Redazione RHC : 30 June 2025 12:58
A new series of cyber attacks has been detected by ESET specialists, which sees the contactless payments sector with NFC technology as the protagonist. This type of attack was initially detected among bank customers in the Czech Republic, but is now rapidly expanding worldwide.
According to the latest ESET Threat Report for the first half of 2025, the number of NFC attacks has increased by 35 times compared to the end of 2024. The alarming increase demonstrates how quickly criminals are exploiting vulnerabilities in the technology behind contactless payments, which works by transmitting data over distances of just a few centimeters using radio signals.
As the NFC market continues to grow rapidly (it is expected to grow in size from $21.69 billion in 2024 to $30.55 billion by 2029), previously developed security mechanisms, such as encryption and tokenization, are starting to give way to sophisticated attackers.
ESET has highlighted that the new scheme combines traditional social engineering, Android malware and phishing techniques with a tool initially designed for university research, known as NFCGate. Students at the Technical University of Darmstadt originally created this project to safely test NFC technology, but it was quickly adopted by criminals under the name NGate.
The attack begins by sending SMS messages with phishing links to fake banking websites. These ask the victim to install a progressive web application (PWA), which bypasses app store checks and is installed without security warnings. After entering the login and password, the scammers gain access to the bank account and contact the victim by phone, pretending to be a bank employee. Under this pretext, the victim is tricked into installing the NGate malware, supposedly to protect the account.
This virus uses NFCGate to intercept credit card data when the victim holds it close to their smartphone. The information obtained allows the attackers to emulate the card on their device and make payments or withdraw cash without leaving a trace.
A variant of the attack, called Ghost Tap, also appeared later. In this case, stolen card data and one-time confirmation codes are linked to the attackers’ e-wallets, such as Apple Pay or Google Pay. This allows them to organize fraudulent mass transactions via contactless payments. As experts point out, such schemes can be implementedusing entire farms of Android devices, where compromised data is uploaded en masse.
Despite the high complexity of the attacks, users can significantly reduce the risk by taking simple precautions. ESET emphasizesthe importance of not clicking on suspicious links or installing applications from dubious sources. It is also recommended toset minimum limits for contactless payments and use protective cases or cards with RFID blocking function to prevent unauthorized reading of data.
Redazione