Hackers Use Apple Pay and Google Wallet to Hide Malicious NFC Carders

In a concerning development for digital payment security, cybercriminals have leveraged popular mobile payment platforms like Apple Pay and Google Wallet to conduct sophisticated scams involving malicious NFC card readers (known as carders).

These cyberattacks exploit vulnerabilities in mobile payment systems and victims’ trust, enabling seamless access to stolen payment card data and unauthorized transactions without requiring PINs, OTPs, or direct physical card access.

How Cybercriminals Exploit Mobile Payment Systems

Emerging techniques showcase an alarming shift from traditional card fraud methods to more advanced phishing operations and NFC relay attacks.

Initially, attackers create networks of convincing fake websites mimicking delivery services, utility payment platforms, or popular online stores.

These phishing sites prompt unsuspecting users to enter their payment card credentials, including sensitive details like the card number, expiration date, CVV/CVC code, and the OTP generated for ownership verification.

Once phished, attackers use specialized software to replicate the stolen card as an image. This fake card is then linked to a mobile wallet on the cybercriminal’s smartphone.

Apple Pay or Google Wallet accounts created on these devices effectively serve as the conduit for fraudulent transactions.

The scammers either shop at physical stores using NFC-enabled payment terminals or funnel money through fake merchant accounts on legitimate e-commerce platforms.

Adding to the sophistication, attackers have adopted an NFC relay technique dubbed “Ghost Tap.”

According to Kaspersky, the attackers use legitimate apps like NFCGate to relay payment data from one smartphone (containing linked stolen card credentials) to another device.

The second device is wielded by a “mule” who completes contactless transactions at stores or ATMs without carrying incriminating evidence.

This method enables cybercriminal networks to cash out large sums rapidly and safely, often across multiple locations simultaneously.
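A relayed wallet token cashed out by mules in several places at once leaves a trace on the issuer side: the same token appears at terminals too far apart for one phone to reach in the elapsed time. The sketch below is an added example, not code from the original article or from Kaspersky's report; the record fields, thresholds, and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling on plausible travel speed (about airliner cruise)
MIN_KM = 1.0     # assumed floor: ignore neighbouring terminals in the same venue

@dataclass(frozen=True)
class Tap:
    token: str      # wallet device token (hypothetical field name)
    ts: datetime    # authorisation time
    lat: float      # terminal latitude
    lon: float      # terminal longitude
    terminal: str   # terminal identifier

def km_between(a, b):
    """Great-circle (haversine) distance between two terminals in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(taps):
    """Return (token, from_terminal, to_terminal, km) for implausible hops."""
    by_token = defaultdict(list)
    for tap in taps:
        by_token[tap.token].append(tap)
    alerts = []
    for token, seq in by_token.items():
        seq.sort(key=lambda t: t.ts)
        for prev, cur in zip(seq, seq[1:]):
            dist = km_between(prev, cur)
            if dist < MIN_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Simultaneous taps at distant terminals are the strongest signal.
            if hours == 0 or dist / hours > MAX_KMH:
                alerts.append((token, prev.terminal, cur.terminal, round(dist)))
    return alerts

# Constructed sample: tok-A is used in two cities four minutes apart,
# tok-B makes the same trip over nine hours.
SAMPLE = [
    Tap("tok-A", datetime(2025, 1, 10, 12, 0), 55.7558, 37.6173, "POS-MOW-1"),
    Tap("tok-A", datetime(2025, 1, 10, 12, 4), 59.9311, 30.3609, "ATM-SPB-7"),
    Tap("tok-B", datetime(2025, 1, 10, 9, 0), 55.7558, 37.6173, "POS-MOW-2"),
    Tap("tok-B", datetime(2025, 1, 10, 18, 0), 59.9311, 30.3609, "POS-SPB-3"),
]
```

Only the `tok-A` pair is flagged; a production rule would also need to account for terminals with missing or wrong location data.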

Innovative Social Engineering Schemes

Towards the end of 2024, cybercriminals introduced a more insidious model of NFC fraud, targeting users in Russia and testing global scalability.

This time, attackers don’t explicitly ask for card details. Instead, they persuade victims to install unofficial apps purportedly linked to government services, financial institutions, or similarly trusted entities.

Under the guise of “verification” or “authorization,” these apps prompt users to place their physical card against their phone and enter a PIN.

The fraudulent app reads and transmits the card data (including PIN) to the attacker in real time, enabling unauthorized purchases, cash withdrawals, or money laundering via NFC-enabled ATMs.

This scam bypasses traditional anti-fraud systems by emulating legitimate transactions, making detection difficult.

According to the report, a further variation involves manipulating victims into “depositing” funds into a “safe account.”

Using social engineering tactics, the attacker relays their substituted card data to the ATM, allowing the transferred funds to be redirected to the scammer’s account while leaving the victim unaware until much later.

These rapidly evolving attack vectors pose challenges for payment infrastructures worldwide.

By exploiting widespread trust in mobile wallets and contactless payment systems, cybercriminals have created scalable opportunities for fraud through a blend of technology and deceptive practices.

With rising adoption rates for digital payment apps, the risks are poised to impact consumers, banks, and retailers globally.

In light of these developments, additional safeguards are necessary to curb such exploits.

While payment platforms like Apple Pay and Google Wallet must enhance security protocols and authentication measures, users should also take proactive steps to protect themselves:

  • Use Virtual Cards for online transactions, restricting their balance to minimize exposure.
  • Avoid Installing Unauthorized Apps that request NFC interactions or PINs. Stick to trusted and verified sources for downloads.
  • Switch Cards Regularly by blocking older cards and generating new virtual card numbers periodically.
  • Restrict NFC Use at ATMs, favoring traditional plastic cards for withdrawals.
  • Enable Real-Time Transaction Alerts to detect suspicious activities early and contact your bank promptly.
  • Install Security Solutions on all devices to identify phishing sites and malicious apps before they compromise sensitive data.

As hackers continue exploiting the vulnerabilities of digital payments, organizations and users must stay informed and vigilant.

While platforms like Apple Pay and Google Wallet provide convenience, they also require robust defense mechanisms to combat increasingly sophisticated fraud tactics.

Strengthening user awareness and improving security infrastructure remains central to safeguarding the financial ecosystem against this rising threat.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
