NFC scams: How Apple Pay and Google Wallet are used to steal from cards

Although the security of payment cards is constantly improving, scammers continue to find new ways to steal money.

In the past, cybercriminals would trick the victim into handing over card details through a fake online store or some other fraud, then create a physical copy of the card by "writing" the stolen data to a magnetic stripe.

This let them shop in stores and even withdraw cash from ATMs without a problem. Although the introduction of chip cards and one-time passwords (OTPs) made life much more difficult for fraudsters, they managed to adapt.

The shift to mobile payments has strengthened resilience against certain types of fraud, but it has also created new opportunities for scammers, who, after stealing a card number, now try to link it to their own Apple Pay or Google Wallet account.

Once that is done, they use the account on their smartphone to make payments with the victim's card, in regular stores or even at fake NFC outlets.

How card details are stolen

Such cyberattacks require large-scale preparation. The attackers create networks of fake websites designed to steal payment information. These websites may mimic delivery services, big online stores, or even platforms for paying bills or traffic fines. Cybercriminals also buy dozens of smartphones, create Apple or Google accounts on them, and install contactless payment applications.

Then comes the next stage: when the victim is directed to a fake website, they are asked to link their card or make a small payment. This requires entering the card details and confirming ownership of the card with an OTP. In fact, however, the card is not charged at that time.

What exactly is going on? The victim's data is transferred almost immediately to the cybercriminals, who try to link the card to a mobile wallet on their own smartphone. The OTP is required to authorize this procedure. To speed up and simplify it, the scammers use special software that takes the data and creates a perfect virtual copy of the card. It is then enough to take a photo of this image from Apple Pay or Google Wallet. The exact process of linking a card to a digital wallet depends on the country and the bank, but usually nothing is required beyond the card number, the expiry date, the cardholder's name, the CVV/CVC and the OTP. All of this can be harvested in a single attempt and used immediately.

To make their attacks even more effective, cybercriminals use other tricks. First, even if the victim realizes the risk before pressing the submit button, any data already typed into the forms is sent to the criminals, even if it is only a few characters or an unfinished entry. Second, the fake website may report that the payment has failed and ask the victim to try a different card. In this way, criminals can steal the details of two or three cards in a single attempt.

The cards are not charged immediately, and many people, seeing nothing suspicious in their bank statement, forget the incident.

How the money is taken from the cards

Cybercriminals can link dozens of cards to one smartphone without immediately trying to spend money from them. This smartphone, loaded with card numbers, is then sold on the dark web. Weeks or even months may pass between the data theft and its actual use. But when the unpleasant day arrives, criminals may decide to spend money on luxury items in a physical store by simply making a contactless payment from a phone holding stolen card data.

Alternatively, they can set up their own fake store on a legitimate e-commerce platform and charge for non-existent products. Some countries even allow ATM cash withdrawals using an NFC-enabled smartphone. In all the above cases, no PIN or OTP confirmation is required, so money can be taken until the victim blocks the card.

To speed up the transfer of digital wallets to underground buyers, and to reduce the risk for those who make the payments in stores, the attackers have begun to use an NFC relay technique called Ghost Tap. Specifically, they first install a legitimate application such as NFCGate on two smartphones: one holds the mobile wallet with the stolen cards, while the other is used directly for payments. This application relays the NFC data of the first phone, in real time over the internet, to the NFC interface of the second phone, which the criminals' accomplice (known as a "mule") holds to the payment terminal.

Most payment terminals in offline stores and many ATMs cannot distinguish the relayed signal from an authentic one, allowing the mule to easily pay for goods (or gift cards, which make it easier to launder the stolen money). If the mule is arrested in the store, there is nothing incriminating on the smartphone apart from the legitimate NFCGate application. There are no stolen card numbers, as they are stored on the smartphone of the mastermind of the operation, who can be located anywhere, even in another country. This method allows fraudsters to cash out large amounts quickly and safely, because many mules can pay almost simultaneously with the same stolen card.

How you can lose money by tapping your card on your phone

At the end of 2024, scammers devised a new variant of the NFC relay and successfully tested it on users in Russia, and there is nothing to prevent this campaign from expanding worldwide. In this case, the victims are not even asked to provide their card details. Instead, using social engineering tactics, the attackers persuade them to install a supposedly useful application on their smartphone, one that pretends to be a government, banking or other service. Since many such banking and government applications in Russia have been removed from official stores due to sanctions, unsuspecting users readily agree to install them. The victim is then asked to hold the card to the smartphone and enter the PIN for "authorization" or "verification" purposes.

Obviously, the installed application has nothing to do with its description. In the first wave of these attacks, the victims received an NFC relay tool presented to them as a "useful application". The app read the card when they held it to the smartphone and transmitted its data, along with the PIN, to the attackers, who used it to shop or to make cash withdrawals at NFC-enabled ATMs. Russian banks' anti-fraud systems quickly learned to detect such payments from the mismatch between the geographic locations of the victim and the payer, so in 2025 the method changed, though not its essence.
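The location-mismatch signal described above, together with the near-simultaneous use of one card by several mules in the Ghost Tap scheme, can be expressed as an impossible-travel rule. This is an added sketch, not code from any bank or from the original article; the record fields, thresholds and sample taps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling for plausible travel (about airliner speed)
MIN_KM = 50.0    # assumed: ignore taps closer together than this

@dataclass(frozen=True)
class Tap:
    token: str      # wallet token reference (constructed, not a real PAN)
    when: datetime
    lat: float
    lon: float
    terminal: str

def km_between(a: Tap, b: Tap) -> float:
    """Great-circle (haversine) distance between two taps, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(taps, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Flag consecutive taps of one token whose implied speed exceeds max_kmh.

    Returns a list of (earlier_terminal, later_terminal, distance_km).
    """
    alerts, last = [], {}
    for tap in sorted(taps, key=lambda t: t.when):
        prev = last.get(tap.token)
        if prev is not None:
            km = km_between(prev, tap)
            hours = (tap.when - prev.when).total_seconds() / 3600
            # Simultaneous taps at distant terminals are always flagged.
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                alerts.append((prev.terminal, tap.terminal, round(km)))
        last[tap.token] = tap
    return alerts

# Constructed sample taps (coordinates are city centres, not real terminals).
SAMPLE = [
    Tap("tok-A", datetime(2025, 3, 1, 12, 0), 55.7558, 37.6173, "T-100"),
    Tap("tok-A", datetime(2025, 3, 1, 12, 4), 59.9343, 30.3351, "T-200"),  # ~630 km in 4 min
    Tap("tok-B", datetime(2025, 3, 1, 9, 0), 55.7558, 37.6173, "T-100"),
    Tap("tok-B", datetime(2025, 3, 1, 18, 0), 59.9343, 30.3351, "T-300"),  # 9 h later: plausible
    Tap("tok-C", datetime(2025, 3, 1, 10, 0), 55.7558, 37.6173, "T-100"),
    Tap("tok-C", datetime(2025, 3, 1, 10, 10), 55.7900, 37.6800, "T-101"),  # same city
]

if __name__ == "__main__":
    for earlier, later, km in impossible_travel(SAMPLE):
        print(f"ALERT: same token at {earlier} then {later}, {km} km apart")
```

A rule like this only sees taps where the token is presented far from its previous use; it has nothing to compare when the relayed card is used at the terminal the victim is standing at.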

The victim now receives an application that creates a copy of the card, while the NFC relay is installed by the attackers. Then, citing the risk of theft, the attackers persuade the victim to deposit money into a "safe account" via an ATM, using the smartphone to authorize the payment. When the victim touches the phone to the ATM, the fraudster relays his own card information to it, and the money ends up in his account. Such actions are difficult for automatic anti-fraud systems to detect, as the transaction appears perfectly legitimate: someone just went to an ATM and deposited money to a card. The anti-fraud system does not know that the card belongs to someone else.

How to protect your cards from scammers

First of all, Google and Apple, along with payment systems, should implement additional protective measures in the payment infrastructure. However, users can also take steps to protect their cards:

  • Use virtual cards for online payments. Do not keep large sums of money on them, and top them up only just before making an online purchase. If the card issuer allows it, turn off offline payments and cash withdrawals for these cards.
  • At least once a year, replace your virtual card with a new one and block the old one.
  • For offline payments, link a different card to Apple Pay, Google Wallet or similar services. Never use this card online and, if possible, use the mobile wallet on your smartphone when you pay in stores.
  • Be very careful with applications that ask you to hold your payment card to your smartphone, let alone enter your PIN. If it is a well-known and reliable banking application, there is no problem, but if it is something suspicious that you have just installed from a link outside the official app store, avoid it.
  • Use plastic cards at ATMs rather than an NFC smartphone.
  • Install an integrated security solution on all computers and smartphones to reduce the risk of landing on phishing websites or installing malicious applications.
  • Enable the Safe Money feature, which is available in all security solutions, to protect your financial transactions and online purchases.

Turn on the fastest available transaction notifications (text message or push) for all your payment cards, and contact your card issuer immediately if you notice something suspicious.
