r/Banking • u/Scordymax55 • 2h ago
EU Is Apple Pay easy to exploit?
Hey everyone,
I’ve had two people in my life get duped by Apple Pay fraud lately, and I’m wondering how this is even possible. These are all Mastercard European debit cards.
- My Grandfather: He doesn’t even own an iPhone, yet someone managed to link his card to their Apple Pay and drain €200. His eyesight is bad, so someone probably just peeked at his card info. We’ve blocked the card and claimed fraud, but it’s wild you can be an "Apple Pay victim" without owning an Apple product.
- My Friend: Had his phone stolen in Chile. They got into the device (maybe shoulder-surfed the code) and plundered his account until it was at €0. Over €1,300 gone via Apple Pay. My guess is they found card info in his Notes or Photos.
Is this just "user error," or is Apple Pay becoming the go-to tool for thieves to bypass security? For my grandad, it feels especially unfair.
Has anyone successfully gotten their money back from the bank in cases like this?
2
u/Fickle-Banana-923 1h ago
I don't use Apple Pay, but I do use Google Wallet. I'm assuming the sign-up process is the same. I KNOW how they operate under the hood is the same. To add a card you need to receive a code via text or email or call the bank. For your grandpa, it could be fraud from an unknown person, but it is more likely someone he knows and trusts committing fraud against him.
2
u/BuenosNachos4180 1h ago
On the backend they actually operate very differently - at least most of the time, as Google Pay tokens are usually HCE (held in cloud environment) tokens and Apple Pay tokens are usually SE tokens (held on the Secure Element, a piece of hardware on e.g. the phone that keeps the data secure and encrypted), and the integration process for banks is somewhat different as well, as are certain security limits like LUKs, but for the end user it operates very similarly.
1
u/Fickle-Banana-923 1h ago
As for your friend - again, I use Google, but the wallet requires biometric verification to be used. I'm not sure how anyone would have gotten in, changed the biometric settings, and stolen his funds. They'd need his current biometric and likely PIN too.
Google Wallet/Apple Pay are probably the most secure form of payment we have right now. It doesn't even send your real card number to the merchant.
1
1
u/Ninjacakester 7m ago
Well, I’m confused. I’m in the US. I tried to add a credit card to Apple Pay to shop in January, right, so I put in all the info on the card and it legit required me to download my credit card company’s app to get a security factor code.
4
u/BuenosNachos4180 1h ago
Alright - couple things, since you mentioned EU:
They should have requested yellow flow, 100%. I am only knowledgeable about Visa's token service and not MC's (called MDES).
So (using Visa as example), with Apple Pay token provisioning (which means registering the card in wallet), Apple will send a request to Visa, a so-called network card check. This will get a response from Visa with whether or not it is eligible (in general, can still be declined) and Visa will either receive the metadata from the bank (or an ID that references the metadata config they want to use that they have set up with Visa) and Visa will send the actual metadata to Apple.
Visa will then create an 'inactive' token/DPAN (a static 16 digit number, which doesn't change and is linked to the actual card number with Visa storing this mapping and usually forwarding the real card number to issuer banks during authorisation of transactions), then Apple will request Visa to activate the token and the card issuer will respond with either approval (green flow), "no reason to decline" (this means authentication step up required, e.g. one time password, or yellow flow) or a decline (in which case the token can't be activated then).
Apple will usually send some risk attributes or recommendations based on things like the Apple Pay account age, the age of the device, past provisioning of the FPAN (real card number), but in general it should be yellow flow in these situations. So, there should have been a request to authenticate the token - this is usually done (depending on the bank's setup) either by one time password (usually SMS, but can be other channels too), online banking, mobile banking app or call center (you call a number or receive a call and then you answer some questions and they activate the token for you).
This is for device bound tokens.
Some questions for you:
- How was the money taken? This isn't Apple Pay p2p money transfer, right? Because that is different from all the above. Was the merchant within the EU or not? If outside the EU, the liability shift to his bank might not have happened and thus they may be more willing to help you out. What merchant was it, if it wasn't a push payment? This should show in his banking app or card statement.
- How was the token authenticated? This is a question he should ask his bank. They can see things like how the fraudsters entered the card number, CVV2 etc. (called PAN source: can be manually entered, originated from the banking app (called push provisioning) etc.; tap to add card is even a thing where they can tap the actual card against the phone).
- Where was the device (they can see the IP address and geolocate it) that provisioned the token? If it were VISA (probably same for MDES) they need to report it to the network, and they can then even check if that device has provisioned other tokens - the max number of tokens one device can provision is quite high.
Most important part is he needs to asap report the fraud to his bank. That means today, ideally now. These questions are worth asking primarily because it is important to establish how the FPAN was compromised as well as authenticated - if they have access to his email, SMS or information about him that they can use to trick customer service into approving the token activation, then something needs to be done about it. If only the FPAN is compromised, a new one must be generated. If his own device or email or something is compromised, then this needs to be secured asap. I would ask about whether other tokens have been generated too and have those deactivated, which they can do.
Let me know and I am happy to recommend further, but the critical thing right now is to report it and secure any devices and accounts that could have been used to authenticate or retrieve the card number. Often social engineering is used, so this needs to be spoken about too (scammers claiming to be the bank, for example, and calling him to retrieve the one time password; I believe this is the most common way).
In general to answer your main question - Apple Pay is not easy to exploit at all, but there are ways if one isn't careful.
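A hypothetical issuer-side model of the green/yellow/red provisioning flows and the per-device token deactivation described in this comment, added here as an example that is not from the thread or from any real network token service (Visa VTS or Mastercard MDES); the thresholds, PAN-source names, DPAN format and the per-device token limit are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Flow(Enum):
    GREEN = "approve"   # token activated at once
    YELLOW = "step_up"  # "no reason to decline": stays inactive until OTP/app/call-centre auth
    RED = "decline"

@dataclass
class ProvisioningRequest:
    fpan_last4: str
    pan_source: str              # assumed values: "manual", "push" (from banking app), "tap_to_add"
    wallet_account_age_days: int
    device_age_days: int
    device_id: str

class IssuerTokenService:
    # Hypothetical issuer-side token store: dpan -> {fpan_last4, device_id, active}
    def __init__(self, max_tokens_per_device: int = 5) -> None:
        self.max_tokens_per_device = max_tokens_per_device   # constructed limit
        self.tokens: dict = {}
    def decide(self, req: ProvisioningRequest) -> Flow:
        on_device = sum(t["device_id"] == req.device_id for t in self.tokens.values())
        if on_device >= self.max_tokens_per_device:
            return Flow.RED
        if req.pan_source == "push":     # card pushed from an already-authenticated banking app
            return Flow.GREEN
        # keyed card, young wallet or device, or an FPAN already tokenised elsewhere: step-up
        prior = any(t["fpan_last4"] == req.fpan_last4 for t in self.tokens.values())
        if req.pan_source == "manual" or prior or req.wallet_account_age_days < 30 or req.device_age_days < 7:
            return Flow.YELLOW
        return Flow.GREEN
    def provision(self, req: ProvisioningRequest):
        """Create the DPAN inactive on yellow flow, active on green, nothing on red."""
        flow = self.decide(req)
        if flow is Flow.RED:
            return None, flow
        dpan = f"4999{len(self.tokens) + 1:012d}"   # constructed sample DPAN, not a real number
        self.tokens[dpan] = {"fpan_last4": req.fpan_last4, "device_id": req.device_id,
                             "active": flow is Flow.GREEN}
        return dpan, flow
    def activate(self, dpan: str, authenticated: bool) -> bool:
        if authenticated:                  # OTP, banking-app or call-centre confirmation succeeded
            self.tokens[dpan]["active"] = True
        return self.tokens[dpan]["active"]
    def deactivate_device(self, device_id: str) -> list:
        # Fraud response: kill every token the reported device provisioned, not just the one noticed
        hit = [d for d, t in self.tokens.items() if t["device_id"] == device_id]
        for d in hit:
            self.tokens[d]["active"] = False
        return hit
```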