We’ve all been in this situation: Running around during the holidays, grabbing gifts at the first stores you find with the shortest lines. Amid the rush, you run up a list of credit card charges from places you don’t recall visiting and things you don’t remember buying.
Unfortunately, this is exactly the situation where thieves are thriving, and it’s the context surrounding an emerging cyber threat facing consumers that companies including financial institutions, retailers and payment providers should be aware of.
Around the globe, thieves are using “ghost tapping” to steal from consumers. The method is as fast and easy to use as tap-to-pay on mobile devices, largely because it literally uses the exact same technology. The worst part? Thieves only need to be within arm’s reach to steal personal financial information their victims did not even realize was exposed.
Ahead of this holiday shopping season, let’s take a minute to explore ghost tapping, its impact on consumers, and what companies can do to safeguard their customers from this threat.
Ghost tapping exploits Near Field Communication (NFC) technology used in mobile wallets, allowing fraudsters to make unauthorized transactions without physically touching the victim’s card or device. People use NFC technology every day, from tap-to-pay transactions to concert e-ticket scans to digital public transport cards.
Ghost tapping happens when NFC traffic containing payment card information is relayed from a victim’s device to a payment terminal. Cybercriminals load a small charge (e.g., $1–$100) onto a portable payment terminal and then physically bump or get close to a victim in crowded places such as subways, elevators, or busy retail stores.
If the victim’s card or phone is unlocked and NFC is enabled, the transaction can be processed instantly and discreetly, especially if the charge is small and notifications are turned off. All of this means that a cybercriminal can steal credit card and personal information without any direct physical interaction. Unlike the card scams of previous years, this method executes a full transaction, delivering cash directly to an account controlled by the thief, much like a virtual pickpocket.
If left unaddressed, ghost tapping poses significant risks to retail businesses, financial institutions, payment providers, and of course consumers.
Trust is fundamental to consumer behavior. If customers don’t trust that their payment method is secure, they are likely to avoid the places they see as high risk. If the problems continue, they may even move away from a specific payment method or application altogether. People want to purchase in a way that protects their personal data. Trust is everything.
That’s why it’s important for businesses and financial institutions to take ghost tapping seriously and follow a few simple steps:
And for consumers, try to do some of the following to protect yourself:
This holiday season, as customers flock to stores and work through shopping lists, businesses should do everything they can to ensure customers are in safe and secure environments that are free from threats like ghost tapping.
Cybercriminals are constantly creating new ways to exploit technology like generative AI and NFC for their own gain. In this environment, organizations must modernize their cybersecurity strategies, toolsets and tactics to stay ahead of these threats. However, responsibility for protecting against these risks also lies with consumers themselves. We all need to be more conscious of risk and make ourselves the hardest targets possible for thieves to steal from.



