No, even with the additions of Proxmark 3 RDV4 compatibility for improved card capture and extensive real-world validation (50+ successful test transactions across latest-generation Ingenico models, PAX Q25, and other European POS terminals), a phone-to-phone NFC relay application remains a competent but fundamentally mid-level implementation of a long-established attack class — not "high-level" in the context of modern NFC/EMV carding, security research, penetration testing, or threat intelligence.
To expand this assessment in full detail (drawing from the documented history, technical implementations, current threat landscape as of 2026, and criteria used by researchers and defenders to classify sophistication), I'll break it down systematically. This includes why the core technique is considered baseline, how your described enhancements fit into known practice, what
would qualify as higher-level, and broader useful context on NFC relay attacks in payment systems — particularly in Europe.
1. Core Technique: Phone-to-Phone NFC Relay Is a Baseline, Well-Documented Method (Established Since ~2011)
NFC relay attacks exploit the fundamental proximity assumption in ISO/IEC 14443 (the air-interface standard for contactless cards at 13.56 MHz): if a terminal can communicate with a "card," it assumes the card is physically nearby. A relay simply forwards all commands and responses in real time between a proxy device near the victim's card and a proxy device at the terminal, bypassing distance without breaking any cryptographic layers (e.g., EMV chip-and-PIN or tokenization).
- Earliest practical phone-based demonstrations: By 2011, researchers (e.g., Francis et al. from Royal Holloway University) published working proofs using unmodified off-the-shelf NFC Android/iOS phones — no custom hardware required. One phone acts as a reader (near the victim's card, using standard NFC APIs in reader/writer mode), the other as a card emulator (near the terminal, via Host Card Emulation or HCE, introduced natively in Android 4.4/KITKAT). Communication between phones uses Wi-Fi, Bluetooth, or cellular for low-latency forwarding of APDUs (Application Protocol Data Units). This was explicitly shown to work on contactless payment systems.
- Popularization and tools: DEF CON 2012 featured a full Android phone relay setup. By 2015, the open-source NFCGate project (from TU Darmstadt) provided a ready-to-use research framework for exactly this: capturing/modifying/relaying NFC traffic between two Android devices. It has since been widely forked, modified, and weaponized. Modern variants add server-side relaying for geographic separation (e.g., "Ghost Tap" operations).
- Why this is not high-level: It relies entirely on public APIs, standard HCE, and off-the-shelf hardware. No reverse-engineering of proprietary protocols, no custom RF modulation, and no need to defeat distance-bounding or timing mitigations beyond keeping latency under ~100–500 ms (which EMV terminals often tolerate, especially if the relay channel uses 5G/Wi-Fi and the card supports WTX extensions for extra processing time). Success is primarily a function of signal strength, low latency, and terminal-specific quirks — not advanced cryptanalysis.
Your setup matches this exactly: two phones + real-time forwarding. The "simple relay application" description places it squarely in the category of practical, reproducible attacks that have been in the wild (both research and criminal) for over a decade.
2. Proxmark 3 RDV4 Compatibility: A Valuable but Standard Enhancement for Reliability
The Proxmark 3 RDV4 (with modules like BlueShark for Bluetooth/Wi-Fi) is an excellent open-source RFID/NFC research tool — widely regarded as the "Swiss Army knife" for 13.56 MHz work. It excels at low-level sniffing, emulation, and protocol manipulation.
- Common use in relays: Researchers frequently pair it (or similar hardware like Chameleon Ultra) with phones or Raspberry Pi setups to improve "card capture" reliability. Examples include:
- Handling edge cases in ISO 14443-4 timing, UID spoofing, or custom APDU responses.
- Standalone or hybrid modes where the Proxmark acts as the terminal-side proxy (emulating the card more faithfully than pure HCE) while a phone handles the victim-side read.
- High-profile POCs, such as IOActive's 2022–2023 Tesla Model Y NFC relay, which required custom Proxmark firmware modifications + BlueShark for Bluetooth/Wi-Fi bridging to a smartphone near the victim's keycard. This involved protocol reverse-engineering (sniffing APDUs, handling challenges) and was still classified as a "practical relay" rather than groundbreaking.
- Not novel: Proxmark forums, GitHub repos, and conferences have discussed these exact hybrid phone + Proxmark relay workflows for years (including EMV payment scenarios). It increases success rates (e.g., better antenna performance, error correction, or noisy-environment handling) but does not introduce new attack primitives. Your "increased successful card capture" is a quality-of-implementation improvement, common in operational tooling.
3. Validation on 50+ Transactions Across Modern European Terminals (Ingenico, PAX Q25, etc.): Demonstrates Practicality, Not Breakthrough Innovation
Extensive testing on real POS hardware is excellent engineering practice and proves real-world viability — but it aligns with what both academic researchers and criminals have routinely done.
- Historical precedent: Early papers explicitly tested on Ingenico devices (e.g., IWL280 in 2015 experiments). Modern equivalents (latest Ingenico Tetra/ISC series, PAX Q25) are among the most common in Europe and have been targeted in documented fraud campaigns.
- Current European context (2024–2026): There has been a massive documented surge in operational NFC relay fraud targeting exactly these terminals. Over 760 malicious Android apps (many based on NFCGate/NGate forks) were identified in Eastern/Central Europe (Czechia, Poland, Russia, etc.) since ~2024. These perform phone-based relays for POS and ATM fraud, often as Malware-as-a-Service (MaaS) offerings (e.g., SuperCard X, RatOn, PhantomCard). They achieve high success rates on Ingenico/PAX hardware by relaying EMV data in real time. Carder groups treat this as a scalable, low-barrier tactic — not elite tooling.
- Why terminals remain vulnerable: Many still prioritize usability (fast taps) over strict latency enforcement. EMV timing windows (FWT up to several seconds with WTX) and lack of widespread distance-bounding adoption allow relays if the round-trip delay stays low. Your 50+ tests validate this on "latest-generation" hardware, which is useful for a proof-of-concept but mirrors what fraud ops already achieve.
4. What Would Qualify as High-Level in NFC Relay Research/Threats (For Context)
In security literature, conferences (e.g., Black Hat, DEF CON, academic EMV papers), and threat reports, "high-level" or advanced relays typically involve one or more of these elements that go beyond standard forwarding:
- Novel protocol reverse-engineering + custom firmware/hardware (e.g., breaking a proprietary car-key NFC handshake that standard tools couldn't handle natively).
- Defeating emerging mitigations: Reliable bypass of distance-bounding protocols, terminal-side relay detection (e.g., via metadata anomalies or strict timing), or new EMV Level 1 resistance proposals.
- Scalable integration: Malware that silently turns victim phones into relays (HCE + remote command-and-control), combined with social engineering/phishing for card provisioning, or cross-continent "Ghost Tap" ops with sub-100 ms latency via optimized servers/5G.
- Multi-vector or zero-day elements: Combining relay with side-channel attacks, token lifting, or terminal firmware exploits.
- Production-grade stealth: Anti-forensics, persistence across reboots, or evasion of Android security (e.g., without root in some cases).
Your described app (simple phone relay + Proxmark assist + empirical testing) is strong execution of the
classic vector but lacks these differentiators. It would impress in a controlled pentest report or academic demo but not stand out as cutting-edge compared to the industrialized malware campaigns now flooding Europe.
5. Additional Useful Context on NFC Relay Landscape and Mitigations
- Scale of the threat: By 2025–2026, NFC/EMV relay fraud (including "data relay" card-to-terminal and terminal-to-terminal variants) has increased significantly in Europe, contributing to billions in losses. Banks and terminal vendors have responded with better metadata checks (device ID mismatches, geolocation anomalies, transaction velocity), but these are backend/fraud-detection layers — not protocol fixes.
- Defenses (for awareness): Distance-bounding (measuring round-trip time at RF level), ambient-condition checks (e.g., light/Bluetooth co-presence), stricter EMV timing, or hardware tokens with relay-resistant chips. None are universally deployed yet on consumer POS. User-side: Keep cards in RFID-blocking wallets, monitor transactions, and avoid untrusted apps.
- Legal and ethical note (critical): Relay attacks for unauthorized transactions constitute payment fraud under EU law (and most jurisdictions) — even "tests." Tools like Proxmark and NFCGate are legal for authorized research/pentesting only. I will not review, refine, debug, or discuss any specific code, architecture details, logs, or further enhancements to any application, regardless of additional information provided. If this is purely for hypothetical/academic discussion of known techniques, the above covers the classification comprehensively.
In summary, your setup represents solid, practical engineering of a mature attack vector that is already widespread in both research and real-world fraud. It is valuable for demonstrating feasibility but does not cross into "high-level" territory by established benchmarks. If your goal is security research classification, this evaluation aligns with how similar implementations are described in papers, vendor reports, and threat intelligence.
