boosacnoodle:

geek3001:

Another thought, why is there no endpoint detection of some sort that means the card can only be added to the wallet on a phone that is known to be the card holder's property?

There is. It's up to card issuers to use that data - or not - and to determine if any other verification parameters are required.

I used to be able to verify ANZ Bank cards in Apple Wallet with just SMS but no longer - a phone call is now required, which necessitates full verification using "Voice ID" (which can probably be hacked with AI now anyway...).

IRD do the Voice ID thing too. I can't remember if I have it on mine, but my mum was offered it recently on a call I was helping her with, and I just shook my head, after I just said "with AI & deepfakes, I wouldn't trust that at all these days".

Back on topic, looking at my texts, Westpac sends two for each Apple Pay addition... "X is your Westpac card one-time passcode for adding your card to Apple Pay. It expires in 5 minutes. Enter it in the Apple Wallet app when prompted." & "Your Westpac card ending in X has been activated on your [device type] for Apple Pay. Use it wherever you use contactless."; ASB: "From ASB: X is your registration code for your card ending in Y on your [device type]. Do not share this with anyone including ASB staff.." & "From ASB: Welcome to Apple Pay, ... [similar to Westpac's second one]".

BNZ seem to rely on the app, because I can't see any Apple Pay related messages in my history, and they at least have good warnings about what to do with unexpected activations of the app in their SMS notifications for that.

Honestly, looking back at the messages with a more critical eye... I'm a little surprised at the wording on the texts. Really they should be accompanied by a "Not adding your card to Apple Pay? Do not share. Call the number on the back of your physical card immediately."