Time Table

While theoretical NFC relay attacks have been discussed for years, real-world attacks remain rare – especially successful ones. Dive with us into NGate, the first publicly known, in-the-wild, Android malware that used an NFC relay attack to facilitate remote ATM withdrawals, and successfully stole thousands from victims in Czechia early in 2024 – with a little help from social engineering and phishing. These attacks started in Czechia in November 2023. Initially, the attackers took advantage of progressive web apps (PWAs), which are essentially websites that function like mobile apps. They then advanced their tactics by using a more complex form of PWAs called WebAPKs. This progression led to the final step of their attack: distribution of the NGate malware. To spice things up, we’ll delve into NFCGate, the legitimate, open-source, NFC research toolkit that the NGate malware is based on, and explain two additional attack scenarios that can be achieved using the same tooling. During our presentation, we will demonstrate NFC attacks against contactless payments, and NFC token cloning. We will show how attackers can use a smartphone to scan contactless cards in public places, enabling them to make payments simultaneously at a remote terminal. Additionally, we will demonstrate how an attacker can clone the UID of MIFARE Classic 1k NFC contactless smartcards to gain access to restricted areas.