What Ghost Tap is and how to defend yourself from it: the scam that steals money from credit cards via NFC

Cyber attacks and online scams never stop evolving, and “Ghost Tap” is just the latest discovery in the field of cybersecurity. This criminal technique, discovered by cybersecurity experts at ThreatFabric, is based on the use of NFC (Near Field Communication) technology to transfer money from stolen credit cards connected to payment services such as Apple Pay or Google Pay. Cybercriminals are able to transmit stolen card data over a remote connection, allowing physically distant accomplices to make transactions without ever having to show a real card.

Using tools like NFCGate, software developed for academic purposes but transformed into a “cyber weapon” by criminals, Ghost Tap allows fraudsters to make purchases in various places at the same time, maintaining anonymity and bypassing traditional anti-fraud systems. Defending against this threat requires a combination of caution in the use of devices and active monitoring by banking institutions. When either is missing, criminals find room to carry out their attacks.

Ghost Tap: what it is and how it was discovered

The cybersecurity experts at ThreatFabric discovered the Ghost Tap phenomenon after coming across a post on a forum, in which a first user claimed to be able to “send an Apple Pay or Google Pay card from one smartphone to another to carry out a transaction using the integrated NFC chip” and where a second user asserted that “there are also other people who offer a similar method, transactions are made using the NFC reader built into the phone”. This is how the investigations began that led to the discovery of the technique in question, renamed by experts as “Ghost Tap”.

Ghost Tap represents an advanced form of cash-out, the process by which scammers turn stolen data into money or tangible goods. It all starts with the theft of credit card data, which generally happens through the dissemination of banking malware, phishing attacks and overlay attacks (a computer fraud technique in which criminals overlay a fake interface on top of the legitimate interface of an application, such as a banking app). With these actions, criminals take possession of both their victims’ credit card data and the OTP (One-Time Password) codes usually used to associate the card with a mobile device. Then, using software like NFCGate, they transfer the information to a network of accomplices, known in jargon as “money mules”, who physically execute transactions at POS (Point of Sale) payment terminals.

NFC, used in devices such as smartphones and payment terminals for contactless transactions, at this point becomes the means to get around physical distance. Transactions take place very quickly and in places far from the criminals themselves. Purchases can be completed in multiple places at the same time and without arousing immediate suspicion, given that they appear legitimate on the surface. As stated in the report, “hackers can establish a relay between a stolen card device and a retailer’s POS terminal, remaining anonymous and making large-scale cash-outs”.

The following diagram illustrates how the Ghost Tap attack occurs. The hacker has a device (iPhone or Android) with a stolen card stored in a Wallet app. They then use an Android device with an NFC-specific app called NFCGate, which serves as a relay (or “bridge”). The device reads the POS payment request via NFC and forwards it to a central server. At this point the attacker’s infrastructure comes into play, consisting of the server (accessible globally), which manages communications between the attacker and the money mule network. The server receives the payment request and sends it to the scammer’s second device. Another device receives the request via an app that transmits the NFC signal to the POS. The device then makes the POS believe that the card is physically saved on the smartphone used to complete the attack, and the payment is effectively authorized.

Ghost Tap operating diagram. Credit: ThreatFabric.

How to defend yourself from the Ghost Tap technique

Defending yourself against such sophisticated attacks is not easy. What can definitely help you avoid Ghost Tap is being very careful not to click on suspicious links or download unsafe apps that could install banking malware on your device. Using two-factor authentication can also reduce risk, but it is essential to stay vigilant about SMS messages or notifications that ask you to enter OTP codes.

We also recommend that you constantly monitor the activity on your account, looking for transactions from locations far away from you as well as transactions repeated within a short period of time of each other. If you notice anything anomalous of this kind, contact your bank immediately and report the incident.

In addition to this, banks and merchants also have a responsibility to identify suspicious situations. As stated in the conclusion of the ThreatFabric report, “detecting and mitigating such fraud will require advanced detection models, robust security measures, and collaboration within the industry to keep pace with this emerging threat and effectively protect customer assets”.
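
The two warning signs described above, taps far apart in space but close in time and taps repeated within a short period, can be checked mechanically on the issuer side. The following Python is an added example, not taken from ThreatFabric's report; the record fields, the availability of terminal coordinates and the thresholds are assumptions, and the sample taps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0        # assumed ceiling: roughly airliner speed
BURST_WINDOW_S = 120   # assumed: earlier taps within this window count towards a burst
BURST_COUNT = 3        # assumed: this many taps inside the window is suspicious

@dataclass
class Tap:
    card: str          # tokenised card reference (hypothetical field)
    ts: datetime       # authorisation time
    lat: float         # POS terminal latitude (assumed to be known to the issuer)
    lon: float         # POS terminal longitude

def haversine_km(a, b):
    """Great-circle distance between two taps in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_taps(taps):
    """Return (tap, reason) pairs for taps that match either warning sign."""
    alerts, history = [], {}
    for tap in sorted(taps, key=lambda t: t.ts):
        seen = history.setdefault(tap.card, [])
        if seen:
            prev = seen[-1]
            km = haversine_km(prev, tap)
            hours = (tap.ts - prev.ts).total_seconds() / 3600
            # Ignore hops under 1 km; flag same-instant or faster-than-flight hops.
            if km > 1 and (hours == 0 or km / hours > MAX_KMH):
                alerts.append((tap, "impossible_travel"))
        recent = [p for p in seen if (tap.ts - p.ts).total_seconds() <= BURST_WINDOW_S]
        if len(recent) + 1 >= BURST_COUNT:
            alerts.append((tap, "burst"))
        seen.append(tap)
    return alerts

# Constructed sample data: tok-A is relayed, tok-B is a burst, tok-C is a normal trip.
SAMPLE = [
    Tap("tok-A", datetime(2024, 11, 20, 10, 0, 0), 45.4642, 9.1900),   # Milan
    Tap("tok-A", datetime(2024, 11, 20, 10, 4, 0), 41.9028, 12.4964),  # Rome, 4 min later
    Tap("tok-B", datetime(2024, 11, 20, 10, 0, 0), 45.4642, 9.1900),
    Tap("tok-B", datetime(2024, 11, 20, 10, 0, 40), 45.4650, 9.1910),
    Tap("tok-B", datetime(2024, 11, 20, 10, 1, 30), 45.4655, 9.1905),
    Tap("tok-C", datetime(2024, 11, 20, 9, 0, 0), 45.4642, 9.1900),
    Tap("tok-C", datetime(2024, 11, 20, 18, 0, 0), 41.9028, 12.4964),  # 9 h later: plausible
]
```

Calling `flag_taps(SAMPLE)` flags the second tok-A tap as impossible travel and the third tok-B tap as a burst, while the tok-C journey passes.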