NFC and card cloning: real risks and how to block contactless payments

Last update: 12/11/2025

  • RFID/NFC facilitate contactless payments, but expose them to skimming, relaying, and malicious apps if barriers are not applied.
  • From phishing to wallet linking: with data and an OTP, attackers can pay without your PIN or OTP in store.
  • Key measures: low limits, biometrics, tokenization, turning off NFC/contactless, alerts, and virtual cards.
  • Monitor amounts and receipts, review statements, and use device protection to stop fraud in time.

Proximity technologies have made our lives more convenient, but they have also opened new doors for scammers; that's why it's important to understand their limitations and implement safety measures before the damage actually occurs.

In this article you will find, without beating around the bush, how NFC/RFID works, what tricks criminals use at events and in crowded places, what threats have emerged in mobile phones and payment terminals, and above all, how to block or mitigate contactless payments when it suits you. Let's get started with a complete guide on NFC and card cloning: real risks and how to block contactless payments.

What is RFID and what does NFC add?

To put things in perspective: RFID is the foundation of it all. It's a system that uses radio frequency to identify tags or cards at short distances, and it can work in two ways. In its passive variant, the tag has no battery and is activated by the reader's energy. It is typical for transport passes, identification, or product labeling. In its active version, the tag incorporates a battery and reaches greater distances, which is common in logistics, security, and automotive.

To put it simply, NFC is an evolution designed for everyday use with mobile phones and cards: it allows bidirectional communication, is optimized for very short distances, and has become the standard for fast payments, access, and data exchange. Its greatest strength is immediacy: you bring it close and that's it, without inserting the card into the slot.

Contactless payments with NFC

When you pay with a contactless card, the NFC/RFID chip transmits the necessary information to the merchant's payment terminal. However, if you pay with your mobile phone or watch, you're in a different league: the device acts as an intermediary and adds layers of security (biometrics, PIN, tokenization), which reduces the exposure of the card's actual data.

Contactless cards versus payments with devices

  • Contactless physical cards: Simply bring them close to the terminal; for small amounts, a PIN may not be required, depending on the limits set by the bank or country.
  • Payments with mobile phone or watch: They use digital wallets (Apple Pay, Google Wallet, Samsung Pay) that usually require fingerprint, face or PIN, and replace the real number with a one-time-use token, which prevents the merchant from seeing your authentic card.

The fact that both methods share the same NFC foundation does not mean they pose the same risks. The difference lies in the medium (plastic versus device) and in the additional barriers added by the smartphone, especially authentication and tokenization.

Where and how do contactless frauds occur?

Criminals exploit the fact that NFC reading occurs at very short range. In crowded places (public transport, concerts, sporting events, fairs) a portable reader can approach pockets or bags without raising suspicion and capture information. This method, known as skimming, allows for the duplication of data, which is then used for purchases or cloning, although they often need additional steps to make the fraud effective.

Another vector is the manipulation of terminals. A modified payment terminal with a malicious NFC reader can store data without you noticing, and if combined with hidden cameras or simple visual observation, attackers can obtain key information such as digits and expiration dates. It's rare in reputable shops, but the risk increases at makeshift stalls.

Nor should we forget identity theft: with enough data, criminals can use it for online purchases or transactions that don't require a second factor. Some entities provide better protection than others, using strong encryption and tokenization, but, as experts warn, when the chip transmits, the data necessary for the transaction is present.

In parallel, attacks have emerged that don't aim to read your card on the street, but rather to remotely link it to the criminal's own mobile wallet. This is where large-scale phishing, fake websites, and the obsession with obtaining one-time passwords (OTPs) come into play, since OTPs are the key to authorizing operations.

Cloning, online shopping, and why it sometimes works

Sometimes, the captured data includes the full serial number and expiration date. That may be enough for online purchases if the merchant or bank doesn't require further verification. In the physical world, things are more complicated due to EMV chips and anti-fraud controls, but some attackers try their luck with transactions at permissive terminals or with small amounts.

From bait to payment: linking stolen cards to mobile wallets

A growing tactic involves setting up networks of fraudulent websites (fines, shipping, invoices, fake stores) that request "verification" or a token payment. The victim enters their card details and, sometimes, an OTP (one-time password). In reality, nothing is charged at that moment: the data is sent to the attacker, who then attempts to link that card to their own Apple Pay or Google Wallet as soon as possible.

To speed things up, some groups generate a digital image that replicates the card with the victim's data, "photograph" it from the wallet, and complete the linking if the bank only requires the number, expiration date, holder, CVV, and OTP. Everything can happen in a single session.

Interestingly, they don't always spend immediately. They accumulate dozens of linked cards on a phone and resell it on the dark web. Weeks later, a buyer will use that device to pay in physical stores via contactless or to collect payment for nonexistent products in their own store within a legitimate platform. In many cases, no PIN or OTP is requested at the POS terminal.

There are countries where you can even withdraw cash from NFC-enabled ATMs using your mobile phone, adding another monetization method. Meanwhile, the victim may not even remember the failed payment attempt on that website and won't notice any "strange" charges until it's too late, because the first fraudulent use occurs much later.

Ghost Tap: the transmission that fools the card reader

Another technique discussed in security forums is NFC relay, nicknamed Ghost Tap. It relies on two mobile phones and legitimate test applications like NFCGate: one holds the wallet with stolen cards; the other, connected to the internet, acts as the "hand" in the store. The signal from the first phone is relayed in real time, and the mule brings the second phone close to the card reader, which does not easily distinguish between an original and a retransmitted signal.

The trick allows several mules to pay almost simultaneously with the same card, and if the police check the mule's phone, they only see a legitimate app without any card numbers. The sensitive data is on the other device, perhaps in another country. This scheme complicates attribution and accelerates money laundering.
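
Because relayed taps let the same wallet token appear at distant terminals within minutes, an issuer-side check can look for taps that no single physical device could have made. The sketch below is an added example, not code from this article or from any bank; the record layout, the speed ceiling, the same-area radius and the sample transactions are all assumptions constructed for illustration.

```python
import math
from datetime import datetime

# Constructed sample, not real data: (wallet token id, timestamp, terminal lat, lon).
SAMPLE_TXNS = [
    ("tok-A", "2025-01-10T12:00:00", 40.4168, -3.7038),  # Madrid
    ("tok-A", "2025-01-10T12:03:00", 41.3874, 2.1686),   # Barcelona, 3 minutes later
    ("tok-A", "2025-01-10T12:04:00", 40.4170, -3.7040),  # Madrid again, 1 minute later
    ("tok-B", "2025-01-10T09:00:00", 40.4168, -3.7038),  # Madrid
    ("tok-B", "2025-01-10T15:00:00", 41.3874, 2.1686),   # Barcelona, 6 hours later
]

MAX_SPEED_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed
SAME_AREA_KM = 1.0     # assumed: taps this close together are one shopping trip


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def flag_relay_candidates(txns, max_speed_kmh=MAX_SPEED_KMH):
    """Return (token, earlier, later, distance_km) for consecutive taps of one
    token that no single physical device could have made."""
    by_token = {}
    for token, ts, lat, lon in txns:
        by_token.setdefault(token, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for token, events in by_token.items():
        events.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist <= SAME_AREA_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous taps far apart, or an impossible implied speed.
            if hours == 0 or dist / hours > max_speed_kmh:
                alerts.append((token, t1.isoformat(), t2.isoformat(), round(dist, 1)))
    return alerts


if __name__ == "__main__":
    for alert in flag_relay_candidates(SAMPLE_TXNS):
        print(alert)
```

On the sample data only tok-A is flagged. A check like this does not catch a relay whose terminals are all in the same area, so it complements rather than replaces the other controls described in this article.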

Mobile malware and the NGate case: when your phone steals for you

Security researchers have documented campaigns in Latin America, such as the NGate scam in Brazil, where a fake Android banking app prompts users to activate NFC and "bring their card close" to the phone. The malware intercepts the communication and sends the data to the attacker, who then emulates the card to make payments or withdrawals. All it takes is for the user to trust the wrong app.

The risk is not exclusive to one country. In markets like Mexico and the rest of the region, where the use of proximity payments is growing and many users install apps from dubious links, the ground is fertile. Although banks are strengthening their controls, malicious actors iterate quickly and exploit any oversight.

How these scams operate step by step

  1. A trap warning arrives: a message or email that "requires" you to update the bank's app via a link.
  2. You install a cloned app: It looks real, but it's malicious and requests NFC permissions.
  3. It asks you to bring the card close: or to activate NFC during an operation, and captures the data there.
  4. The attacker emulates your card: and makes payments or withdrawals, which you will discover later.

Furthermore, another twist emerged at the end of 2024: fraudulent apps that ask users to hold their card near their phone and enter their PIN "to verify it." The app then transmits the information to the criminal, who makes purchases or withdrawals at NFC ATMs. When banks detected geolocation anomalies, a new variant appeared in 2025: they convince the victim to deposit their money into a supposedly secure account from an ATM, while the attacker, via relay, presents their own card; the deposit ends up in the hands of the fraudster and the anti-fraud system sees it as a legitimate transaction.

Added risks: card payment terminals, cameras, and identity theft

The tampered terminals not only capture what they need via NFC, but they can also store transaction logs and supplement them with images from hidden cameras. If they obtain the serial number and expiration date, certain unscrupulous online retailers could accept purchases without a second verification factor. The strength of the bank and the business makes all the difference.

In parallel, scenarios have been described where someone discreetly photographs a card or records it with their mobile phone as you take it out of your wallet. While it may sound basic, these visual leaks, combined with other data, can lead to identity fraud, unauthorized service sign-ups, or purchases. Social engineering completes the technical work.

How to protect yourself: practical measures that actually work

  • Set contactless payment limits: Lower the maximum amounts so that, if there is misuse, the impact is less.
  • Activate biometrics or PIN on your mobile phone or watch: This way, no one can pay from your device without your authorization.
  • Use tokenized wallets: They replace the actual number with a token, avoiding exposing your card to the merchant.
  • Deactivate contactless payment if you don't use it: Many entities allow you to temporarily disable that function on the card.
  • Turn off your phone's NFC when you don't need it: It reduces the attack surface against malicious apps or unwanted reads.
  • Protect your device: Lock it with a strong password, secure pattern, or biometrics, and don't leave it unlocked on any counter.
  • Keep everything updated: system, apps and firmware; many updates fix bugs that these attacks exploit.
  • Activate transaction alerts: Push and SMS to detect movements in real time and react instantly.
  • Check your statements regularly: dedicate a weekly moment to checking charges and locating suspicious small amounts.
  • Always verify the amount on the POS terminal: Look at the screen before bringing the card close and keep the receipt.
  • Define maximum amounts without PIN: This forces additional authentication on purchases of a certain amount.
  • Use RFID/NFC blocking sleeves or cards: They are not infallible, but they increase the attacker's effort.
  • Prefer virtual cards for online purchases: Top up your balance just before paying and disable offline payments if your bank offers it.
  • Renew your virtual card frequently: Changing it at least once a year reduces exposure if it leaks.
  • Link a different card to your wallet than the one you use online: separates risks between physical and online payments.
  • Avoid using NFC-enabled phones at ATMs: For withdrawals or deposits, please use the physical card.
  • Install a reputable security suite: Look for payment protection and phishing blocking features on mobile and PC.
  • Download apps only from official stores: and confirm the developer; be wary of links via SMS or messaging.
  • In crowded spaces: Keep your cards in an inside pocket or wallet with protection and avoid exposing them.
  • For businesses: Ask IT to review corporate mobiles, apply device management, and block unknown installations.

Recommendations from organizations and best practices

  • Check the amount before paying: Do not bring the card close until you have verified the amount on the terminal.
  • Keep receipts: They help you compare charges and file claims with evidence if there are discrepancies.
  • Activate notifications from the banking app: They are your first warning sign of an unrecognized charge.
  • Check your statements regularly: Early detection reduces damage and speeds up the bank's response.

If you suspect your card has been cloned or your account has been linked

The first thing is to block the cloned credit card from the app or by calling the bank, and request a new number. Ask the issuer to unlink any associated mobile wallets you don't recognize and to activate enhanced monitoring, in addition to changing passwords and checking your devices.

On your mobile device, uninstall apps you don't remember installing, run a scan with your security solution, and if signs of infection persist, restore to factory settings after making a backup. Avoid reinstalling from unofficial sources.

File a report if necessary and gather evidence (messages, screenshots, receipts). The sooner you report it, the sooner your bank can initiate refunds and block payments. Speed is key to stopping the domino effect.

The downside of contactless convenience is that attackers also operate in close proximity. Understanding how they work, from crowd skimming to linking cards to mobile wallets, Ghost Tap relaying, or malware that intercepts NFC, allows for informed decisions: tightening restrictions, requiring strong authentication, using tokenization, turning off features when not in use, monitoring movements, and improving digital hygiene. With a few solid barriers in place, it is perfectly possible to enjoy contactless payments while minimizing risk.
