rpgs.314 said:If they can steal your credit card numbers they can steal your apple pay tokens. If they have them, they can use them since the tokens are just another card number and because the tokens do not change with time or merchant.
Are you sure that's correct? Because it does not jive with Apple's presentation. IIRC they claimed one-time use tokens, and basically invulnerable against anyone snooping said token since it is one-use, and consumed on use. You would not be able to use it a second time, so it'd be worthless for anyone intercepting it.
So either you've got your infos wrong, or Apple lied in their presentation. Or I hallucinated while watching it. <--This is also a possibility...
rpgs.314's model is not quite right. The dynamic account number is kept in the secure element. The "credit card like credential" (payment token) is something else. It is generated on the fly, together with yet another one-time secure code for every transaction.
Even if one captured these in-flight payment tokens, they can't use it for more fraudulent transactions. They should also be one-way. You can't guess the dynamic account number from these payment tokens.
If you lost the phone, then you have to use Find My iPhone to revoke the dynamic account number.