We’ve all been in this situation: Running around during the holidays, grabbing gifts at the first stores you find with the shortest lines. Amid the rush, you run up a list of credit card charges from places you don’t recall visiting and things you don’t remember buying.
Unfortunately, this is exactly the situation where thieves are thriving, and it’s the context surrounding an emerging cyber threat facing consumers that companies including financial institutions, retailers and payment providers should be aware of.
Around the globe, thieves are using “ghost tapping” to steal from consumers. The method is as fast and easy to use as tap-to-pay on mobile devices, largely because it literally uses the exact same technology. The worst part? Thieves only need to be within arm’s reach to steal personal financial information their victims did not even realize was exposed.
Indeed, ghost tapping is the newest evolution of longstanding card fraud scams. And this technique pays. Within a recent three-month window, scammers in Singapore used this method to steal nearly a million dollars from victims.
Ahead of this holiday shopping season, let’s take a minute to explore ghost tapping, its impact on consumers, and what companies can do to safeguard their customers from this threat.
What is ghost tapping?
Ghost tapping exploits Near Field Communication (NFC) technology used in mobile wallets, allowing fraudsters to make unauthorized transactions without physically touching the victim’s card or device. People use NFC technology every day, from tap-to-pay transactions to concert e-ticket scans to digital public transport cards.
Ghost tapping happens when NFC traffic containing payment card information is relayed from a victim’s device to a payment terminal. Cybercriminals load a small charge (e.g., $1–$100) onto a portable payment terminal and then physically bump or get close to a victim in crowded places such as subways, elevators, or busy retail stores.
If the victim’s card or phone is unlocked and NFC is enabled, the transaction can be processed instantly and discreetly, especially if the charge is small and notifications are turned off. All of this means that a cybercriminal can steal credit card and personal information without any direct physical interaction. Unlike the card scams of previous years, this method executes a full transaction, delivering cash directly to an account controlled by the thief, kind of like a virtual pickpocket.
Why is this threat important for businesses to address?
If left unaddressed, ghost tapping poses significant risks to retail businesses, financial institutions, payment providers, and of course consumers.
Trust is fundamental to consumer behavior. If customers don’t trust that their payment method is secure, they are likely to avoid the places they see as high risk. If challenges continue, they may even move away from a specific payment method or application altogether. People want to purchase in a way that protects their personal data. Trust is everything.
That’s why it’s important for businesses and financial institutions to take ghost tapping seriously and follow a few simple steps:
- Enhance cybersecurity measures: Default to stricter authentication when consumers add cards to mobile wallets.
- Monitor transactions: Regularly review transactions for suspicious activity, especially those involving geographically distant locations within a short timeframe, to catch the transactions before they disappear into thin air.
- Educate customers: Inform consumers about the risks of ghost tapping and how to protect themselves, such as regularly monitoring their account activity.
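The "Monitor transactions" step above, sketched as an added example that is not part of the original article: it flags consecutive taps on the same wallet token whose terminals are too far apart for the elapsed time. The `Tap` record, the token names, the speed and distance thresholds, and the sample authorizations are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50.0    # assumed floor: ignore terminal geolocation noise

@dataclass(frozen=True)
class Tap:
    token: str       # wallet or card token (constructed values below)
    ts: datetime     # authorization time
    lat: float       # terminal latitude
    lon: float       # terminal longitude

def haversine_km(a: Tap, b: Tap) -> float:
    """Great-circle distance between two terminals in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_impossible_travel(taps):
    """Return (previous, current, km) for consecutive taps on one token
    whose implied travel speed exceeds MAX_KMH."""
    alerts, last = [], {}
    for tap in sorted(taps, key=lambda t: t.ts):
        prev = last.get(tap.token)
        if prev is not None:
            km = haversine_km(prev, tap)
            hours = (tap.ts - prev.ts).total_seconds() / 3600
            # Zero elapsed time with real distance is treated as infinite speed.
            if km >= MIN_KM and (hours == 0 or km / hours > MAX_KMH):
                alerts.append((prev, tap, round(km)))
        last[tap.token] = tap
    return alerts

# Constructed sample authorizations (not real data).
SAMPLE_TAPS = [
    Tap("tok_A", datetime(2024, 12, 20, 10, 0), 1.3521, 103.8198),    # Singapore
    Tap("tok_A", datetime(2024, 12, 20, 10, 30), 13.7563, 100.5018),  # Bangkok, 30 min later
    Tap("tok_B", datetime(2024, 12, 20, 10, 5), 1.3000, 103.8000),    # local terminal
    Tap("tok_B", datetime(2024, 12, 20, 10, 15), 1.3400, 103.8300),   # local, a few km away
    Tap("tok_C", datetime(2024, 12, 20, 8, 0), 1.3521, 103.8198),     # Singapore
    Tap("tok_C", datetime(2024, 12, 20, 14, 0), 13.7563, 100.5018),   # Bangkok, 6 h later
]

if __name__ == "__main__":
    for prev, cur, km in flag_impossible_travel(SAMPLE_TAPS):
        print(f"{cur.token}: {km} km in {cur.ts - prev.ts}")
```

Only `tok_A` is flagged here: the same-city pair falls under the distance floor, and the six-hour pair is consistent with a flight.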
And for consumers, try to do some of the following to protect yourself:
- Use an RFID-blocking wallet to protect against NFC skimming of credit cards in wallets.
- Set up transaction alerts for charges.
- Monitor accounts for suspicious activity and report it immediately. This can usually be done right in your banking or credit card app.
- If not in use, turn off tap-to-pay and mobile wallet capabilities, or require a PIN or biometric authentication before processing any mobile wallet transaction.
Ghost tapping is just one of many attack vectors
This holiday season, as customers flock to stores and work through shopping lists, businesses should do everything they can to ensure customers are in safe and secure environments that are free from threats like ghost tapping.
More than that, we all need to recognize the critical new reality of cybercrime and fraud: emerging technologies are aiding attacks as rapidly as they are helping to counter them. Beyond ghost tapping, cybersecurity teams are seeing a spike in mobile fraud methods that leverage social engineering and rogue apps to fool users into disclosing credit card and banking data.
Cybercriminals are constantly creating new ways to exploit technology like generative AI and NFC for their own gain. In this environment, organizations must modernize their cybersecurity strategies, toolsets and tactics to stay ahead of these threats. However, responsibility for protecting against these risks also lies with consumers themselves. We all need to be more conscious of risk and make ourselves the hardest targets possible for thieves to steal from.
