Hackster is hosting Hackster Holidays, Ep. 7: Livestream & Giveaway Drawing. Watch previous episodes or stream live on Friday!Stream Hackster Holidays, Ep. 7 on Friday!

"Ghost Tap" Relay Attack Makes NFC Payment Fraud Not-So "Near" Field Any More

Publicly-available software turns a pair of smartphones into NFC relays, allowing contactless payment fraud over any distance.

Gareth Halfacree
1 month ago β€’ Security

Security analysts at ThreatFabric have warned of a new attack against contactless payment systems, in which near-field communication (NFC) card data is transmitted to a remote receiver anywhere in the world: Ghost Tap.

"During our recent investigations, ThreatFabric analysts came across a new cash-out tactic being actively used by the threat actors as well as promoted on underground forums," the company explains. "This [is a] new tactic we called 'Ghost Tap,' used by threat actors to cash-out money having stolen credit card details linked to mobile payment services like Google Pay or Apple Pay and involving relaying of NFC traffic."

A new relay attack against NFC contactless payment devices, dubbed Ghost Tap, has been exposed by security analysts. (πŸ“·: ThreatFabric)

Relay attacks are a common vector for vehicle theft: keyless entry and start systems are tricked by having an attacker use a radio to pick up the signal from the security fob and relay it to the vehicle β€” even if the fob is inside the victim's home at the time. Ghost Tap takes this concept and extends it to contactless payment via NFC β€” using a pair of smartphones running readily-available software in place of a radio.

"Cybercriminals can establish a relay between a device with stolen card and POS [Point of Sale] terminal at a retailer, staying anonymous and performing cash-outs on a larger scale," ThreatFabric explains. "The cybercriminal with stolen card can be far away from the location (even different country) where the card will be used as well as use the same card in multiple locations within short period of time."

The use of a relay server means that the transaction can take place away from the victim's location β€” even in another country. (πŸ“·: Cottonbro Studio)

The attack works by having the attacker read the victim's card details using any NFC-enabled Android device with the publicly-available NFCGate software installed; this connects the device to a relay server, and from there to another smartphone with the same tool installed. The remote smartphone can then be used to make a contactless payment β€” with the payment request transferred through the relay server and charged to the stolen card.

The full analysis, including suggested mitigations, is available on ThreatFabric's blog.

nfc
security
radio
smartphone
Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.
Latest articles
Sponsored articles
Related articles
Latest articles
Read more
Related articles