iPhones have basically no real attack vector, since all software available for the thing is curated by Apple to look for malware. To put it in a way a Linux user would appreciate, unless you're the kind of person who runs Arch or Gentoo, you're not going to be running unsigned code on the phone. All the software on the device has been approved by Apple before it was ever given a signature and allowed to be downloaded.

A number of older models can be deliberately jailbroken to run unsigned code, but you have to be one of those enthusiasts I just mentioned. She also maybe could in theory join a beta test group on TestFlight (the pre-release public testing platform) that would run malware that hadn't been submitted to Apple, but that's very unlikely.

This is a device state agencies are using and their enemies are trying to hack into. Some script kiddie targeting a wide range of people like your Mom is not going to be hacked. What is more likely to happen is she falls for a phishing attempt and people get ahold of her credit cards or personal data by pretending to be Amazon, Comcast, etc.

Yep. I'm 100% sure that's what happened. But somehow she gets a new CC and within 24 hours the number is on the street and being run again. She even changed banks and the same thing happened. As soon as the number gets entered in one of her iDevices, it's out there.

Not sure why the downvote, I'm reporting what happened.

Where is your mother entering in her credit card details?

Adding the card to wallet? Saving the card details to safari auto fill? PayPal? Just using the card on an online store?

Yeah good questions- likely hood of phone etc being hacked so much lower than a phishing attack

Have you checked the browser on computer for a keyboard sniffer?

Great questions. Pretty sure she had it in the Apple Pay for whatever reason. Yes to wallet, I think. No to autofill and Paypal. Yes to online shopping. But suspicious charges have shown up with a new card on like, the second day when she's only been grocery shopping. It's flippin' weird.

The other concern is her online banking. We have changed her bank account password and I basically told her she's not allowed to look at her account on these devices until I get them wiped.

There was a suspicious looking pay "ad-blocker" app that I removed; otherwise no extensions on any of the browsers as far as I can tell.

Worth googling it to see what others say

Is there a chance someone has spoofed her SIM card and is intercepting information. It’s unlikely that the data is being leaked from the iPhone side.

https://www.certosoftware.com/insights/how-to-tell-if-your-sim-has-been-cloned-or-hacked/

Reviews made it seem legit, but I remain skeptical. Thanks for the thought though.

Plausible, but she doesn't access her bank account from the phone, only the imac.