
ZDNET’s key takeaways
- Ghost tapping tries to exploit tap-to-pay to steal your money.
- The scammer targets physical payment cards and mobile wallets.
- The scam can be hard to pull off, but scammers persist.
Tapping to pay for an item using your phone’s mobile wallet is a quick and convenient way to make a purchase. However, despite the convenience, or perhaps because of it, there is some potential risk associated with the process. One type of scam that’s been getting a lot of coverage lately is ghost tapping. A criminal — or even a dishonest or fake vendor — can exploit the tap-to-pay technology to charge your credit card or payment method without your awareness.
How this scam works
“Ghost tapping refers to attempts by criminals to trigger an unauthorized contactless payment without the victim’s knowledge,” Shane Barney, chief information security officer for Keeper Security, told ZDNET. “Tap-to-pay uses Near Field Communication (NFC), which requires very close proximity to the card or device. While this technology is inherently secure, attackers try to exploit moments when people are distracted, such as in crowded public areas.”
Ghost tapping scams can target mobile wallets such as Apple Wallet and Google Wallet, as well as tap-to-pay credit and debit cards. Typically, this technology provides a convenient way to purchase a wide range of items, from transit tickets to groceries, gas, and clothing. Many small business owners and vendors use portable tap-to-pay readers, making it easy to buy items through your phone or credit card.
A ghost tapping scam typically involves three steps, Barney explained.
- Getting near the victim: Armed with an NFC reader, the scammer gets extremely close to the intended victim, sometimes bumping into them or standing pressed against them in a crowded area. Obtaining an NFC reader is the easy part, as you can buy one from any online retailer.
- Triggering a transaction: If the victim’s payment card is loose in a bag or pocket and not shielded, the scammer could use the reader to try to initiate a tap-to-pay transaction.
- Processing the charge: Even if they review their transactions, the victims may not notice the charge, especially if the scammer keeps the amount low.
How difficult is it to pull off this type of scam? The actual execution is the tough part, according to Barney. The scammer has to stay close enough to the victim to initiate a response from the card without being noticed. That’s why these scams often occur in crowded areas or in settings where the attacker can pose as a legitimate vendor.
Though both physical payment cards and mobile phones can be targeted, modern security methods are designed to prevent attackers from stealing sensitive payment information. Today’s EMV (Europay, Mastercard, and Visa) contactless payment cards guard against the theft of card numbers, CVV codes, and other data.
Smartphones are even more secure than physical payment cards. Apple Wallet and Google Wallet include device-level biometrics for authentication, store tokens instead of card numbers, and rely on security built into the hardware. Because a transaction requires Face ID, Touch ID, or a PIN, ghost tapping a smartphone is effectively impossible, Barney said.
Beware the fake vendor
Drive-by NFC theft is more challenging to execute than many people assume, and the available data is limited. However, attackers continue because the barrier to entry is so low. Still, if the challenges are high, why is ghost tapping a threat? Well, an attacker doesn’t need to sneak up next to you to pull off the scam, not when social engineering works so well.
“Successful scams often rely on social engineering rather than true wireless theft,” Barney said. “The most effective method criminals use is posing as a legitimate vendor, such as at a pop-up booth or street kiosk, and convincing someone to tap their card on a fraudulent reader. In those scenarios, the victim authorizes the charge because the attacker has created a believable physical environment.”
In a recent scam alert, the Better Business Bureau (BBB) revealed some of the tricks that scammers use to run a ghost tapping scam, how to watch out for them, and how to protect yourself.
Here are some signs of a possible scam:
- Getting close to you in crowded, public places. The scammer could bump into you while surreptitiously charging your tap-enabled phone or credit card.
- An unscrupulous or phony vendor who sells you something. Tap-to-pay is a popular payment method at flea markets, festivals, conventions, and other gatherings. But with so much activity, a scammer could sneak in to set up a table or booth and charge you an exorbitant amount for an item that may or may not be legitimate.
- Charity scams. A person who claims to be accepting donations for a charity could charge your card or mobile wallet a much higher amount than you expect.
- Rushing the process. Scammers count on you being in a hurry or getting distracted. In that case, you may approve the transaction without verifying the business name or the amount being charged.
How can you tell if you’re about to be scammed or have already been scammed? Here are three tip-offs.
- Bank alerts that show small charges. Scammers will sometimes test the waters by charging you a small amount to see if it works. If so, they can expand to larger amounts.
- No confirmation of the amount charged. Be wary if a retailer charges you by tap-to-pay but doesn’t want to show you the total or offer a receipt.
- Suspicious charges. Watch out for suspicious charges after being in a crowded area such as a flea market, festival, or transit station.
5 ways to protect yourself
Ultimately, how can you protect yourself against ghost tapping? Here are a few suggestions from the BBB.
- Use RFID protection. When you’re not using your phone, keep it in an RFID-blocking wallet or sleeve to prevent the NFC signal from reaching it.
- Confirm payment details. Before tapping your phone or card, check the seller’s name and the amount displayed on the reader’s screen.
- Set up transaction alerts. Sign up with your bank to receive real-time notifications for every charge you receive.
- Scrutinize your bank and credit accounts. Review your bank and credit card charges to look for any signs of fraud.
- Limit your use of tap-to-pay. If you’re wary of using tap-to-pay in an unusual or potentially high-risk scenario, consider swiping or inserting your credit card instead.
The post This ghost tapping scam can steal money from your mobile wallet or card – how to block it first appeared on TechToday.
