrop scare. That one had a germ of legitimacy as it built on what NameDrop was designed to do — wirelessly share contacts between Apple devices. However, those reports suggested this could happen without your knowledge, merely by a would-be identity thief brushing their iPhone up against yours.

Just so we’re clear, that part is so wildly exaggerated that security experts called the warnings — some of which came from police departments that had picked them up — “hysteria” and “nonsense.” It’s also something that should have been obvious to anyone who had actually tried NameDrop.

However, new conspiracy videos making the rounds on TikTok appear to have become disconnected entirely from reality. As shared by AppleInsider and The Daily Dot, at least two TikTokers are getting people riled up with blatant misinformation by telling people to turn off AirDrop for fear of losing their credit cards to random passers-by. As one says, if you leave AirDrop on, people can “walk past you [and] get all of the cards in your [Apple] wallet.”

We’re not going to waste time linking to these videos, as there’s no point in rewarding them with even more views for this insane level of fear-mongering. They’ve already collected well over a million eyeballs by “warning” people about this problem that has come from a “recent update” to iOS — presumably iOS 18.1 or iOS 18.2. However, it’s a problem that simply doesn’t exist.

At least with the NameDrop hysteria, there was a very remote possibility that a bug in Apple’s implementation might expose your contact information. It’s unlikely in the extreme, but it’s still theoretically possible as the pieces are all there to share contact info, and only Apple’s guardrails prevent it from happening without your permission.

However, credit cards in Apple Wallet are not shareable via AirDrop. Period. You can’t share them in a reusable form, even if you want to.

Apple Pay allows payment terminals to take money from a credit card as a one-time transaction. However, even this has to be authorized by Face ID, Touch ID, or a passcode — a hardware requirement built into the iPhone that can’t be overridden by software. It’s also a one-time transaction that can’t be “replayed” to make multiple charges to a credit card. Even if someone were to set up a fake terminal, they get to charge your credit card once, with your authorization. We’ve reported on Apple Pay scams that exploit this. However, they still require some level of social engineering to pull off, usually by tricking the iPhone user into paying a different amount than they agreed to. This kind of scam isn’t unique to Apple Pay — it can happen with any contactless card.

When you add a credit or debit card to Apple Pay on your iPhone, a series of cryptographic tokens are generated to represent your payment information. The original numbers for cards added to Apple Pay aren’t even stored anywhere; instead, a unique Device Account Number (DAN) is generated to represent your card, and that’s what gets stored in the Secure Element — a dedicated chip inside your iPhone that even iOS can’t read information from.

There’s no way to read the full DAN — you’ll see the last four digits on most receipts, but the rest of the number is only used internally by payment processors. However, even if you could get the full number out of the Secure Element (which you can’t), it would be useless as it can’t be used for normal credit card transactions. It’s tied to the cryptographic keys used by Apple Pay, meaning that payment networks will only accept that number if it’s presented with the other necessary credentials, which are equally impossible to get from an iPhone.

Here’s how Apple describes this in its Apple Pay security and privacy overview:

After your card is approved, your bank, your bank’s authorized service provider, or your card issuer creates a device-specific Device Account Number, encrypts it, and sends it along with other data (such as the key used to generate dynamic security codes that are unique to each transaction) to Apple. The Device Account Number can’t be decrypted by Apple but is stored in the Secure Element — an industry-standard, certified chip designed to store your payment information safely — on your device. Unlike with usual credit or debit card numbers, the card issuer can prevent its use on a magnetic stripe card, over the phone, or on websites. The Device Account Number in the Secure Element is isolated from iOS, watchOS, macOS, and visionOS, is never stored on Apple servers, and is never backed up to iCloud.
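
A simplified model of the scheme described above, added here as an illustration and not taken from Apple or any payment network. It shows why a Device Account Number alone, or a captured one-time payment message, gets declined. The class names, the transaction counter, and the use of HMAC-SHA256 as the "dynamic security code" are assumptions; real payment cryptograms use different algorithms and fields.

```python
import hashlib
import hmac
import secrets

def mac(key, dan, amount_cents, counter):
    # HMAC-SHA256 stands in for the real per-transaction code (assumption)
    msg = f"{dan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Issuer:
    """Toy issuer: knows each DAN's key and the last counter it accepted."""
    def __init__(self):
        self._keys, self._last_ctr = {}, {}

    def provision(self, dan):
        self._keys[dan] = secrets.token_bytes(32)
        self._last_ctr[dan] = 0
        return self._keys[dan]  # in this model, handed only to the secure element

    def authorize(self, dan, amount_cents, counter, cryptogram):
        key = self._keys.get(dan)
        if key is None or cryptogram is None:
            return "declined: no cryptogram"
        if not hmac.compare_digest(mac(key, dan, amount_cents, counter), cryptogram):
            return "declined: bad cryptogram"
        if counter <= self._last_ctr[dan]:
            return "declined: replay"
        self._last_ctr[dan] = counter
        return "approved"

class SecureElement:
    """Toy device side: the key stays inside; only cryptograms come out."""
    def __init__(self, dan, key):
        self.dan, self._key, self._ctr = dan, key, 0

    def pay(self, amount_cents, user_authenticated):
        if not user_authenticated:  # stands in for Face ID, Touch ID or passcode
            return None
        self._ctr += 1
        return (self.dan, amount_cents, self._ctr,
                mac(self._key, self.dan, amount_cents, self._ctr))

def demo():
    issuer, dan = Issuer(), "4000000000001234"  # constructed sample DAN
    se = SecureElement(dan, issuer.provision(dan))
    txn = se.pay(1999, user_authenticated=True)
    return [issuer.authorize(*txn),                    # genuine payment
            issuer.authorize(*txn),                    # same message resent
            issuer.authorize(dan, 1999, 2, None),      # DAN alone, no key
            issuer.authorize(dan, 99999, txn[2], txn[3])]  # amount altered
```

Calling demo() returns one decision per case: only the first, user-authorized payment is approved.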

While we’ll stop short of saying it’s absolutely impossible to get information from the Secure Element, it’s so close to being impossible that it’s not a possibility worth discussing. The Secure Element isn’t an Apple feature but rather something that’s mandated by the finance industry for all devices that support mobile payments. The best hackers can’t even figure out how to get information out of a Secure Element with physical access to the chip. There’s no way that Apple can give that data up via AirDrop — and certainly not accidentally.

Sadly, posts like these make many people needlessly scared of modern technology, even though Apple Pay is actually more secure, not less. The contactless payment card in your wallet is far more vulnerable to “walk-by” skimmers that try to read the cards from inside your wallet since those don’t require user authentication to present payment info. An attempt to do the same with Apple Pay would simply light up your iPhone to ask for Face ID authentication before transmitting any data to the fake terminal.

Still, even those types of attacks have always been far more theoretical than practical. The information that can be read from a contactless card isn’t enough to complete an online transaction; at best, it could be used to create a copy of the physical card for in-person contactless transactions, but those have spending limits and the thief has to show up in person with the stolen card, increasing the risk of getting caught. Further, financial companies have closed most of those loopholes in the past decade or so, which is why you don’t hear too many reports of these attacks actually happening.

Apple Pay is nearly bulletproof by comparison. While there have been some vulnerabilities related to Express Transit, which can present a payment card without requiring biometric or passcode authorization, these can still only be used to steal money by charging fake transactions to your card. There’s still no way for them to capture the actual credit card information or any other personal data.

Either way, there’s absolutely no way that credit card information is being stolen from Apple Wallet using AirDrop. Scammers could access this kind of data in some roundabout ways, but those still rely on social engineering tactics to trick you — they can’t be done behind your back — and the data would need to be stored elsewhere on your iPhone.

For instance, The Daily Dot’s Jack Alban suggests that the TikTokers may have conflated the problem with the new screen-sharing capabilities introduced in iOS 18.1. This feature can grant someone remote access to your iPhone — and these requests can be made via AirDrop — but you still have to accept the request, and you’d have to be in a position where your financial information was readily available for the digital intruder to see.

As we already explained, they can’t get that data from Apple Wallet any more than you can, but lots of folks store credit card numbers in notes, documents, or other apps on their iPhones. That’s still a big long shot, but at least it’s more plausible than a passerby hoovering up all your credit cards via AirDrop.
