Payment Systems at Risk: “Ghost Tap” NFC Attacks Enable Payment Cash-Out by Criminals

Posted: December 12, 2024 | Updated: January 10, 2026 at 9:32 PM

Cybercriminals are using a new method built on near-field communication (NFC) to withdraw large amounts of money from victims’ accounts. The tactic, known as Ghost Tap, lets criminals execute financial transactions remotely using stolen payment card details, with a local accomplice completing the transaction in person.

The Ghost Tap cybercrime operation is reportedly responsible for significant global losses from mobile payment platforms like Google Pay and Apple Pay. The method allows criminals to distribute NFC card data to collaborators across the globe, enabling widespread financial theft.

Key Takeaways
  • Exploitation of NFC Technology: The “Ghost Tap” technique uses NFC to enable remote financial fraud, allowing cybercriminals to conduct unauthorized transactions without possessing the victim’s physical card or device.
  • Global Accomplice Network: Criminals distribute stolen payment card data to money mules worldwide, who act as proxies to complete transactions at retail locations, complicating detection and prevention efforts.
  • Sophisticated Malware Integration: These attacks often start with mobile banking malware that steals credentials and one-time passwords, enabling the linking of compromised cards to digital wallets like Apple Pay and Google Pay.
  • Detection Challenges: Ghost Tap attacks are hard to identify because they mimic legitimate transactions, involve geographically dispersed accomplices, and often use small amounts to avoid triggering fraud detection systems.

Cybercriminals Exploit NFC Technology with “Ghost Tap” for Remote Financial Fraud

Cybercriminals use a new “Ghost Tap” technique to exploit NFC (Near Field Communication) technology for fraudulent financial transactions. This method lets them make unauthorized purchases using stolen payment card details linked to mobile payment platforms like Apple Pay and Google Pay—all without needing the victim’s card or phone.

NFC is a wireless communication system that works within a short range of about 4 centimeters. It’s widely used for contactless payments, allowing devices like smartphones or credit cards to communicate with payment terminals. NFC operates at a frequency of 13.56 MHz and supports data transfer speeds ranging from 106 to 848 kbit/s. Its simplicity and convenience have made it popular in mobile payment systems.

The Ghost Tap approach has its roots in earlier technologies like NFCGate, an application initially developed by students at the Technical University of Darmstadt in Germany. NFCGate was meant to study NFC communications but was later misused by criminals. The app allowed the relay of NFC signals from payment cards, enabling transactions from a distance. Ghost Tap takes this concept further, allowing cybercriminals to remotely process payments without direct access to the victim’s device or card.

Ghost Tap’s subtle nature makes it particularly tricky to detect. Criminals don’t need continuous access to the victim or their devices. Instead, they rely on “money mules” who act as intermediaries to interact with point-of-sale (POS) terminals and complete the fraudulent transactions.

Cybercriminals often start these attacks by tricking victims into downloading malicious mobile apps to steal sensitive banking information. These apps target login details and one-time passwords (OTPs) through phishing emails, fake websites, keylogging, malware programs, or by manipulating the victim directly using social engineering tactics. Once installed, the malware can intercept OTPs sent via text messages or app notifications, allowing criminals to take over accounts or link stolen cards to mobile payment systems.

After obtaining the card details, the attackers add the card to a digital wallet like Google Pay or Apple Pay. They then use customized versions of tools like NFCGate to set up a communication link between their device and the device of a “money mule”—a person they’ve recruited to carry out financial transactions. This connection makes it look as if the mule’s device is the actual cardholder’s device. The mule can then use the stolen card details to make purchases or withdraw money at payment terminals without triggering alerts or deactivations by the bank.

In this type of attack, the person acting as the “money mule” goes to different stores to make purchases. They use data sent over a connection that relies on NFC technology, which allows devices to communicate when they’re close to each other. A relay server set up by the attackers lets the mule’s device talk with the attacker’s device in real time. This setup lets the mule make purchases without the physical card, so the unauthorized transactions go undetected.

ThreatFabric, the company that identified the technique’s adoption by street-level criminals and coined the term “Ghost Tap,” reported that a cybercriminal possessing a stolen card could initiate transactions from a different location, even from another country, and use the same card across various locations within a brief timeframe.

How do you detect Ghost Tap attacks and counter them?

Detecting Ghost Tap attacks can be difficult for several reasons, making them a significant challenge for banks and fraud detection systems.

  • First, these attacks make the fraudulent transactions look like they come from trusted devices. Because the transactions appear legitimate, it becomes incredibly hard to identify any unusual behavior that might suggest fraud. To the bank or payment processor, everything seems normal.
  • Second, the people carrying out these transactions, known as “money mules,” often operate in different locations. This geographical spread means the fraudulent transactions don’t happen in one area, making it tough to notice patterns that could help identify the attack. For example, a transaction might happen in one country, followed by another in a completely different place, adding layers of confusion to the investigation.
  • Lastly, the attackers are smart about keeping their transactions small. By making only minor purchases, they avoid triggering alarms in fraud detection systems, which are often set up to look for unusually large or suspicious spending. These small, low-risk transactions fly under the radar, allowing the criminals to carry out their schemes without drawing attention.

Financial institutions and consumers can adopt several key measures to counter Ghost Tap attacks. Enhanced monitoring is essential; institutions should closely watch for unusual activities, such as cards linked to unfamiliar devices, especially those connected with known malware.
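One way to turn these signals into a monitoring rule, shown as an added example rather than code from ThreatFabric or any payment provider: flag consecutive contactless taps on the same wallet token whose implied travel speed is physically impossible, regardless of amount, and note when the token was enrolled only recently. The field names, thresholds and sample records are assumptions constructed for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0          # assumed ceiling, roughly airliner cruise speed
NEW_TOKEN_HOURS = 48.0   # assumed window in which a wallet enrolment counts as recent
MIN_KM = 50.0            # assumed floor so nearby terminals do not trigger the rule

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_taps(taps, provisioned):
    """Return [(txn_id, reasons)] for taps on one token that imply impossible travel."""
    alerts, last = [], {}
    for t in sorted(taps, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(t["ts"])
        reasons = []
        prev = last.get(t["token"])
        if prev:
            hours = (ts - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[1], prev[2], t["lat"], t["lon"])
            # Amount is ignored on purpose: small purchases evade amount-based rules.
            if km > MIN_KM and (hours == 0 or km / hours > MAX_KMH):
                reasons.append("impossible_travel")
        enrolled = provisioned.get(t["token"])
        if reasons and enrolled:
            age = (ts - datetime.fromisoformat(enrolled)).total_seconds() / 3600
            if age <= NEW_TOKEN_HOURS:
                reasons.append("new_wallet_token")  # corroborating signal only
        if reasons:
            alerts.append((t["id"], reasons))
        last[t["token"]] = (ts, t["lat"], t["lon"])
    return alerts

# Constructed sample data (not real transactions): token -> wallet enrolment time.
PROVISIONED = {"tok_A": "2024-12-01T08:00:00", "tok_B": "2024-06-01T08:00:00"}
TAPS = [
    {"id": "t1", "token": "tok_A", "ts": "2024-12-01T10:00:00", "lat": 52.52, "lon": 13.40, "amount": 18.0},
    {"id": "t2", "token": "tok_A", "ts": "2024-12-01T10:20:00", "lat": 40.42, "lon": -3.70, "amount": 22.5},
    {"id": "t3", "token": "tok_B", "ts": "2024-12-01T09:00:00", "lat": 48.86, "lon": 2.35, "amount": 9.9},
    {"id": "t4", "token": "tok_B", "ts": "2024-12-01T09:30:00", "lat": 48.87, "lon": 2.33, "amount": 12.0},
]

if __name__ == "__main__":
    for txn_id, reasons in flag_taps(TAPS, PROVISIONED):
        print(txn_id, reasons)
```

The rule depends on the issuer receiving a usable terminal location for each card-present transaction; where only a merchant country is available, the same check can be run at country granularity.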

Behavioral analysis offers another layer of protection by using behavioral biometrics to detect deviations from typical user behavior, which can help identify potential fraud. Consumers also play a critical role by staying vigilant—regularly reviewing account statements for unauthorized transactions and promptly reporting any suspicious activity to their banks. Additionally, updating mobile devices and payment applications can guard against security vulnerabilities that attackers might exploit.

Conclusion

The emergence of “Ghost Tap” NFC attacks highlights a significant and evolving threat to modern payment systems. Cybercriminals can conduct remote financial transactions without a physical card or device by exploiting NFC technology and leveraging stolen payment card details. The involvement of global accomplices further complicates detection and prevention efforts.

As this method becomes more sophisticated, it underscores the urgent need for enhanced security measures in mobile payment platforms and stricter monitoring of NFC transactions. Financial institutions and consumers alike must stay vigilant and adopt proactive strategies to mitigate the risks posed by these advanced cyber threats.