"Ghost Tap" Relay Attack Makes NFC Payment Fraud Not-So "Near" Field Any More
Publicly-available software turns a pair of smartphones into NFC relays, allowing contactless payment fraud over any distance.
Security analysts at ThreatFabric have warned of a new attack against contactless payment systems, dubbed Ghost Tap, in which near-field communication (NFC) card data is transmitted to a remote receiver anywhere in the world.
"During our recent investigations, ThreatFabric analysts came across a new cash-out tactic being actively used by the threat actors as well as promoted on underground forums," the company explains. "This [is a] new tactic we called 'Ghost Tap,' used by threat actors to cash-out money having stolen credit card details linked to mobile payment services like Google Pay or Apple Pay and involving relaying of NFC traffic."
Relay attacks are a common vector for vehicle theft: keyless entry and start systems are tricked by having an attacker use a radio to pick up the signal from the security fob and relay it to the vehicle — even if the fob is inside the victim's home at the time. Ghost Tap takes this concept and extends it to contactless payment via NFC — using a pair of smartphones running readily-available software in place of a radio.
"Cybercriminals can establish a relay between a device with stolen card and POS [Point of Sale] terminal at a retailer, staying anonymous and performing cash-outs on a larger scale," ThreatFabric explains. "The cybercriminal with stolen card can be far away from the location (even different country) where the card will be used as well as use the same card in multiple locations within short period of time."
The attack works by having the attacker read the victim's card details using any NFC-enabled Android device with the publicly-available NFCGate software installed; this connects the device to a relay server, and from there to another smartphone with the same tool installed. The remote smartphone can then be used to make a contactless payment — with the payment request transferred through the relay server and charged to the stolen card.
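The cash-out pattern described above, one token tapped at terminals too far apart to have been reached in the elapsed time, is also what an issuer can look for. The following is an added example, not ThreatFabric's or NFCGate's code: a velocity check over tap-to-pay transaction records, where the record fields, the speed threshold and the sample taps are constructed assumptions.

```python
"""Velocity ("impossible travel") check for tokenised tap-to-pay transactions.

Added example, not ThreatFabric's code. Ghost Tap relays one stolen wallet
token to POS terminals far apart within minutes; on the issuer side the
implied travel speed between consecutive taps of the same token is a simple
relay signal. Field names, threshold and sample records are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; assumed threshold, tune per portfolio


@dataclass(frozen=True)
class Tap:
    token: str      # payment token of the card provisioned in the mobile wallet
    ts: int         # Unix time (seconds) reported by the POS
    lat: float      # terminal latitude (WGS-84)
    lon: float      # terminal longitude (WGS-84)
    merchant: str   # constructed merchant identifier


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS-84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_impossible_travel(taps, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (token, earlier merchant, later merchant, implied km/h) for each
    pair of consecutive taps of one token whose implied speed exceeds max_kmh."""
    by_token = {}
    for t in sorted(taps, key=lambda t: t.ts):
        by_token.setdefault(t.token, []).append(t)
    alerts = []
    for token, seq in by_token.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = max(cur.ts - prev.ts, 1) / 3600.0  # guard same-second taps
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((token, prev.merchant, cur.merchant, round(kmh)))
    return alerts


# Constructed sample: tok-A is tapped in Amsterdam, in Warsaw 12 minutes later,
# then in Amsterdam again; tok-B is only ever used locally, an hour apart.
SAMPLE_TAPS = [
    Tap("tok-A", 1700000000, 52.3676, 4.9041, "AMS-store-1"),
    Tap("tok-A", 1700000720, 52.2297, 21.0122, "WAW-store-7"),
    Tap("tok-A", 1700001500, 52.3702, 4.8952, "AMS-store-2"),
    Tap("tok-B", 1700000100, 52.3676, 4.9041, "AMS-store-1"),
    Tap("tok-B", 1700003700, 52.3730, 4.8924, "AMS-store-3"),
]

if __name__ == "__main__":
    for alert in flag_impossible_travel(SAMPLE_TAPS):
        print("relay-suspected:", alert)
```

Taps arriving out of order are handled by the sort, but the check only sees what the issuer receives, so offline-approved transactions that clear late will be evaluated against a stale timeline.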
The full analysis, including suggested mitigations, is available on ThreatFabric's blog.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.