As contactless payments become ubiquitous, fraudsters are evolving new tactics to exploit them. A Near Field Communication (NFC) relay attack is one such threat. It intercepts and relays the communication between a contactless card (or phone) and a payment terminal over a longer distance. In simple terms, an attacker uses a proxy device to “extend” the range of the victim’s card. For example, a card in your pocket could be surreptitiously activated by a rogue reader and its signal relayed in real time to another device across town, which then completes a purchase as if your card were present.
A “Ghost Tap” attack is a specialized form of NFC relay attack that criminals use to fake contactless transactions via proxied signals. First observed in late 2024, Ghost Tap (as dubbed by ThreatFabric researchers) allows crooks to cash out stolen cards linked to mobile wallets (like Apple Pay or Google Pay) by relaying NFC payment data to a distant point-of-sale. In these schemes, attackers obtain a victim’s card credentials and one-time password, add the card to a digital wallet on a phone they control, and then use a relay between two smartphones to make purchases anywhere, even continents away, without the victim’s physical card or phone being present. The threat is on the rise, with banks and fintechs reporting a wave of NFC-based fraud in recent months. It bridges the gap between stolen card data and card-present payments, turning credentials harvested online into fraudulent in-person transactions.
How These Attacks Work in Practice
In a Ghost Tap scenario, the fraud unfolds in stages. The attackers first steal the card details and the one-time password (OTP) the issuer sends to approve adding the card to a mobile wallet, typically via malware on the victim’s phone (capturing card data and SMS codes) or a phishing page. With the card provisioned on a phone they control, they avoid tapping that phone at a store themselves, since that would tie the device to the crime. Instead they set up a relay with a tool such as NFCGate: the attacker’s phone holding the stolen card token sits at the “card” end of the relay, while a second device, carried by a “money mule” to a store, runs the same tool in card-emulation mode in front of the POS terminal. Each command the terminal sends is forwarded over the internet to the card end, and the wallet’s responses (including the payment cryptogram) are forwarded back, so the terminal sees what looks like a legitimate tap at the checkout.
Several attack variations have been observed in practice. Point-of-sale spoofing can involve fake or tampered merchant terminals set up by fraudsters to route transactions remotely; in some cases, organized rings have even registered fraudulent merchant POS devices under mule identities, so that transactions from stolen cards appear as normal retail sales. Another angle is stolen token reuse: as in Ghost Tap, criminals leverage the tokenized card data from mobile wallets and rapidly purchase easily resellable goods (e.g. gift cards, electronics) at multiple stores using the same stolen token before the issuer blocks it. Attackers have also manipulated ATM or POS software (such as with the Track2NFC exploit) to force offline approvals, though these techniques are more complex.
On the surface, these relay and ghost-tap payments look just like ordinary contactless transactions, which is what makes them so insidious. The payment requests carry valid credentials (the victim’s card token), and the cryptogram in each one is generated by a genuine wallet token, so it passes the issuer’s cryptographic checks exactly as a real tap would. To the bank’s systems, it appears the rightful cardholder’s device made a normal tap payment. Ghost Tap operations intentionally keep each transaction small and routine-looking, sometimes spreading many under-the-radar purchases out to avoid tripping velocity or amount thresholds. Globally dispersed accomplices mean the fraud has no single location fingerprint. In short, a Ghost Tap transaction is designed to blend in with legitimate taps, making detection challenging without deeper contextual signals.
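To make the relay mechanics concrete, here is an added simulation written for this page; it is not code from ThreatFabric, NFCGate or Flagright. The cryptogram scheme (a truncated HMAC), the `WalletToken`, `Issuer`, `RelayedCard` and `terminal_tap` names, the key and the timings are all constructed stand-ins for EMV, not the real protocol. It shows the two points made above: the issuer’s cryptogram check passes for a relayed tap because the genuine token produced the cryptogram, and the one thing the relay cannot hide is the round trip time the terminal observes.

```python
"""Toy model of a contactless tap, direct vs. relayed (constructed example, not real EMV)."""
import hashlib
import hmac
import os
import time


class WalletToken:
    """Card/wallet side: the only party holding the cryptogram key (stand-in for the
    device-bound token a wallet provisions for a card)."""

    def __init__(self, token_pan, key):
        self.token_pan = token_pan
        self._key = key

    def generate_ac(self, terminal_data):
        # Toy application cryptogram: MAC over the terminal-supplied data
        # (amount, country, unpredictable number). Real EMV derives per-card
        # session keys; a truncated HMAC is enough to show the relay property.
        return hmac.new(self._key, terminal_data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer host: recomputes the cryptogram from its copy of the token key."""

    def __init__(self, token_keys):
        self._token_keys = token_keys

    def verify(self, token_pan, terminal_data, cryptogram):
        key = self._token_keys.get(token_pan)
        if key is None:
            return False
        expected = hmac.new(key, terminal_data, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, cryptogram)


class RelayedCard:
    """Mule-side emulator: answers the POS by forwarding each command across a
    simulated network link to the real token and returning its reply unchanged."""

    def __init__(self, real_card, one_way_delay_s):
        self.token_pan = real_card.token_pan
        self._real_card = real_card
        self._delay = one_way_delay_s

    def generate_ac(self, terminal_data):
        time.sleep(self._delay)                      # POS -> card end of relay
        cryptogram = self._real_card.generate_ac(terminal_data)
        time.sleep(self._delay)                      # card end -> POS
        return cryptogram


def terminal_tap(presented_card, issuer, amount_cents, merchant_country):
    """POS terminal: builds transaction data with a fresh unpredictable number, asks
    whatever is in the NFC field for a cryptogram, and sends it for authorization."""
    unpredictable_number = os.urandom(4)
    terminal_data = (amount_cents.to_bytes(6, "big")
                     + merchant_country.encode("ascii")
                     + unpredictable_number)
    started = time.perf_counter()
    cryptogram = presented_card.generate_ac(terminal_data)
    rtt_ms = (time.perf_counter() - started) * 1000.0
    approved = issuer.verify(presented_card.token_pan, terminal_data, cryptogram)
    return {"approved": approved, "rtt_ms": rtt_ms}


def relay_suspected(tap_result, max_rtt_ms):
    """Terminal-side relay check: a genuine card answers within the NFC field's
    timing budget; a tap that needed an internet round trip cannot."""
    return tap_result["rtt_ms"] > max_rtt_ms


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed; never a real issuer key
    card = WalletToken("tok-4111", key)
    issuer = Issuer({"tok-4111": key})

    genuine = terminal_tap(card, issuer, 1999, "DE")
    relayed = terminal_tap(RelayedCard(card, 0.05), issuer, 1999, "DE")
    for label, result in (("genuine", genuine), ("relayed", relayed)):
        print(f"{label}: approved={result['approved']} rtt={result['rtt_ms']:.1f} ms "
              f"relay_suspected={relay_suspected(result, max_rtt_ms=20)}")
```

Both taps are approved by the issuer; only the terminal, which times the exchange, can tell them apart. That added latency is the principle behind terminal-side relay resistance checks in EMV contactless kernels, but the issuer never sees it in the authorization message, which is why the contextual signals in the next section matter.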
Metadata Signals That Can Reveal Fraud
While ghost taps aim to masquerade as normal payments, a good fraud system can uncover subtle inconsistencies. Key metadata signals to monitor include:
- POS Entry Mode: Every card transaction includes an entry mode code (how the card data was obtained: EMV chip, contactless, magstripe, e-commerce, etc.; ISO 8583 DE22 on most networks). If a payment is flagged as contactless (e.g. 07 for contactless EMV, 91 for contactless magstripe) when the account isn’t known to use contactless, that’s suspicious. Issuers should verify that the entry mode aligns with the issuer-approved transaction methods and expected usage channels (for example, declining a contactless magstripe-mode transaction on a card that should only ever tap in EMV mode). Inconsistencies here, like a supposed chip transaction that actually came through magstripe data, can reveal relay misuse or skimming.
- Device ID or Fingerprint: In digital wallet scenarios, the card is tied to a device: the wallet provisions a device-bound token (a device account number, also called a DPAN) for it, and the token requestor identifies the wallet. If a transaction arrives on a token or device identifier not previously seen for that card or user, it’s a red flag; a card suddenly paying from a new phone can mean an attacker loaded the card onto their phone. Tracking device fingerprints in your transaction logs and comparing against the customer’s known devices can expose when a “ghost” device is in play. The earliest point to catch this is provisioning itself: a token request for a card from a brand-new device, shortly followed by taps, is the Ghost Tap pattern, and approving that request with an SMS OTP that malware on the victim’s phone can read is exactly the weak step the attack relies on.
- IP Address and Geolocation Mismatch: Even card-present transactions can be enriched with network metadata. When available, compare the transaction’s apparent location (merchant location or device IP geolocation) to the expected location of the customer or their device. A stark mismatch, say the tap is at a merchant in London but the cardholder’s phone (or app login) is usually in Berlin, could indicate a relay attack. Similarly, a transaction piped through an unusual IP (proxy/VPN or an IP from a high-risk region) should raise eyebrows. Geolocation analysis is a proven anti-fraud tool: if the device’s current location doesn’t line up with the cardholder’s known addresses or recent locations, the transaction may not be legitimate. Note what the issuer actually receives, though: a POS authorization message carries the merchant’s location (the card acceptor name and location fields), not the IP address of the phone that tapped. Device IP and GPS normally come from the issuer’s own mobile app telemetry or from risk signals shared by the wallet provider, so these comparisons depend on having that data joined to the transaction.
- Merchant Category or Velocity Anomalies: Behavioral context around the merchant can be revealing. Merchant tags (industry, risk level, typical transaction pattern) are useful for risk scoring. If a usually low-ticket, low-frequency merchant suddenly processes a rapid series of tap payments on the same card, it could be a compromised POS or a mule scenario. Likewise, multiple back-to-back transactions at different merchants in a short span, all on the same card, often signal fraud. Fraudsters tend to “burst” activity to maximize value before detection, so velocity rules (e.g. X taps in Y minutes) are critical. An abnormal spike in transaction count or value, especially at odd times of day or at merchants the user seldom frequents, can reveal a ghost tap spree in action.
- Time-of-Day and Session Context: Analyze when and how the transaction occurred relative to the customer’s normal behavior. Ghost Tap cash-outs tend to cluster in off-hours or shortly after the card was added to a wallet. If a card that has never been used at 2 AM suddenly sees several tap payments around that time, that temporal anomaly strengthens the fraud suspicion. Combine this with session data where you have it: was the legitimate cardholder logged into the mobile banking app somewhere else at that moment, and where did their phone last report its location? In Ghost Tap cases the attacker’s card-holding phone is often kept in airplane mode; NFC keeps working without connectivity, so the tap still succeeds, but the wallet provider gets no location for that device. The practical rule is therefore a location contradiction rather than a connectivity check: flag a contactless transaction when the cardholder’s own device was last seen (by your app) far from the merchant at tap time, and treat a wallet device that has gone dark right before a burst of taps as an added signal.
Each of these signals alone provides a piece of the picture. When correlated, they can expose the “ghost in the machine”, the subtle fraud that hides within normal-looking taps.
How Flagright Detects It
Flagright is designed to catch exactly these kinds of sophisticated attacks by leveraging real-time metadata and a powerful rules engine. One major capability is IP and device intelligence: the platform automatically resolves IP addresses to geolocations and tags devices with reputational data. This means that, where such network metadata is available to the issuer (for example from its own app telemetry or wallet-provider risk signals), a transaction coming in from an unexpected region or via an anonymizing service is noted as a discrepancy. For example, if a supposedly in-store NFC transaction at a German merchant is associated with a device IP in another country, that inconsistency can be flagged immediately, since a legitimate cardholder tapping at a POS should be on a local network. By linking device identifiers, geolocation, and transaction details, the system builds context on what “normal” looks like for each customer and merchant, making anomalies stand out.
Under the hood, Flagright’s no-code rules engine empowers fraud teams to combine these metadata signals into precise detection logic. The rules engine supports everything from simple threshold checks to regex-based pattern matching on data fields. Teams can build rules that parse transaction metadata (like checking if the POS entry mode matches “contactless”) and cross-compare multiple attributes in real time. In practice, Flagright allows layering dynamic filters and conditions, e.g. transaction type is NFC, device not seen before, and country differs from expected, to isolate risky behavior with surgical accuracy. This layered approach means multiple soft signals can be combined into a composite risk score or alert trigger. Rather than relying on a single indicator, Flagright can require that several anomalies align before flagging, which improves precision (fewer false positives); because a rule that demands every signal will miss cases where only some are present, teams typically score the weaker signals rather than require all of them. Rules are fully customizable based on transaction types, time windows, customer profiles, geographies, and more, so you can adapt quickly as fraud patterns evolve. Crucially, all of this happens in real time: the moment a transaction comes through, it’s evaluated against these rules and can be automatically blocked or flagged for review if it matches a ghost tap pattern.
By continuously monitoring granular metadata and applying real-time rules, Flagright’s platform can detect even stealthy NFC relay attacks that would slip past superficial checks. Suspicious patterns (a card suddenly used on a new device, rapid-fire taps across distant locales, etc.) are instantly scored and surfaced to fraud analysts. This proactive stance ensures that fraudulent transactions are stopped or investigated before they result in large losses – even when the fraud attempts look superficially legitimate.
Example Rule Logic
To illustrate, here are a couple of simplified rule examples combining multiple metadata conditions:
- Rule 1: If `transaction.entry_mode == "NFC"` AND `transaction.device_ID` not in customer’s known device history AND `IP_country != merchant_country` → Flag for Review.
  - Rationale: This rule catches cases where a contactless tap comes from an unknown device together with a network location mismatch, a strong indicator of an NFC relay or a card loaded onto an attacker’s device. (A genuine card tap at a store would normally use a familiar device/token and a local network. A divergence suggests a proxy in play.)
- Rule 2: If `merchant_ID` is in the list of “low-velocity merchants” AND the card sees 5+ transactions in 10 minutes at that merchant → Flag for Review.
  - Rationale: Even small ghost tap purchases leave a pattern; fraudsters often run numerous transactions in quick succession to maximize stolen card usage before being caught. Many brick-and-mortar merchants (especially for high-value goods or services) would never see the same card tapped repeatedly in a short span. This rule spotlights an unusual burst of activity at a merchant that typically wouldn’t have rapid repeat taps, which could mean a mule is testing or cashing out a stolen token.
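Here is how the metadata signals listed earlier and these two rules can be implemented as code, as an added example written for this page; it is not Flagright’s rules engine or any of its APIs. The transaction records, customer profiles, field names (`entry_mode`, `device_id`, `ip_country` and so on) and the low-velocity merchant list are constructed stand-ins for an issuer’s data; the entry-mode values are the ISO 8583 DE22 codes. One thing the prose leaves implicit and the code handles explicitly: a transaction with no network telemetry at all is treated as no evidence rather than as a mismatch, so the many card-present taps an issuer has no device data for do not all trip Rule 1.

```python
"""Metadata rules over a constructed contactless transaction log (example for this page)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ISO 8583 DE22 POS entry mode values: 07 = contactless EMV, 91 = contactless magstripe.
CONTACTLESS_ENTRY_MODES = {"07", "91"}

# Constructed customer profiles: stand-in for the issuer's device-history store.
PROFILES = {
    "card-1111": {"known_devices": {"dev-A"}, "home_country": "DE"},
    "card-2222": {"known_devices": {"dev-B"}, "home_country": "FR"},
}

# Constructed list of merchants that normally never see the same card tapped repeatedly.
LOW_VELOCITY_MERCHANTS = {"m-electronics-42"}


def _txn(tid, ts, card, device, merchant, merchant_country, ip_country, entry_mode="07"):
    return {"id": tid, "ts": ts, "card": card, "entry_mode": entry_mode, "device_id": device,
            "merchant_id": merchant, "merchant_country": merchant_country,
            "ip_country": ip_country}


# Constructed transaction log (not real data). t2 is a ghost-tap-style cash-out from an
# unknown device; t3..t7 are a burst at a low-velocity merchant; t8 has no telemetry.
TRANSACTIONS = [
    _txn("t1", "2025-03-01T14:05:00", "card-1111", "dev-A", "m-grocery-7", "DE", "DE"),
    _txn("t2", "2025-03-01T02:10:00", "card-1111", "dev-Z", "m-electronics-42", "BR", "RU"),
    _txn("t3", "2025-03-01T02:12:00", "card-2222", "dev-B", "m-electronics-42", "BR", "BR"),
    _txn("t4", "2025-03-01T02:13:00", "card-2222", "dev-B", "m-electronics-42", "BR", "BR"),
    _txn("t5", "2025-03-01T02:15:00", "card-2222", "dev-B", "m-electronics-42", "BR", "BR"),
    _txn("t6", "2025-03-01T02:18:00", "card-2222", "dev-B", "m-electronics-42", "BR", "BR"),
    _txn("t7", "2025-03-01T02:20:00", "card-2222", "dev-B", "m-electronics-42", "BR", "BR"),
    _txn("t8", "2025-03-01T09:30:00", "card-2222", "dev-New", "m-cafe-3", "FR", None),
]


def rule_unknown_device_geo_mismatch(txn, profile):
    """Rule 1: contactless entry mode, a device never seen on this card, and network
    geolocation that disagrees with the merchant's country. Missing telemetry is
    treated as no evidence rather than as a mismatch."""
    if txn["entry_mode"] not in CONTACTLESS_ENTRY_MODES:
        return False
    if txn["device_id"] in profile.get("known_devices", set()):
        return False
    ip_country = txn.get("ip_country")
    if ip_country is None:
        return False
    return ip_country != txn["merchant_country"]


class VelocityTracker:
    """Sliding-window count of taps per (card, merchant); timestamps arrive in order."""

    def __init__(self, window=timedelta(minutes=10), threshold=5):
        self.window = window
        self.threshold = threshold
        self._hits = defaultdict(deque)

    def count(self, key, ts):
        hits = self._hits[key]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:   # drop taps older than the window
            hits.popleft()
        return len(hits)


def evaluate(transactions, profiles, low_velocity_merchants, tracker=None):
    """Apply both rules to a log; returns [(txn_id, [reasons])] for flagged transactions."""
    tracker = tracker or VelocityTracker()
    alerts = []
    for txn in sorted(transactions, key=lambda t: t["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(txn["ts"])
        profile = profiles.get(txn["card"], {})
        reasons = []
        if rule_unknown_device_geo_mismatch(txn, profile):
            reasons.append("R1_unknown_device_geo_mismatch")
        if txn["merchant_id"] in low_velocity_merchants:
            n = tracker.count((txn["card"], txn["merchant_id"]), ts)
            if n >= tracker.threshold:
                minutes = int(tracker.window.total_seconds() // 60)
                reasons.append(f"R2_velocity_{n}_in_{minutes}m")
        if reasons:
            alerts.append((txn["id"], reasons))
    return alerts


if __name__ == "__main__":
    for txn_id, reasons in evaluate(TRANSACTIONS, PROFILES, LOW_VELOCITY_MERCHANTS):
        print(f"{txn_id}: flag for review ({', '.join(reasons)})")
```

Run as a script, it flags t2 under Rule 1 and t7 (the fifth tap in eight minutes) under Rule 2, while t8, a new device with no telemetry, produces no alert; in a production system that new-device signal would still feed a risk score rather than be discarded.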
These are just examples. In practice, effective rules can get quite granular, factoring in time-of-day (e.g. blocking late-night rapid taps), cardholder travel status, prior fraud alerts on the device, and so on. The key is that multiple weak signals, when combined, form a strong fraud indicator. Flagright’s engine makes it easy to implement such complex rules and even simulate their impact before deploying them, so fraud teams can fine-tune detection without disrupting normal customers.
Conclusion: Real-Time Metadata Matters
NFC relay and ghost tap attacks underscore that fraud prevention must look beyond surface transaction data. When transactions “look” normal to basic checks, it’s the context and metadata that reveal the truth. By rapidly analyzing attributes like entry mode, device identity, location, and behavioral patterns, financial institutions can expose schemes that would otherwise fly under the radar. Importantly, this needs to happen in real time – stopping the fraud as it happens. Ghost Tap attackers operate at internet speed and global scale; only an equally fast, data-driven defense can counter them. The impact is significant: without advanced detection models and robust rules, these anonymous, scalable fraud methods present major challenges for banks and payment providers.
The good news is that with the right tools, we can fight back. A modern fraud system like Flagright’s combines deep metadata insight with agile rule-building to stop relay attacks in their tracks. It enables teams to model attack paths (like the ghost tap modus operandi) and set up tripwires for each telltale sign. The result is a proactive, adaptive defense that doesn’t just react to fraud; it anticipates it by recognizing the metadata signatures of emerging threats. In the fast-evolving world of fintech fraud, real-time context isn’t just nice to have, it’s a must for protecting customers and payment ecosystems.
Ready to fortify your fraud prevention with metadata-driven rules? Reach out to book a demo of Flagright’s platform and see how you can stay one step ahead of NFC relay and ghost tap attacks.