ESET Warns Cybercriminals Are Targeting NFC Data for Contactless Payments
ESET researchers have uncovered a sophisticated attack vector exploiting Near Field Communication (NFC) data, initially targeting Czech banking customers but now spreading worldwide.
According to the ESET Threat Report H1 2025, the incidence of NFC-related attacks has skyrocketed, with telemetry data showing a staggering 35-fold increase in the first half of 2025 compared to the latter half of 2024.
This alarming trend underscores the growing interest of cybercriminals in exploiting NFC technology, which powers contactless payments through short-range wireless communication using radio waves, effective only within a few centimeters.
A Surge in NFC-Based Attacks Globally
As the global NFC market is projected to expand from $21.69 billion in 2024 to $30.55 billion by 2029, driven by smartphone penetration and the shift to cashless transactions, the technology’s inherent security features like encryption and tokenization are being challenged by innovative malicious tactics.
The attack methodology, as detailed by ESET, integrates traditional cyber threats such as social engineering, phishing, and Android malware with a tool originally designed for research purposes called NFCGate.
Developed by students at the Secure Mobile Networking Lab of the Technical University of Darmstadt, NFCGate was intended to relay NFC data between devices for legitimate study.
However, cybercriminals have repurposed it into a malicious framework dubbed NGate.
From Research Tool to Cybercrime Weapon
The attack begins with phishing SMS messages luring victims to fake banking websites via links to progressive web apps (PWAs), which bypass app store vetting and install without triggering third-party warnings.
Once victims input their credentials, attackers gain account access and escalate the scam by posing as bank representatives over the phone, convincing users to download the NGate malware under the guise of securing their accounts.
This malware exploits NFCGate to capture card data when victims place their cards near their smartphones, enabling attackers to emulate the card on their devices for unauthorized transactions or cash withdrawals without leaving a direct trace.
Furthermore, a derivative tactic named Ghost Tap has emerged, in which stolen card details and one-time passcodes are used to register the cards in attackers’ digital wallets such as Apple Pay or Google Pay, facilitating large-scale fraudulent contactless payments globally, potentially through farms of Android devices loaded with compromised data.
Despite the sophistication of these attacks, ESET emphasizes that users are not defenseless. Vigilance against phishing attempts remains critical, as these scams rely on deceiving users into sharing sensitive information or installing malicious apps.
Setting low limits on contactless payment transactions and using RFID blockers to shield card data from unauthorized scans are practical steps to mitigate risks.
Additionally, deploying robust cybersecurity solutions like ESET HOME Security, which includes features such as 24/7 Android antivirus scanning, anti-phishing protection, payment app safeguarding, and security audits for app permissions, can thwart attacks at multiple stages.
As contactless payments continue to offer unmatched convenience, ESET urges users to stay informed and secure their devices rather than reverting to cash, ensuring that technological advancements are not overshadowed by cybercriminal ingenuity.