Hackers Exploit NFC to Steal Funds Through Mobile Payments

Cybercriminals are adopting a sophisticated attack method called “Ghost Tap,” which uses near-field communication (NFC) technology to drain funds from mobile payment services like Google Pay and Apple Pay. This method allows attackers to relay payment data from stolen credit cards between locations around the world in real time.

The attack typically starts by infecting victims with banking malware, which captures sensitive information such as banking credentials and one-time passwords. This malware often uses techniques like overlay attacks, keylogging, or even voice phishing to steal data.

Once attackers obtain the victim’s card details, they link the card to a mobile payment service. To avoid detection by card issuers, the stolen payment information is relayed to a “mule,” who makes fraudulent purchases in physical stores.

Key to the operation is NFCGate, a legitimate research tool designed for analyzing and modifying NFC traffic. Cybercriminals misuse this tool to transmit NFC data between devices via a server.

One device acts as a reader to capture NFC traffic, while another emulates an NFC tag using Host Card Emulation (HCE). Although NFCGate has been exploited before, this is the first time it has been used to relay payment data for large-scale fraud.

With this technique, hackers can coordinate operations remotely. For example, an attacker can link a stolen card in one location and use it in multiple stores across different countries simultaneously. The ability to quickly scale these attacks, often by employing numerous mules in various locations, significantly complicates detection efforts.
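An issuer-side check for the pattern described above, one linked card tapped in stores in different countries at nearly the same time, as an added example that is not from the original article: it flags consecutive taps on the same wallet token whose implied travel speed is physically impossible. The record fields, the 900 km/h ceiling, the 50 km floor and the sample taps are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed
MIN_KM = 50.0    # assumed floor so nearby shops in one city are ignored

@dataclass
class Tap:
    token: str      # wallet token the card was linked to (hypothetical field)
    when: datetime  # authorisation time
    lat: float      # terminal latitude, as known to the issuer (assumption)
    lon: float      # terminal longitude
    terminal: str   # terminal identifier

def km_between(a, b):
    """Great-circle distance between two taps in km (haversine formula)."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(taps, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (token, earlier terminal, later terminal, km, hours) for each pair
    of consecutive taps on one token that no traveller could have made."""
    by_token = defaultdict(list)
    for tap in taps:
        by_token[tap.token].append(tap)
    alerts = []
    for token, seq in by_token.items():
        seq.sort(key=lambda t: t.when)
        for prev, cur in zip(seq, seq[1:]):
            km = km_between(prev, cur)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Comparing km with max_kmh * hours avoids dividing by zero
            # when two taps carry the same timestamp.
            if km >= min_km and km > max_kmh * hours:
                alerts.append((token, prev.terminal, cur.terminal, round(km), round(hours, 2)))
    return alerts

# Constructed sample records, not real transaction data.
SAMPLE = [
    Tap("tok-A", datetime(2024, 11, 20, 10, 0), 52.5200, 13.4050, "berlin-01"),
    Tap("tok-A", datetime(2024, 11, 20, 10, 7), 40.4168, -3.7038, "madrid-07"),
    Tap("tok-A", datetime(2024, 11, 20, 10, 9), 48.8566, 2.3522, "paris-03"),
    Tap("tok-B", datetime(2024, 11, 20, 9, 0), 51.5074, -0.1278, "london-02"),
    Tap("tok-B", datetime(2024, 11, 20, 9, 30), 51.5155, -0.0922, "london-09"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE):
        print(alert)
```

The check needs at least two taps on the same token, so it covers only the multi-location pattern and belongs alongside other controls rather than in place of them.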

Fraudulent transactions appear as if they originate from the victim’s device, bypassing anti-fraud systems. Additionally, the attacker’s device can remain in airplane mode, making it harder to trace its actual location or activity.

This anonymity, combined with the speed of modern communication networks, allows attackers to execute transactions far from where the victim’s card is physically located, all while avoiding time-based fraud detection systems at point-of-sale (PoS) terminals.

The flexibility of this tactic also makes it lucrative for criminals, as they can use it to purchase gift cards or other goods at offline retailers without being physically present. The method’s scalability and effectiveness present serious challenges for financial institutions and retailers alike.

To mitigate the risk of Ghost Tap and similar attacks, users should avoid installing apps from unverified sources and remain cautious of phishing attempts. Enabling strong authentication measures, such as biometric verification or multi-factor authentication (MFA), on mobile payment services can also provide an added layer of security.