The attack starts with stolen payment card details and one-time passwords (OTPs), often obtained through phishing campaigns or mobile malware. Fraudsters link these stolen cards to compromised mobile devices, bypassing security measures. Unlike past carding methods that cloned magnetic stripes, Ghost Tap exploits contactless payment systems using tools such as NFCGate, originally developed for NFC security testing.
By relaying NFC signals between two devices, attackers separate the transaction from authentication. A mule’s device interacts with a point-of-sale (POS) terminal, while a master device, often in another country, authorizes the transaction remotely. This technique allows fraudsters to make purchases in multiple locations simultaneously, making detection difficult.
Chinese cybercrime groups have refined phishing strategies, using smishing campaigns that impersonate postal services or toll operators to steal payment details. Advanced phishing kits capture data in real time, even if victims abandon the page. Some attackers also generate counterfeit card images that are scanned into Apple Pay or Google Wallet to trigger OTP verification. The ZNFC Android app, available for $500 per month, enables global NFC relay attacks, removing the need for physical card cloning and scaling operations across multiple mules.
Despite security measures like tokenization in Apple Pay and virtual cards in Google Wallet, financial institutions remain vulnerable due to weak authentication. Many banks still rely on SMS OTPs, which phishing and malware can easily intercept. Merchant adoption of 3-D Secure (3DS) remains inconsistent, further enabling fraud. Attackers keep transactions small, typically between $100 and $500, to bypass fraud detection thresholds. ThreatFabric estimates Ghost Tap-style attacks could generate $15 billion annually, with median losses of $250 per compromised card across thousands of phishing domains.
Financial institutions and payment providers must strengthen authentication and fraud detection. App-based authentication should replace SMS OTPs, and multi-factor verification should be required for mobile wallet enrollment. Fraud monitoring should track geographic inconsistencies and impossible travel speeds, such as transactions in different countries within minutes. POS terminals should be upgraded to detect NFC relay delays, and the EMVCo standard for transaction timestamping should be widely adopted. Raising user awareness about phishing tactics, such as unsolicited OTP requests, is essential. Apple Pay and Google Wallet never initiate verification requests, making user education a critical line of defense.
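The impossible-travel check recommended above can be sketched as follows. This is an added example, not code from ThreatFabric or any payment network; the record layout, token names, and both thresholds are assumptions, and the sample transactions are constructed.

```python
import math
from datetime import datetime

# Constructed sample records: (wallet_token, UTC time, terminal lat, terminal lon)
SAMPLE_TXNS = [
    ("tok-A", "2025-03-01T10:00:00", 52.5200, 13.4050),   # Berlin
    ("tok-A", "2025-03-01T10:04:00", 40.7128, -74.0060),  # New York, 4 min later
    ("tok-A", "2025-03-01T10:05:30", 52.5205, 13.4100),   # Berlin again
    ("tok-B", "2025-03-01T09:00:00", 48.8566, 2.3522),    # Paris
    ("tok-B", "2025-03-01T13:00:00", 51.5074, -0.1278),   # London, 4 h later
]

MAX_SPEED_KMH = 900.0   # assumption: about airliner cruise speed
MIN_DISTANCE_KM = 50.0  # assumption: ignore hops between nearby terminals


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(txns, max_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return (token, time, km, kmh) for each tap unreachable from the previous one."""
    alerts, last = [], {}
    for token, ts, lat, lon in sorted(txns, key=lambda t: (t[0], t[1])):
        when = datetime.fromisoformat(ts)
        if token in last:
            prev_when, prev_lat, prev_lon = last[token]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Taps at the same instant in distant places imply infinite speed.
            kmh = km / hours if hours > 0 else float("inf")
            if km >= min_km and kmh > max_kmh:
                alerts.append((token, ts, round(km), kmh))
        last[token] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for token, ts, km, kmh in impossible_travel(SAMPLE_TXNS):
        print(f"ALERT {token} at {ts}: {km} km from previous tap ({kmh:,.0f} km/h)")
```

Keying on the wallet token rather than the merchant is what surfaces one enrolled card being tapped by mules in several places; the distance floor keeps back-to-back purchases at neighbouring terminals from alerting.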
As NFC-based fraud techniques evolve, collaboration between banks, payment networks, and device manufacturers is crucial. AI-driven fraud detection and stronger authentication protocols must be implemented before cybercriminals refine their tactics further.
Source: Cyber Security News
The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities.