What is the ‘ghost tapping’ scam? Thieves stealing credit card data without contact


🕒︎ 2025-11-05

Copyright WDIV ClickOnDetroit


DETROIT – What is the “ghost tapping” scam that targets people using the tap-to-pay option with their credit cards? It’s a new way that thieves are trying to steal credit card information, and it’s so dangerous because it doesn’t require any physical contact.

Tap-to-pay has become one of the most popular ways for people to pay at stores, gas stations, and restaurants. You don’t have to insert or swipe your card -- you just put it up to the reader. But thieves are trying to take advantage of that convenience through “ghost tapping” and “ghost charges.”

How does the ghost tapping scam work?

Ghost tapping targets tap-to-pay credit and debit cards, as well as mobile wallets, by exploiting Near Field Communication (NFC). NFC allows devices to share information when they are very close, usually within a few millimeters. Thieves use devices like Flipper Zero, a multi-functional tool originally designed for testing access control systems, to secretly read card data.

Tracey Birkenhauer, co-owner and principal impact officer at STACK Cybersecurity in Livonia, explained that Flipper devices act like remote controls that can open garage doors, control electronics, and test security systems. However, these devices can also be used to steal card information. Amazon banned sales of Flipper Zero in 2023, calling it a “card skimming device,” but STACK Cybersecurity said its capabilities go beyond that.

How thieves capture card data with Flipper Zero

“It could be just a simple tap of a card, and it will steal all the card information,” said Rob Moore, director of service and delivery at STACK Cybersecurity.

The device works by detecting wireless frequencies, including the 2.4 GHz band, to scan networks and capture data. Xzavier Spalsbury, a cybersecurity expert, demonstrated how the device can scan nearby wireless networks, connect to internal networks, and run scripts to capture wireless protocols used for network authentication.

Most importantly, the device can read Radio Frequency Identification (RFID) and NFC cards, which are commonly used in credit cards and access badges. This means thieves can capture card data simply by being close enough to the victim -- often in crowded places where bumping into someone is common.

How to protect yourself from ghost tapping

“If we’re in crowded spaces, we need to be extremely careful because that’s one of the main ways people might do something like bump into you,” said Nakia Mills from the Better Business Bureau.

Once the device reads the card’s wireless signal, it can capture sensitive information without the victim’s knowledge. The stolen data can then be used for fraudulent purchases or even identity theft.

The Better Business Bureau recommends avoiding tap payments when possible, using RFID-blocking wallets or sleeves, and regularly monitoring bank and credit card statements for suspicious activity.

“People just need to be really careful. This seems to be a newer way with this modern age,” Mills said.

The BBB has not yet received reports from Michigan, but cautions that many victims may not realize they have been targeted.

The company behind Flipper Zero said the device is intended for educational and security testing purposes. In a statement to Local 4, the company wrote in part: “While the Flipper Zero can read NFC and RFID cards, it cannot decode the card’s encrypted security code used on credit and debit cards, so they can’t be cloned.”

Still, experts demonstrated that while some items like work badges may have protections, many cards and key fobs remain vulnerable to ghost tapping. At STACK Cybersecurity, Moore demonstrated the device on a work badge and house keys, showing that while some items may be protected, others are vulnerable. He noted that RFID-blocking wallets can protect cards by creating a barrier that prevents the device from reading card data.

Birkenhauer urged organizations and individuals to take both physical and cybersecurity seriously as attacks like ghost tapping become more sophisticated. “This is a homeland security issue. Everyone needs to be concerned about it,” Birkenhauer said.

With the holiday season approaching and more crowded spaces, experts warn that ghost tapping scams could become more common, making awareness and prevention critical.
