The rise of contactless payment It has simplified purchases in stores, on public transport, and in cafes: you just hold your card or phone up to the terminal and that's it. But that convenience coexists with an emerging threat, known as ghost touch, capable of generating charges in seconds without you noticing anything strange.
Recent investigations indicate that organized gangs rely on the NFC technology to intercept and resend transaction timecodes, transforming a system designed to be secure into one that fraud vector which goes unnoticed by the victim.
What is phantom touch and why is it a concern?
It is a technique that takes advantage of the emission of single-use tokens that validate contactless payments. Under normal conditions, this code expires almost instantly, but criminals have devised ways to capture and broadcast it in real time to another device to execute a purchase as if it were you.
The key to success is in the speed: The illicit transaction is completed before the token expires. They don't require stealing your card or touching your phone, and they don't require "hack" the system; exploit how devices communicate during payment authorization.
How scammers operate
Broadly speaking, experts have documented two recurring modalities that share the same objective: clone the payment context remotely so that another terminal can charge as if it had your card in front of it.
In-person modality: the lightning strike
In crowded spaces (queues, transport, bars), a member of the gang gets close enough to read the NFC token with a prepared device. It immediately sends it to a second mobile phone that is placed in front of a terminal and complete the purchase somewhere else.
It all happens in a matter of seconds and goes unnoticed: you keep your card and your phone, but the charge is recorded as if you had paid for proximity legitimately.
Remote mode: social engineering and fake apps
In this scheme, attackers call or write pretending to be bank staff to convince you to install a fraudulent application that supposedly “validates” your card.
When you bring the card closer to the mobile following its instructions, that app intercepts the NFC token and forwards it to the criminals' device, who then instantly exploit it at another payment terminal before it expires.
Scope and most affected countries
Analysis cited by cybersecurity firms indicates that Brazil accounts for about 47% of blocked attempts of this fraud worldwide, with a significant presence also in India, China and SpainThe rise in the use of proximity payments in the region has gone hand in hand with these types of attempts.
In addition, they circulate tutorials and videos on messaging channels where real transactions are displayed to attract potential criminals, promoting these tools as if they were "remote payment" solutions.
Most exposed devices and platforms
The remote vector especially affects users of Android, since the system allows software to be installed from outside official stores if the user authorizes it, which opens the door to malicious apps. In any case, all contactless cards or mobile phone with active NFC can be the target of the in-person modus operandi.
How to protect your money and cards
Although phantom touch relies on speed, there are simple measures that greatly reduce the risk and make it difficult to detect. token interception by third parties.
- Turn off the NFC on your mobile when you don't need it.
- Use wallets, cases or card holders with RFID/NFC blocking to prevent unwanted readings.
- Active transaction alerts at your bank and check your transactions frequently.
- Do not install apps outside of official stores and check the developer name.
- Be wary of calls or messages that ask for "validate" your card or tell you to install software.
- It has a safety solution capable of detecting and blocking malicious applications.
If you notice a charge you don't recognize, contact your financial entity to block payment methods, dispute the transaction and, if appropriate, file a complaint with the competent authorities.
Warning signs and behavior on networks
Be wary of content that promises "pay remotely" with other people's cards or show supposed demonstrations on real terminals: they are usually showcases to attract buyers of illicit tools and scammers in training.
It is also advisable to maintain a culture of prudence in crowded places: avoid exposing your card or mobile phone unnecessarily close to other devices and keep the contactless disabled if you are not going to pay.
The threat of phantom touch does not mean giving up on contactless: combining good practice, controls from your bank and responsible use of mobile phones, the risk is significantly reduced without losing the advantages of proximity payment.
