NFC mobile payments vulnerable to data theft – 1
Mobile payment threats are significantly increasing, with contactless NFC (Near Field Communication) payments via smartphones becoming a prime target. Security experts warn that if a user’s phone is infected with malware, personal banking information can be stolen remotely without physical contact with the card.
A recent campaign, dubbed SuperCard X, leverages a new Android malware strain to exploit NFC vulnerabilities. This malware often spreads via deceptive SMS or WhatsApp messages, often posing as urgent notifications or warnings, prompting users to call spoofed customer support numbers. Criminals then trick users into installing malicious apps, falsely claiming the need to “verify bank cards.”
Once the malicious app is installed, the victim is prompted to place their bank card near the phone for verification. This action secretly triggers NFC activation, enabling the malware to discreetly read and steal card data. This stolen data is instantly transmitted to a remote device controlled by the attacker. This technique, known as an NFC relay attack, allows criminals to make contactless transactions or withdraw money from ATMs using the victim’s card details as if they possessed it themselves.
This method poses a significant risk, as it can work with various bank cards and bypass traditional fraud detection systems. Furthermore, antivirus software often struggles to detect SuperCard X because the malware requires minimal Android permissions, primarily needing only NFC functionality. This allows the malware to operate stealthily and evade suspicion. Researchers warn that this attack technique is increasingly being adopted by other malware types.
To protect yourself from such threats, cybersecurity experts advise:
Never install apps from untrusted sources: Avoid apps downloaded from suspicious links in SMS, WhatsApp messages, emails, or other unreliable sources. Only download apps from official app stores like Google Play Store and thoroughly research the developer.
Verify communications: Exercise caution and verify the authenticity of messages, emails, or calls requesting personal or financial information, or requiring any security-related action.
Contact banks directly: If you suspect any suspicious activity, contact your bank or related institutions through their official channels. Be extremely cautious if any app prompts you to bring your credit card near your phone, particularly if it’s not a legitimate banking or payment app you trust.
