Threat actors are exploiting a new cash-out tactic called “Ghost Tap” to siphon funds from stolen credit card details linked to mobile payment services like Google Pay or Apple Pay, which involves relaying NFC traffic, enabling unauthorized transactions without physical access to the victim’s device.Â
By understanding this emerging threat, financial institutions can enhance their security measures to protect customer assets and mitigate the risks associated with this sophisticated cash-out technique.
Cybercriminals are leveraging NFCGate to relay NFC traffic between devices, enabling them to cash out funds from stolen cards linked to mobile payment systems like Apple Pay and Google Pay.
Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders –Â Attend Free Webinar
By exploiting vulnerabilities in these systems, attackers can obtain OTPs and link stolen cards to their devices, which allows them to make payments at offline retailers anonymously and at scale, bypassing traditional security measures and increasing the efficiency of their fraudulent activities.
NFCGate is a legitimate research tool used to facilitate large-scale, anonymous cash-outs, where remotely controlling a device with a stolen card linked to a mobile payment system, attackers can direct mules to specific retailers.
The mules, using NFCGate-enabled devices, initiate transactions at the POS terminals.
The transaction data is relayed to a server, enabling the attacker to monitor and control the process, which allows for widespread, coordinated fraud operations, bypassing traditional geographic and logistical constraints.Â
Recent cyberattacks leverage NFC technology, exploiting vulnerabilities in network infrastructure and device security, where malicious software like NFSkate targets mobile devices, while NFCGate-based tools compromise physical cards.
Relay attacks, enabled by network latency, allow remote transactions using stolen card data.
To mitigate these threats, NFC readers should implement time-based detection mechanisms to identify discrepancies between device location and transaction location.
When it comes to detecting suspicious activity and preventing unauthorized access, mobile payment services need to also improve their security measures.
According to Threat Fabric, cybercriminals exploit the Ghost Tap technique to bypass anti-fraud measures by making multiple small, seemingly legitimate NFC payments, which often involve compromised devices and airplane mode, that can go undetected.Â
Financial institutions must proactively monitor for unusual device pairings, rapid, geographically impossible transactions, and suspicious device behavior to identify and prevent such fraudulent activity.
The detection of potential device compromises at an early stage is absolutely necessary in order to reduce the likelihood of subsequent Ghost Tap attacks.
Cybercriminals can exploit publicly accessible technology to remotely initiate NFC transactions, enabling unauthorized cash-outs, which make it difficult to detect and mitigate.
Retailers and financial institutions must implement advanced detection models, robust security measures, and industry collaboration to safeguard against these emerging threats and protect customer assets.
Are you from SOC/DFIR Teams? –Â Analyse Malware Files & Links with ANY.RUN -> Try for Free