(From the latest security research and reports – December 2025)
NFC skimming involves unauthorized reading of data from contactless (NFC-enabled) cards or devices. In 2025, with EMV contactless adoption >80% globally, traditional passive skimming is largely ineffective: a physical card exposes only static data (PAN, expiry) in the clear, every payment needs a fresh card-generated cryptogram (ARQC) that a reader cannot forge, and mobile wallets transmit a device token rather than the real PAN. However, advanced variants (relay attacks, malware-assisted relay) persist. The 2024–2025 campaigns discussed below hit Czechia, Italy, Brazil and Russia, and magstripe-fallback fraud survives in regions with legacy terminals (Mexico, DR, Brazil). Overall success rates are low (3–8 %) due to countermeasures like relay-resistance timing checks (distance bounding), motion sensors, latency detection, and biometric locks.
Below is a detailed breakdown of the main methods observed in 2025 research (Cleafy, ESET, ThreatFabric, Resecurity, Zimperium, Recorded Future).
1. Classic NFC Skimming (Passive Reading – <1 % Success)
Mechanics: Attacker uses a handheld NFC reader (PN532 module or modified phone) to capture data when close (few cm) to victim's card/phone.
2025 Reality:
- Captures only static data. A physical card answers an unauthenticated SELECT/READ RECORD with its Track 2 equivalent data (PAN, expiry, service code, iCVV) in the clear; it never exposes its keys or the CVV2, and no cryptogram is produced outside a real transaction.
- Success: <1 %. Mobile wallets transmit a device token (DPAN) instead of the real PAN, and the iCVV on the chip differs from the magstripe CVV1, so a magstripe clone built from the read fails issuer verification. Note the contactless channel is not encrypted; the protection is dynamic authentication, not confidentiality.
- Tools: Cheap NFC readers ($10–$50) or apps like NFC Tools.
- Real use: Rare – mostly for loyalty cards, access badges, or old magstripe fallback (phasing out).
- Example: Attacker walks past victim in crowd → reader grabs PAN/expiry → used for CNP fraud (low-value, and only at merchants that do not require CVV2).
Why ineffective: Modern EMV contactless uses dynamic data. For every transaction the card computes an ARQC, a MAC over the amount, the terminal's unpredictable number and the card's own transaction counter (ATC) under a key that never leaves the chip; the issuer recomputes it and also rejects a reused ATC, so a captured cryptogram cannot be replayed and a card without the key cannot produce a valid one.
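The following is an added example, not code from the original page or from any of the vendors it cites. It parses a constructed READ RECORD response the way a PN532-class reader would see it, showing that PAN and expiry are in the clear but nothing else is, then models the ARQC exchange: HMAC-SHA256 stands in for the EMV 3DES/AES MAC, the per-card key derivation is simplified, and the issuer master key, PAN, record bytes and amounts are all made up. The issuer check demonstrates the two failures the text describes: a replayed cryptogram is rejected on the ATC, and a "clone" built from the skimmed record fails because it has no key.

```python
"""Added example, not from the original page: what a passive NFC read yields and
why it cannot become a working EMV card. Part 1 parses a constructed READ RECORD
response (BER-TLV) as a PN532-class reader sees it. Part 2 models the ARQC with
HMAC-SHA256 standing in for the EMV 3DES/AES MAC; key, PAN and bytes are made up."""
import hashlib
import hmac
from typing import Dict


def parse_tlv(data: bytes) -> Dict[str, bytes]:
    """Minimal BER-TLV: 1/2-byte tags, short/long lengths, constructed tags flattened."""
    out: Dict[str, bytes] = {}
    i = 0
    while i < len(data):
        first, tag = data[i], data[i:i + 1]
        i += 1
        if first & 0x1F == 0x1F:                 # two-byte tag such as 5F20
            tag, i = tag + data[i:i + 1], i + 1
        length = data[i]
        i += 1
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value, i = data[i:i + length], i + length
        if first & 0x20:                         # constructed (e.g. tag 70): descend
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out


def decode_track2(t2: bytes) -> Dict[str, str]:
    """Track 2 equivalent data: PAN, 'D', YYMM, service code, discretionary (iCVV), 'F' pad."""
    digits = t2.hex().upper().rstrip("F")
    pan, rest = digits.split("D")
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


# Constructed READ RECORD response: tag 70 wrapping tag 57 and tag 5F20, then SW 9000.
CARD_RECORD = (b"\x70\x1F"
               + b"\x57\x11" + bytes.fromhex("4111111111111111D25122010000001234")
               + b"\x5F\x20\x09" + b"CARD/TEST"
               + b"\x90\x00")


def passive_read(response: bytes) -> Dict[str, str]:
    """Everything a walk-by reader learns: the record, no CVV2, no key, no cryptogram."""
    fields = parse_tlv(response[:-2])            # strip the status word
    info = decode_track2(fields["57"])
    info["name"] = fields["5F20"].decode()
    return info


ISSUER_MASTER_KEY = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")   # constructed


def derive_card_key(imk: bytes, pan: str) -> bytes:
    """Per-card key from the issuer master key (simplified derivation)."""
    return hmac.new(imk, pan.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, amount: int, un: int, atc: int) -> bytes:
    """ARQC over amount, terminal unpredictable number and card ATC."""
    return hmac.new(key, f"{amount:012d}|{un:08X}|{atc:04X}".encode(), hashlib.sha256).digest()[:8]


class Card:
    """Genuine card: holds the key and increments the ATC on every GENERATE AC."""
    def __init__(self, pan: str, key: bytes) -> None:
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, amount: int, un: int):
        self.atc += 1
        return self.atc, cryptogram(self.key, amount, un, self.atc)


class Issuer:
    """Host: recomputes the ARQC and requires a strictly increasing ATC per PAN."""
    def __init__(self, imk: bytes) -> None:
        self.imk, self.last_atc = imk, {}

    def authorize(self, pan: str, amount: int, un: int, atc: int, arqc: bytes) -> str:
        if not hmac.compare_digest(cryptogram(derive_card_key(self.imk, pan), amount, un, atc), arqc):
            return "DECLINE: bad cryptogram"
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE: ATC replay"
        self.last_atc[pan] = atc
        return "APPROVED"


def demo() -> Dict[str, str]:
    """Genuine purchase, replay of the captured cryptogram, clone built from the skimmed record."""
    skimmed, issuer = passive_read(CARD_RECORD), Issuer(ISSUER_MASTER_KEY)
    genuine = Card(skimmed["pan"], derive_card_key(ISSUER_MASTER_KEY, skimmed["pan"]))
    atc, arqc = genuine.generate_ac(1250, 0xA1B2C3D4)
    results = {"genuine": issuer.authorize(genuine.pan, 1250, 0xA1B2C3D4, atc, arqc),
               "replay": issuer.authorize(genuine.pan, 1250, 0xA1B2C3D4, atc, arqc)}
    clone = Card(skimmed["pan"], bytes(32))      # attacker has PAN/expiry but no key
    atc, arqc = clone.generate_ac(1250, 0x11223344)
    results["clone"] = issuer.authorize(clone.pan, 1250, 0x11223344, atc, arqc)
    return results


if __name__ == "__main__":
    print(passive_read(CARD_RECORD))
    print(demo())
```

The same reasoning applies to the "write to blank card" step in section 3 below: the skimmed record contains everything a passive reader can get, and none of it lets the clone answer GENERATE AC correctly.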
2. Relay Attacks (Active MITM – 3–7 % Success)
Mechanics: Two devices joined by a link:
- "Proxy reader" near the victim talks to the victim's card (in the malware variants below, the victim's own phone plays this role).
- "Proxy tag" near the legitimate terminal emulates the card (Android HCE) and relays every APDU the terminal sends, in real time (Bluetooth/WiFi/internet), to the proxy reader; the card's responses travel back the same way.
- The added round trip must stay inside what the terminal tolerates, typically quoted as <150–200 ms end to end; relay-resistant terminals apply much tighter per-command timing (see countermeasures below).
2025 Variants:
- Classic relay: Two Android phones + NFCGate (or a Proxmark on the reader side); the attacker controls both ends.
- Ghost Tap: No malware on the victim. Stolen card data is enrolled in a mobile wallet on a mule phone and relayed with NFCGate to a second phone tapping at a terminal anywhere in the world (ThreatFabric).
- SuperCard X / NGate / RatOn: Malware on the victim's phone acts as the proxy reader and relays the victim's physical card to the attacker. Reported campaigns: NGate in Czechia (ESET), SuperCard X in Italy (Cleafy), RatOn in Czechia/Slovakia (ThreatFabric), NGate-family relay tooling against Russian bank customers (F6).
- Step-by-step (SuperCard X/NGate – most active 2025 variant):
- Victim tricked via phishing/SMS/call into installing "bank/security" app.
- App requests NFC permission.
- Attacker calls → "tap card to verify" (the fake app often asks for the PIN as well).
- Attacker's phone at the POS/ATM (HCE) receives the terminal's APDUs and forwards them to the malware, which passes them to the card held against the victim's phone and returns the card's responses.
- Attacker taps at POS/ATM → transaction completes (cash withdrawal if the PIN was phished).
Real numbers last 30 days (ThreatFabric/ESET/Resecurity):
- Success: 3–7 % (requires victim cooperation + an old terminal without relay-resistance checks).
- Highest hit: $42K (offline POS).
- Campaigns: SuperCard X (Italy), NGate (Czechia), RatOn (Czechia/Slovakia), PhantomCard (Brazil).
Countermeasures (why declining):
- Distance bounding / relay resistance – the terminal times a dedicated command exchange and rejects a response outside the card's declared window (EMV contactless kernel relay-resistance protocol, e.g. Mastercard RRP; UWB ranging serves the same purpose on phones where reader and device support it) – 98 %+ block.
- Motion sensors – 95 %+ block.
- Latency analytics – flags responses slower than the expected ~150 ms window – 96 %+ block.
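To make the timing argument concrete, here is an added simulation (not from the original page or any vendor report) of a relay attack against a simplified relay-resistance check. Terminal, card and the two relay proxies share one virtual clock, so the result is deterministic and runs offline. The command layout is loosely modelled on the EXCHANGE RELAY RESISTANCE DATA exchange of Mastercard's RRP, but the INS byte, the 3 ms card processing time, the 5 ms declared bound, the 0.5 ms tolerance and the 2 ms / 80 ms link latencies are all assumptions for illustration; real cards declare their timings in 100 µs units and the entropy also feeds into the cryptogram, which is omitted here.

```python
"""Added example, not from the original page: a relay attack against a simplified
EMV relay-resistance check. All parties share a virtual microsecond clock, so the
timings are deterministic. INS byte and every timing constant are assumptions."""
import hashlib
import os
from typing import Callable, Dict, Tuple

Transport = Callable[[bytes], bytes]   # one APDU in, one response out
SW_OK = b"\x90\x00"
SW_INS_NOT_SUPPORTED = b"\x6D\x00"
INS_RRD = 0xEA                          # assumed INS for the relay-resistance exchange


class Clock:
    """Virtual microsecond clock shared by every party."""
    def __init__(self) -> None:
        self.now_us = 0

    def advance(self, us: int) -> None:
        self.now_us += us


class Card:
    """Contactless card that declares how long it needs to answer INS_RRD."""
    def __init__(self, clock: Clock, secret: bytes, processing_us: int = 3000,
                 declared_max_us: int = 5000) -> None:
        self.clock, self.secret = clock, secret
        self.processing_us, self.declared_max_us = processing_us, declared_max_us

    def transceive(self, apdu: bytes) -> bytes:
        self.clock.advance(self.processing_us)       # time the chip itself needs
        if apdu[1] != INS_RRD:
            return SW_INS_NOT_SUPPORTED
        terminal_entropy = apdu[5:9]
        device_entropy = hashlib.sha256(terminal_entropy + self.secret).digest()[:4]
        return device_entropy + self.declared_max_us.to_bytes(2, "big") + SW_OK


def relay(card: Transport, clock: Clock, one_way_us: int) -> Transport:
    """Proxy tag (HCE phone at the terminal) + proxy reader (at the victim),
    joined by a link that costs one_way_us in each direction."""
    def forward(apdu: bytes) -> bytes:
        clock.advance(one_way_us)                    # terminal -> victim side
        response = card(apdu)                        # proxy reader queries the real card
        clock.advance(one_way_us)                    # victim side -> terminal
        return response
    return forward


class Terminal:
    """Terminal side: times the exchange and compares it with the declared bound."""
    def __init__(self, clock: Clock, tolerance_us: int = 500) -> None:
        self.clock, self.tolerance_us = clock, tolerance_us

    def relay_resistance_check(self, card: Transport) -> Tuple[bool, int]:
        terminal_entropy = os.urandom(4)
        start = self.clock.now_us
        response = card(b"\x80" + bytes([INS_RRD]) + b"\x00\x00\x04" + terminal_entropy + b"\x00")
        elapsed = self.clock.now_us - start
        if response[-2:] != SW_OK:
            return False, elapsed
        declared_max = int.from_bytes(response[4:6], "big")
        return elapsed <= declared_max + self.tolerance_us, elapsed


def run_scenarios() -> Dict[str, Tuple[bool, int]]:
    """Direct tap versus relay over a local radio link and over the internet."""
    results: Dict[str, Tuple[bool, int]] = {}
    for name, one_way_us in (("direct", 0), ("bluetooth_relay", 2000), ("internet_relay", 80000)):
        clock = Clock()
        card = Card(clock, secret=b"constructed-card-secret")
        path = card.transceive if one_way_us == 0 else relay(card.transceive, clock, one_way_us)
        results[name] = Terminal(clock).relay_resistance_check(path)
    return results


if __name__ == "__main__":
    for name, (ok, elapsed_us) in run_scenarios().items():
        print(f"{name:16s} {elapsed_us:7d} us  {'PASS' if ok else 'REJECT (relay suspected)'}")
```

The point the simulation makes is that the bound is per command, not per transaction: a generic 150–200 ms transaction timeout leaves room for a Bluetooth hop, whereas a declared response window of a few milliseconds does not, which is why the malware campaigns above succeed mainly at terminals and ATMs that do not run such a check.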
3. Malware-Assisted Skimming (SuperCard X / PhantomCard / RatOn – 3–6 % Success)
Mechanics: Malware on the victim's Android turns the phone into an NFC reader → captures data when the victim taps.
2025 Examples:
- SuperCard X (Chinese-speaking MaaS built on NFCGate) – Italy (Cleafy/Resecurity).
- NGate – Czechia (ESET); NGate-derived tooling later reported against Russian bank customers (F6).
- PhantomCard – Brazil (ThreatFabric); RatOn – Czechia/Slovakia (ThreatFabric).
Step-by-step:
- Phishing → install fake "bank/security" app.
- App runs in the background → waits for an NFC tap.
- Victim taps card → malware captures the static card data (Track 2 equivalent: PAN, expiry, service code) and the PIN if the fake app asked for it.
- Data sent to C2 and, in the same session, the card's APDU responses are relayed live to an attacker phone at an ATM/POS. The static data cannot be written to a working chip card (the card's keys are never exposed, so the ARQC cannot be forged); monetisation is the live relay, or a magstripe clone for fallback where an issuer still accepts it.
Real numbers: $5–$10M losses per campaign (Resecurity/ESET 2025).
4. Deep Insert / Hardware Shimming (Legacy – <2 % Success)
Mechanics: Ultra-thin shimmer (0.1–0.3 mm) inserted into the contact-chip slot of an ATM or POS records the APDU exchange between the inserted chip and the terminal. This is a contact-chip attack, not an NFC one; it is listed here because it targets the same EMV data.
2025 Reality:
- Works on old terminals only.
- Captures the static data (Track 2 equivalent with iCVV) plus ARQCs that are useless for replay; the historical payoff was magstripe clones at issuers that failed to check the iCVV, and CNP fraud at merchants not requiring CVV2.
- Success: <2 % – most terminals have anti-shim sensors + internal scanners, and issuers that verify the iCVV reject the clones.
5. Social Engineering + Forced Tap (Most Common 2025 Variant – 4–8 % Success)
Mechanics: Attacker convinces the victim to tap their card on the infected phone (fake "verification"); the phone relays the card to the attacker's device at an ATM or POS.
Real campaigns: SuperCard X (Italy), NGate (Czechia) – millions in losses.
Overall 2025 Status
- Traditional skimming: Dead for EMV payments – dynamic cryptograms; captured static data is worth low-value CNP fraud at best.
- Relay/malware variants: Active but limited (3–8 % on old terminals).
- Highest risk regions: Mexico, Brazil, DR (legacy POS/gas pumps, fallback fraud); Italy, Czechia, Russia (malware-assisted relay campaigns).
- Global trend: Declining rapidly – 40 % drop expected 2026 with no-fallback rules + cloud auth.
How to Protect Yourself (Practical Tips 2025)
- RFID-blocking wallet/sleeve ($10–$30) – blocks unauthorized reads of the static card data.
- Disable NFC when not needed (Android: Settings → Connections; iOS has no global NFC switch).
- Enable biometric lock on Apple Pay/Google Wallet.
- Never tap your card on someone else's phone or "verification" device, and never follow "verify your card" calls – every 2025 relay campaign depends on this step.
- Install banking apps only from the official app store; a "security" or "bank" app delivered by SMS, call or link is the delivery channel for SuperCard X and NGate.
- Monitor transactions in real time via your bank app.
- Chip insert is not safer than contactless: both use the same dynamic cryptogram, and shimmers target the insert slot. Where you distrust the terminal, a mobile wallet (tokenized PAN, biometric lock) is the most conservative choice.
NFC/contactless payments remain very secure for normal use in 2025 – risks are edge cases fixed rapidly.
Stay informed!