
'Ghost tapping' contactless payments fraud is happening in New Zealand, with the police apprehending a Chinese tourist trying to buy luxury goods

Digital illustration depicting ghost tapping - a cybercrime technique using mobile wallets and NFC relay attacks

The Auckland City (Police) Criminal Investigations Bureau says a Chinese national was caught using "ghost tapping" to buy luxury goods in Newmarket earlier this month, with the police arresting her after she aroused suspicions at high-end retailers there.

“A woman had tried unsuccessfully using multiple phones to make a pay wave purchase in excess of $6000. Police were called after the woman then left the shop and attempted to enter another high-end retailer,” detective senior sergeant Craig Bolton said.

What's ghost tapping then? It is a technique scammers use to cash out their ill-gotten gains after they've phished payment card details from victims, or stolen them with malware.

With those crucial details at hand, and loaded onto "burner" or disposable phones, or into their own digital wallets like Apple Pay or Google Pay, it's time to go shopping. This is similar to how the "Darcula" text scammers operate, to get hold of the money stored on the payments card that they've managed to add to their digital wallets.

First, you ask accomplices to join a "motorcade", or to act as money mules, and do the shopping for you. They are sent to buy luxury items using Paywave, or Near Field Communications (NFC) tap-to-pay, hence the name, ghost tapping.

Ghost tapping is somewhat convoluted to employ, and that was the young woman's downfall. Essentially, the payments information captured via NFC is relayed from one smartphone to another in real time. Security vendor ThreatFabric, which described the cashing-out technique in November last year, has published an illustration of how ghost tapping works.

The criminals behind the scheme don't have to be anywhere near the mule buying things, and can be in different countries. It's important not to be so far away that the payment transaction times out because it takes too long, but that's it.

Victims' cards are "digitally tapped" in shops without the physical card or even the rightful owner present—hence the "ghost" in ghost tapping.

Cyber crims operating in Southeast Asia, as well as China and Cambodia, employ ghost tapping. The technique works with ATMs that use NFC tapping as well.

Once bought by the mules, high-value goods are resold for profit and laundered via Telegram-based platforms like Xinbi Guarantee and Tudou Guarantee, American security vendor Recorded Future wrote in its recent report on ghost tapping.

Singapore has seen many cases of ghost tapping, with the police force receiving 656 reports between October and December last year alone. Losses recorded were at least S$1.2 million, the Singapore Police Force said.

Ghost tapping is done at scale as well. Singaporean Chinese-language newspaper Lianhe Zaobao reported in May that two men were arrested at the Woodlands immigration checkpoint carrying 15 iPhones on them in April this year.

For consumers, it's hard to spot this scam until after the money is gone. Security experts urge banks to tighten wallet addition security with app-based authorisations and by hiding one-time passwords in SMS, and urge the public to remain vigilant for suspicious charges.

Also, once a card has been compromised, or if you suspect it's been added to a digital wallet without permission, block it immediately and review all recent wallet activity.
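
The Newmarket case, in which several phones were tried unsuccessfully for one purchase of more than $6000, points to a signal a card issuer or acquirer could watch for. The sketch below is an added example, not taken from the police, ThreatFabric or Recorded Future: it flags merchants where several different wallet device tokens have declined high-value taps within a short window. The field names, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample tap-to-pay authorisation attempts (not real data).
# Fields: time, merchant, wallet device token, amount, approved
ATTEMPTS = [
    ("2025-01-10T14:01:05", "shop-A", "tok-1", 6200.00, False),
    ("2025-01-10T14:03:40", "shop-A", "tok-2", 6200.00, False),
    ("2025-01-10T14:06:10", "shop-A", "tok-3", 6200.00, False),
    ("2025-01-10T14:07:00", "shop-A", "tok-7", 25.00, True),     # ordinary sale
    ("2025-01-10T09:00:00", "shop-B", "tok-9", 1500.00, False),  # one phone retrying
    ("2025-01-10T09:01:00", "shop-B", "tok-9", 1500.00, False),
    ("2025-01-10T10:00:00", "shop-C", "tok-4", 2000.00, False),  # hours apart
    ("2025-01-10T16:00:00", "shop-C", "tok-5", 2000.00, False),
]

def flag_multi_device_bursts(attempts, window=timedelta(minutes=15),
                             min_amount=1000.0, min_devices=2):
    """Return {merchant: [tokens]} where at least min_devices distinct wallet
    tokens had declined taps of min_amount or more inside one time window."""
    by_merchant = defaultdict(list)
    for ts, merchant, token, amount, approved in attempts:
        if not approved and amount >= min_amount:
            by_merchant[merchant].append((datetime.fromisoformat(ts), token))

    flagged = {}
    for merchant, events in by_merchant.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            tokens = {tok for _, tok in events[start:end + 1]}
            if len(tokens) >= min_devices:
                flagged.setdefault(merchant, set()).update(tokens)
    return {m: sorted(toks) for m, toks in flagged.items()}

if __name__ == "__main__":
    for merchant, tokens in flag_multi_device_bursts(ATTEMPTS).items():
        print(f"review {merchant}: declined high-value taps from {tokens}")
```

A single phone retrying (shop-B) and unrelated declines hours apart (shop-C) are left alone, which keeps the rule from firing on ordinary failed payments.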


1 Comments

Remind me again why I would want a digital wallet?
