
Cybercriminals are increasingly exploiting Near Field Communication (NFC) technology to conduct large-scale fraud at ATMs and Point-of-Sale (POS) terminals. According to Resecurity, Chinese underground networks have been linked to a surge in NFC-related fraud in Q1 2025, causing significant financial losses for banks and FinTech firms [1]. This article examines the technical methods behind these attacks, their evolution, and mitigation strategies.
Summary for CISOs
NFC relay attacks have evolved into a sophisticated threat, leveraging mobile malware, phishing, and relay tools to bypass contactless payment security. Key findings include:
- Ghost Tap Attacks (2024): NFCGate abuse enables transaction relay via proxy servers [2].
- SuperCard X Malware (2025): Combines phishing with NFC data harvesting on Android devices [3].
- ZNFC App Fraud (2025): Automated phishing kits load stolen card data into NFC-enabled devices [4].
Technical Analysis of NFC Exploits
The NFCGate tool, an open-source NFC relay, has been weaponized to bypass contactless payment security. Attackers deploy mobile malware (e.g., overlay attacks) to steal card details and one-time passwords (OTPs). These details are loaded into attacker-controlled digital wallets (Apple Pay/Google Pay), and NFCGate relays transaction data to money mules via proxy servers [2]. This method masks transaction origins by simulating legitimate “tap” events, making detection challenging.
In April 2025, SuperCard X emerged as a Malware-as-a-Service (MaaS) offering in Chinese underground markets. Victims are tricked into installing malware disguised as a security app, which harvests NFC data via compromised Android devices. The malware uses mutual TLS for command-and-control (C2) communication, evading traditional detection mechanisms [3].
Historical Context and Emerging Trends
NFC-based ATM exploits are not new. In 2016, Russian hackers used smartphones to deploy malware on Wincor Nixdorf ATMs in Taiwan, stealing $2.2 million via wireless exploits [5]. By 2024, ESET documented NGate malware stealing NFC data from Czech banks through phishing campaigns [6].
Recent trends include AI-driven fraud, such as deepfake voice phishing to bypass multi-factor authentication (MFA) [7]. Despite blockchain’s security benefits, weak passwords remain a vulnerability in NFC payment systems [8].
Mitigation Strategies
To counter NFC relay attacks, financial institutions should:
- Monitor latency anomalies and geolocation mismatches in transactions [2].
- Implement runtime application self-protection (RASP) to detect mobile malware.
- Disable unused ports (USB/Wireless) on ATMs and enforce firmware updates.
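One way to implement the latency and geolocation monitoring from the first bullet, as an added example that is not from the article or its sources. The record schema (wallet token, terminal coordinates, a terminal-measured `tap_ms` duration), the sample records, and all thresholds are assumptions to be tuned against real baselines.

```python
import math
from datetime import datetime

# Assumed thresholds, not from the article; tune against your own baseline.
MAX_TAP_MS = 500       # card-to-terminal exchange time; relays add network hops
MAX_SPEED_KMH = 900    # faster than an airliner between two taps = implausible
MIN_KM = 50            # ignore normal movement within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_relay_suspects(txns):
    """Return {txn id: [reasons]} for taps with relay-like timing or location."""
    flagged, last_tap = {}, {}
    for t in sorted(txns, key=lambda t: t["ts"]):
        reasons = []
        if t["tap_ms"] > MAX_TAP_MS:
            reasons.append("latency")
        prev = last_tap.get(t["token"])  # previous tap with the same wallet token
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], t["lat"], t["lon"])
            hours = (t["ts"] - prev["ts"]).total_seconds() / 3600
            if km > MIN_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                reasons.append("geo_mismatch")
        last_tap[t["token"]] = t
        if reasons:
            flagged[t["id"]] = reasons
    return flagged

# Constructed sample records (hypothetical schema, not real transaction data).
SAMPLE = [
    {"id": "t1", "token": "tokA", "ts": datetime(2025, 4, 1, 10, 0), "lat": 50.08, "lon": 14.43, "tap_ms": 180},
    {"id": "t2", "token": "tokA", "ts": datetime(2025, 4, 1, 10, 20), "lat": 50.09, "lon": 14.40, "tap_ms": 210},
    {"id": "t3", "token": "tokA", "ts": datetime(2025, 4, 1, 10, 30), "lat": 40.71, "lon": -74.00, "tap_ms": 950},
    {"id": "t4", "token": "tokB", "ts": datetime(2025, 4, 1, 10, 5), "lat": 48.85, "lon": 2.35, "tap_ms": 800},
]

if __name__ == "__main__":
    for txn_id, reasons in find_relay_suspects(SAMPLE).items():
        print(txn_id, reasons)
```

Transactions flagged for both reasons are the stronger relay signal; a latency flag alone can also come from a slow terminal and is better treated as a score input than a hard decline.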
Conclusion
NFC relay attacks represent a growing threat to contactless payment systems. Cybercriminals continue to refine their tactics, blending phishing, malware, and relay tools to exploit vulnerabilities. Financial institutions must adopt layered defenses, including AI-driven anomaly detection and geolocation validation, to mitigate risks.
References
[1] “Hackers Exploit NFC Technology to Steal Money from ATMs and POS Terminals,” GBHackers, 2025.
[2] “Ghost Tap: Hackers Exploiting NFCGate to Bypass Contactless Payment Security,” The Hacker News, Nov. 2024.
[3] “Hackers Hijack NFC for Instant Payment Fraud,” GovInfoSecurity, Apr. 2025.
[4] “Ghost Taps and Stolen Cash: Hackers Turn Apps into ATM Machines,” Verimatrix, Mar. 2025.
[5] “Russian Hackers Use Smartphones to Steal $2.2M from Taiwanese ATMs,” The Register, Jul. 2016.
[6] “Android Malware Steals NFC Card Data in Czech Banks,” Infosecurity Magazine, 2024.
[7] “AI-Driven Fraud: Deepfake Voice Phishing Bypasses MFA,” The Hacker News, Apr. 2025.
[8] “Blockchain Security Benefits vs. Weak Password Risks,” The Hacker News, Apr. 2025.