Ghost Tap: A New NFC-Based Fraud Tactic Gaining Traction

In recent years, paying via NFC on one’s phone has become increasingly common, as it is both safer and more convenient than carrying a wallet everywhere. Naturally, as technology progresses, so do cybercriminals. Now, a recently discovered tactic, dubbed “Ghost Tap,” highlights the growing use of NFC-based fraud in mobile payment systems. This new approach, identified by ThreatFabric analysts, allows fraudsters to scale cash-outs from stolen credit card details linked to services like Apple Pay and Google Pay, all while remaining anonymous.

Ghost Tap leverages NFC (Near Field Communication) technology, which powers mobile payment systems. Using tools like NFCGate, originally created for academic research, cybercriminals can relay NFC traffic between two devices. Here’s how it works: the attacker uses a device with a stolen card linked to a mobile payment service. They then use a “mule” – another device – to interact with a retailer’s POS terminal, completing the transaction. The attacker can be miles away from the store, and the cardholder’s device may not even be physically near the point of sale.

To initiate this fraud, attackers first steal credit card details and link them to a mobile payment system. This is typically done through malware or phishing, which allows the criminals to intercept OTP (One-Time Password) codes needed to link the card. Once linked, the attacker can make fraudulent purchases in multiple locations within a short period, avoiding detection by spreading out the transactions.

The Ghost Tap method provides criminals with the ability to scale fraud quickly and efficiently. By relaying NFC traffic, fraudsters can make several low-value transactions at different locations without raising red flags. Traditional fraud detection systems may miss these types of activities, as the transactions seem to originate from the same device and often occur below the threshold for suspicious activity.

Additionally, by using this technique, fraudsters can bypass location-based security measures, like detecting mismatched geographic locations between the device and the store. This makes it harder to trace the fraud back to the attacker.

For financial institutions, detecting Ghost Tap fraud is difficult. The transactions look legitimate because they come from the same linked device, and there are no clear signs of a second device being involved. Moreover, attackers can place the device in “airplane mode,” obscuring its actual location.

Financial organizations need to watch for red flags such as new device pairings, transactions happening across distant locations in a short time, or signs of mobile malware on customer devices.
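The red flags above can be combined into a simple issuer-side check. The following is an added example, not code from ThreatFabric or the original article: it flags taps on the same wallet token whose terminal locations imply impossible travel, and raises the severity when the token was enrolled recently. The record fields, thresholds and sample data are assumptions made for illustration.

```python
import math
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against real traffic.
MAX_KMH = 900.0                  # faster than this between taps is not physical travel
MIN_KM = 50.0                    # ignore terminal geolocation noise
NEW_PAIRING = timedelta(days=7)  # wallet enrollment still counted as "new"

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_relay_candidates(txns, enrolled_at):
    """Return (txn_id, severity) for taps that imply impossible travel.

    Severity is 'high' when the wallet token was also enrolled recently,
    i.e. both red flags (new pairing, distant locations) coincide.
    """
    alerts, last = [], {}
    for t in sorted(txns, key=lambda t: t["ts"]):
        prev = last.get(t["token"])
        last[t["token"]] = t
        if prev is None:
            continue
        km = haversine_km(prev["pos"], t["pos"])
        hours = (t["ts"] - prev["ts"]).total_seconds() / 3600
        # Multiplying instead of dividing also handles identical timestamps.
        if km > MIN_KM and km > MAX_KMH * hours:
            recent = t["ts"] - enrolled_at[t["token"]] <= NEW_PAIRING
            alerts.append((t["id"], "high" if recent else "medium"))
    return alerts

# Constructed sample data (not real transactions); pos is the POS terminal location.
D = datetime
ENROLLED = {"tok-A": D(2024, 11, 18, 8, 0), "tok-B": D(2023, 5, 1, 12, 0)}
TXNS = [
    {"id": "t1", "token": "tok-A", "ts": D(2024, 11, 20, 10, 0), "pos": (52.52, 13.405)},     # Berlin
    {"id": "t2", "token": "tok-A", "ts": D(2024, 11, 20, 10, 20), "pos": (40.4168, -3.7038)},  # Madrid
    {"id": "t3", "token": "tok-B", "ts": D(2024, 11, 20, 9, 0), "pos": (52.52, 13.405)},      # Berlin
    {"id": "t4", "token": "tok-B", "ts": D(2024, 11, 20, 11, 0), "pos": (52.39, 13.065)},     # Potsdam
]

if __name__ == "__main__":
    print(flag_relay_candidates(TXNS, ENROLLED))
```

The check keys on the terminal's location rather than the phone's, so it still applies when the device holding the card reports no location of its own.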

The rise of Ghost Tap highlights the increasing sophistication of NFC-based fraud. As cybercriminals find new ways to exploit mobile payment systems, financial institutions and retailers must enhance their fraud detection systems to protect customer assets and stay ahead of these evolving threats.