Evolution of Carding Methods in the Age of Contactless Payments and NFC Technologies: An Educational Review (2025)

Student

This overview is intended for educational purposes and focuses on the evolution of carding (the illegal use of stolen payment card data) methods in the context of the transition to NFC (Near Field Communication)-based contactless payments. We will examine the historical background, technological advances, specific fraud methods, countermeasures, and future trends. The information is based on reports from reputable sources such as ESET, ThreatFabric, Krebs on Security, Juniper Research, and Resecurity, with a focus on the 2024–2025 period. The goal is to raise awareness of the risks to promote better protection, not to encourage illegal activity. Remember: carding is a crime punishable by law worldwide.

1. Historical Context: From Traditional Carding to the NFC Era

  • Classic carding (pre-2020s): Early methods relied on physical access to cards. Key techniques included:
    • Skimming: Installing counterfeit readers on ATMs or POS terminals to copy the magnetic stripe and PIN.
    • Phishing and dumping: Stealing data through fake websites or database leaks, then using it for online purchases.
    • Scale: In 2019, global damage from carding exceeded $30 billion (according to the Nilson Report), but the attacks were slow and localized.
  • The Transition to Contactless Payments: Since 2020, accelerated by the COVID-19 pandemic, NFC has become dominant. Contactless cards and mobile wallets (Apple Pay, Google Pay) allow transactions in seconds without entering a PIN for amounts up to $100–$250 (depending on the region). By 2024:
    • Global contactless payments volume: $6.25 trillion (up 25% from 2023, according to Statista).
    • Penetration: 80% of transactions in Europe, 65% in the US, 50% in Asia (Visa Data). This convenience has created new vulnerabilities: NFC operates at a distance of 4 cm, allowing signals to be intercepted without physical contact.
  • Why did this evolution accelerate in 2024–2025? The rise of NFC-enabled smartphones (4.2 billion devices in 2024, according to IDC) and integration with biometrics (Face ID, fingerprints) have made payments seamless. However, fraudsters have adapted: traditional skimming has given way to real-time attacks, where data is stolen and used instantly. According to ESET, NFC attacks will increase 35-fold in 2024–2025, with a focus on relay circuits and mobile wallets.

2. NFC Technological Foundations and Their Vulnerabilities

NFC is a short-range communication technology (13.56 MHz); contactless payment cards use the ISO/IEC 14443 standard. For payments, the EMV standard (Europay, Mastercard, Visa) runs on top of it, with chips that provide:
  • Tokenization: The actual card number is replaced with a temporary token, valid for only one transaction.
  • Dynamic CVV: Changes for each session, reducing risks.
  • Biometrics: Confirmation via device (not transmitted to server).

Vulnerabilities:
  • Range: The signal can be intercepted using antennas (up to 10–20 cm with amplifiers).
  • No PIN for small amounts: Up to 5–10 taps without verification (in the EU – up to €50).
  • Mobile wallets: Data stored in HCE (Host Card Emulation) on the device is vulnerable to malware. In 2024–2025, these vulnerabilities were exploited through a combination of hardware (cheap readers for $20–50) and software (malware like NGate).

3. The Evolution of Carding Methods: A Detailed Analysis

Methods have evolved from static data theft to dynamic, real-time attacks. In 2024, simple relays dominated; in 2025, AI-integrated schemes with global scale will dominate. Damage: $21.69 billion in 2024 (Juniper), projected at $30.55 billion by 2029.

| Method | Technical description | Evolution in 2024–2025 | Examples and statistics | Difficulty level |
|---|---|---|---|---|
| NFC Relay Attacks | Two devices (A and B) form a "relay": A intercepts the victim's signal (card/smartphone) and relays it to B's terminal. It uses SDR (Software-Defined Radio) for a latency of <100 ms. | 2024: Basic apps (Flipper Zero + proxy). 2025: AI for latency and geolocation correction; 5G integration for a range of up to 100 m. Growth: +35x (ESET). | SuperCard X (April 2025, Italy): Android malware steals/retransmits PoS, causing €500,000 in damage. In Russia: ATM attacks in Moscow (Resecurity, February 2025). | Medium (requires a couple of devices, ~$100). |
| Ghost Tap | "Ghost" addition: Stolen data (tokens) are loaded into a mule's mobile wallet, then used for a chain of small transactions (cash-out via gift cards). | Late 2024: Emergence as a response to tokenization. 2025: Activation delay (1–4 weeks) to bypass AI; mule networks (up to 200 devices). Bypasses tap limits. | Chinese groups (ThreatFabric, February 2025): Phishing in the EU, adding to Google Pay for purchases in the US ($1M+). Krebs: Selling "booted" iPhones on the dark web. | High (requires software for HCE emulation, coordination). |
| Skimming and Emulation | EMV chip capture via counterfeit readers; emulation in apps (HCE Bridge simulates the chip). | 2024: Focus on wearables (Apple Watch). 2025: Deepfake videos for disputes with banks; malware disguises itself as "NFC managers." | NGate (2024, Czech Republic): ATM cloning, 1000+ incidents. SuperCard X: Emulation on remote servers for global PoS. | Low-medium (ready-made kits on GitHub, but risk of detection). |
| Phishing + Wallet Hijacking | Social engineering: Fake apps/sites steal credentials and add the card to your wallet for later use. | 2025: Integration with non-VBV BINs (banks without 3D Secure); AI-based generation of phishing texts. Delays lower flags. | Krebs (February 2025): Chinese phishers sell access for $50 per card. 40% growth in Asia (CSIS). | Low (mass, via Telegram bots). |

  • Who's behind the attacks? Organized groups predominate: Chinese (Lazarus-like, focusing on global cash-outs) and Russian (for local ATMs). In 2025: The rise of MaaS (Malware-as-a-Service) — relays are sold for $200/month on forums like Exploit.in.
  • Scale: In H1 2025 - 1.2 million incidents (Visa), with a peak in retail (50% of attacks).

4. Countermeasures: Technologies and Practices

Banks and issuers (Visa, Mastercard) had invested $15 billion in security by 2024. Key innovations:
  • Tokenization and dynamic codes: 90% of transactions are tokenized (EMVCo, 2025); CVV changes every 30 sec.
  • AI and machine learning: Metadata analysis (geolocation, device, patterns). Visa's Visa Secure: Blocks 85% of relays due to delays.
  • Biometrics and multifactor: Integration with wearables; in the EU, mandatory for >€50 (PSD3, 2025).
  • Hardware solutions: RFID/NFC blockers (foil or cases, 95% efficiency).
  • Regulatory changes: In the US, the CFPB rules on real-time monitoring (2025); in the EU, the DORA for bank resilience.
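
The metadata analysis listed above (geolocation, device, patterns) can be sketched as two issuer-side rules. This is an added example, not part of the original post or any vendor's product; the `Tap` fields, thresholds and sample taps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0                       # assumed ceiling, roughly airliner speed
BURST_WINDOW = timedelta(minutes=30)  # assumed window after a device's first tap
BURST_COUNT = 3                       # assumed tap count that makes a burst

@dataclass
class Tap:
    card_ref: str    # issuer-side reference to the funding card (hypothetical)
    device_id: str   # wallet device id, or "plastic" for the physical card
    ts: datetime
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def score(taps):
    """Return (rule, card_ref, device_id, ts) alerts for an issuer to review."""
    alerts, last, seen, fired = [], {}, {}, set()
    for t in sorted(taps, key=lambda x: x.ts):
        prev = last.get(t.card_ref)
        if prev and prev.device_id != t.device_id:
            # Same card on two devices: is the implied speed physically possible?
            hours = max((t.ts - prev.ts).total_seconds(), 1.0) / 3600
            if km_between(prev, t) / hours > MAX_KMH:
                alerts.append(("impossible_travel", t.card_ref, t.device_id, t.ts))
        key = (t.card_ref, t.device_id)
        times = seen.setdefault(key, [])
        times.append(t.ts)
        early = [s for s in times if s - times[0] <= BURST_WINDOW]
        if t.device_id != "plastic" and len(early) >= BURST_COUNT and key not in fired:
            fired.add(key)  # alert once per card/device pair
            alerts.append(("first_use_burst", t.card_ref, t.device_id, t.ts))
        last[t.card_ref] = t
    return alerts

SAMPLE = [  # constructed data: C1 plastic in Prague, then a new wallet device in New York
    Tap("C1", "plastic", datetime(2025, 3, 1, 9, 0), 50.08, 14.43),
    Tap("C2", "plastic", datetime(2025, 3, 1, 9, 5), 50.08, 14.43),
    Tap("C1", "D9", datetime(2025, 3, 1, 9, 40), 40.71, -74.00),
    Tap("C1", "D9", datetime(2025, 3, 1, 9, 45), 40.71, -74.00),
    Tap("C1", "D9", datetime(2025, 3, 1, 9, 50), 40.71, -74.00),
]
```

Calling `score(SAMPLE)` flags card C1 twice and leaves C2 alone; in practice such alerts feed a risk score alongside other signals, since a customer with a new phone can trigger the burst rule legitimately.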

Practical recommendations for users:
  1. Enable transaction notifications and monitor geolocation.
  2. Use virtual cards (single-use numbers) in Apple/Google Pay.
  3. Avoid public Wi-Fi for payments; keep your OS/apps updated.
  4. For business: Implement EMV 3-D Secure v2.2 (reduces fraud by 70%).

5. Future Trends and Forecasts

  • By 2026: 80% of cards will be contactless (Juniper); fraud will increase by 106%, but AI will reduce losses by 40%.
  • New challenges: Attacks on open banking (Apple opens NFC in 2025) and blockchain wallets; growth in wearables (Ring Pay).
  • Positive developments: Transition to quantum-resistant encryption (NIST, 2025) and global standards (ISO 20022).
  • General trend: Balancing convenience and security – NFC will boost the economy ($10 trillion by 2030), but will require continuous training and investment.

This analysis highlights how technology creates both opportunities and risks. For a more in-depth study, I recommend ESET's "NFC Fraud Trends 2025" report and the Krebs on Security archives. If you have any questions about specific aspects, please ask!
 