
Introduction:
Contactless payment cards and NFC-enabled devices have revolutionized transactions but introduced a silent threat: unauthorized skimming and relay attacks. As highlighted by security professionals in a recent industry discussion, even a locked phone can be vulnerable under specific conditions (e.g., Apple Pay + Visa combinations), while physical card modifications like antenna drilling expose deep frustration with bank-issued NFC. This article dissects real-world attack vectors—from off-the-shelf SoftPOS abuse to HCE-based relay exploits—and delivers actionable countermeasures across hardware, software, and policy layers.
Learning Objectives:
– Execute and defend against NFC relay attacks using Proxmark3 and Android Host Card Emulation (HCE)
– Implement hardware-level disabling techniques and validate RFID-blocking wallets with open-source tools
– Configure payment tokenization, biometric enforcement, and transaction limits across iOS, Android, and Windows ecosystems
You Should Know:
1. Physical NFC Disabling: The Antenna Drill Method (For Educational Awareness Only)
Some users drill a micro-hole through the card’s antenna coil to permanently kill NFC without affecting magnetic stripe or chip. This voids warranties and risks damaging the card entirely. To verify NFC functionality before/after on Linux:
```bash
# Install libnfc and tools
sudo apt install libnfc-bin libnfc-dev
# List detected NFC devices (e.g., ACR122U)
nfc-list
# Read a contactless card (hold near reader)
nfc-poll
```
If `nfc-poll` returns card UID and SAK, NFC is active. After drilling (targeting the thin wire loop around the card perimeter), re-run `nfc-poll`—a timeout or “no target found” confirms success. Windows alternative: Use `NFC Tools` GUI or PowerShell with Windows.Devices.SmartCards API.
2. Relay Attack Simulation: Proxmark3 + Android HCE
Attackers capture your card’s data at a distance (e.g., via hidden reader) and relay it to a malicious POS. Off-the-shelf tools make this feasible.
Step‑by‑step (Linux):
– Install Proxmark3 dependencies: `sudo apt install build-essential libreadline5 libusb-0.1-4`
– Clone and build: `git clone https://github.com/RfidResearchGroup/proxmark3.git; cd proxmark3; make clean; make all`
– Connect Proxmark3, run client: `./pm3`
– Read a card: `hf mf autopwn` (for Mifare Classic) or `hf 14a read` (ISO14443A)
– Set up Android HCE app (e.g., “NFC Relay”) to forward captured UID+data to a second device near a terminal
– Use relay to initiate payment; if successful, your card is vulnerable.
Mitigation: Enable transaction limits (< $30 without PIN/CVM), use mobile wallets with online authentication, or store cards in verified Faraday wallets (test using step 5).
3. Mobile Payment Hardening: Locked Phone ≠ Always Safe
Nikita Bohuslavskyi noted that locked phones generally disable NFC, but Václav Dvořák pointed out a bypass video for Apple+Visa. Here’s how to lock down mobile payments:
iOS (iPhone):
– Settings → Wallet & Apple Pay → Disable “Double-Click Side Button” (requires Face ID/Touch ID for each payment)
– Enable “Express Transit” only if you never carry high-value cards (disable for credit/debit)
Android (Google Pay):
– Settings → Connected devices → NFC → Require device unlock for NFC
– Disable “Tap & pay” when screen off or locked
Windows (rare for payments, but for PC-connected NFC readers):
– Open PowerShell as Admin: `Get-PnpDevice | Where-Object {$_.FriendlyName -like "*NFC*"} | Disable-PnpDevice -Confirm:$false`
– To re-enable: `Enable-PnpDevice -InstanceId
Always use biometrics + strong PIN, and never root/jailbreak devices handling payment tokens.
4. Detecting Skimming Attempts with Wireshark + FPC Sniffer
Advanced defenders can capture NFC traffic using an FPGA-based sniffer (e.g., FPC-Adapter for Proxmark3). For near-field analysis:
```bash
# Capture USB traffic from the NFC reader
sudo tcpdump -i usbmon0 -w nfc_skimming.pcap
# Or use nfc-sniffer (custom Python)
pip install nfcpy
python - <<'EOF'
import nfc
clf = nfc.ContactlessFrontend('usb')
while True:
    clf.connect(rdwr={'on-connect': lambda tag: print(tag)})
EOF
```
In Wireshark, filter for bulk transfers with `usb.transfer_type == 0x03` and look for repeated READ BINARY commands or unexpected APDUs (e.g., `FF CA 00 00 00` – Get UID). If you see hundreds of attempts in seconds, a skimmer is present.
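The "hundreds of attempts in seconds" check can be automated once the command APDUs and their timestamps have been exported from the capture. The following is an added example, not code from the original article: the 100-hits-in-5-seconds threshold, the function names, and the sample capture are all constructed assumptions.

```python
from collections import deque

GET_UID = bytes.fromhex("FFCA000000")  # PC/SC "Get UID" pseudo-APDU quoted in the text
INS_READ_BINARY = 0xB0                 # ISO 7816-4 READ BINARY instruction byte

def classify(apdu: bytes) -> str:
    """Label a command APDU with the pattern it matches, or OTHER."""
    if apdu == GET_UID:
        return "GET_UID"
    if len(apdu) >= 4 and apdu[1] == INS_READ_BINARY:
        return "READ_BINARY"
    return "OTHER"

def find_bursts(events, window_ms=5000, threshold=100):
    """Return (start_ms, end_ms, count) for each run of watched commands
    that reaches `threshold` hits inside a sliding `window_ms` window.
    `events` is a time-ordered list of (timestamp_ms, apdu_bytes).
    The defaults are assumed values; tune them to your reader's normal traffic."""
    recent, bursts, in_burst = deque(), [], False
    for ts, apdu in events:
        if classify(apdu) == "OTHER":
            continue
        recent.append(ts)
        while ts - recent[0] > window_ms:   # drop hits older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if in_burst:                    # extend the open burst
                bursts[-1][1], bursts[-1][2] = ts, bursts[-1][2] + 1
            else:                           # open a new burst
                bursts.append([recent[0], ts, len(recent)])
                in_burst = True
        else:
            in_burst = False
    return [tuple(b) for b in bursts]

def sample_capture():
    """Constructed data: one normal card read, then 300 polls in 3 seconds."""
    normal = [
        (0,   bytes.fromhex("00A4040007A0000000031010")),  # SELECT by AID
        (200, GET_UID),
        (400, bytes.fromhex("00B2010C00")),                # READ RECORD
        (600, bytes.fromhex("00B0000010")),                # READ BINARY
    ]
    polls = [GET_UID, bytes.fromhex("00B0000000")]
    burst = [(60000 + 10 * i, polls[i % 2]) for i in range(300)]
    return normal + burst

if __name__ == "__main__":
    for start, end, count in find_bursts(sample_capture()):
        print(f"possible skimmer: {count} reads between {start} ms and {end} ms")
```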
5. DIY Faraday Cage Testing: Validate Your RFID-Blocking Wallet
Tomas Vojtek admitted he never tested his RFID-blocking wallet. Here’s a simple verification using a smartphone (with NFC enabled) and a standard payment card:
Step‑by‑step:
– Enable NFC on your phone and open a card reader app (e.g., “NFC Tools” on Android)
– Hold your card directly against the phone back – you should see card details (last 4 digits, sometimes PAN)
– Place the card inside the wallet/purse, close it, then try reading again through the closed wallet
– If no data appears, the blocker works. If data appears, the wallet is ineffective – upgrade to verified brands (e.g., Ridge, Bellroy) or use a DIY aluminum foil wrap (3+ layers).
For enterprise audits, use a Proxmark3 with high gain antenna to test shielding effectiveness at various distances (0–10 cm).
6. Incident Response: Steps After Suspected Skimming
If you see an unauthorized contactless transaction (even a small test charge):
– Immediately call your bank’s fraud line – reference “NFC relay attack” and demand a chargeback under scheme rules (Visa/Mastercard zero-liability)
– Request a replacement card with no NFC (many EU banks still issue upon request, though Czech banks reportedly resist)
– Extract forensic data from your phone’s NFC log (Android: `adb logcat -s NFCService`; iOS: no direct log, but check Wallet transaction history)
– File a police report including the transaction timestamp, amount, and merchant ID (available from bank)
– If you have a personal Proxmark3, capture the ambient RF environment at the suspected skimming location: `./pm3 auto` and save logs.
What Undercode Say:
– Physical blockers are a placebo without testing – many users carry “RFID-blocking” wallets that fail real-world verification; DIY testing using a phone is quick and essential.
– Mobile payments offer better security if properly configured – locked phones with biometrics and per-transaction authorization defeat nearly all relay attacks, except for certain Apple+Visa bypasses (now patched but revealing systemic design flaws).
– Radical physical modification (drilling antennas) signals a market failure – banks refusing to issue non-NFC cards push users toward destructive workarounds, highlighting the need for regulatory mandates on user choice.
– Relay attacks are not theoretical – Andrej Turcan demonstrated off-the-shelf relay tools using HCE, and Sebastian Huskins noted you can buy a Sumup POS on the open web (no darkweb required) to capture NFC data, though scheme rules enable chargebacks.
Prediction:
+1 Increased adoption of tokenized mobile wallets (Apple Pay, Google Pay) will shift attack targets from physical cards to phone NFC stacks, driving demand for runtime biometrics and AI-based anomaly detection.
+1 Regulators (especially under NIS2/DORA) will mandate “NFC kill switches” in banking apps, allowing users to disable contactless per card without hardware modification.
-1 Relay attacks will evolve into fully automated, AI-powered bots that scan public transport gates and retail queues, then execute high-value transactions seconds later using software-defined radios (SDRs) – outracing traditional fraud detection.
-1 Consumer complacency will grow as “zero liability” policies encourage risky behavior, leading to a surge in small-amount, high-volume skimming that bypasses bank alerts (e.g., €10–20 transactions).
IT/Security Reporter URL:
Reported By: [Andrej Seben](https://www.linkedin.com/posts/andrej-seben_pou%C5%BE%C3%ADvate-niekto-rfidnfc-blokuj%C3%BAcu-pe%C5%88a%C5%BEenku-ugcPost-7467688662894338048-Y_Wf/) – Hackers Feeds


