Attacks on in-car payment systems (car sharing, paid parking, gas stations)

[Good Carder]

From carder to carders. Do you think carding is just about hit CVV information on websites and skimming ATMs? In 2028, the real money is in the infrastructure you use every day without even thinking about it: in parking lots, gas stations, car sharing, and electric vehicle charging stations. Payment systems here are weaker, controls are poorer, and the flow of payments is enormous. No one checks who opened the barrier, whose card paid for gas, or who drove away in a rental car.

In this article, I'll tell you how to cheat in-car payment systems. You'll learn how to emulate a transponder signal to pass through any barrier for free, how to spoof NFC terminals at gas stations and charging stations, how to hack car sharing apps and ride at someone else's expense, and how to withdraw money through fuel and parking payment systems.

Part 1. Transponder signal emulation: free passage through barriers and gates​

Modern parking lots and toll roads are controlled by transponder recognition systems — small devices attached to the windshield. The transponder's signal can be intercepted, copied, and emulated. Then the barrier will rise for you, as if for a privileged few, debiting money from someone else's account.

The difference between RFID tags (125 kHz for intercoms) and UHF tags (860–960 MHz for barriers) is that RFID tags operate over a short range (up to 10 cm) and are easily emulated by a smartphone. UHF tags have a range of up to 10 meters, use more complex encryption, and require special devices.

1.1. The classic approach: intercepting the remote control signal​

The easiest way is to intercept the signal from the radio remote control that residents use to open the barrier.

What you need:

• Flipper Zero ($170) is a device that can read, copy, and emulate radio signals at frequencies of 300–928 MHz, as well as RFID tags and NFC cards. It supports emulation of RFID chips for access to intercoms and barriers at frequencies of 125 kHz.
• The CC1101 module for Arduino or Raspberry Pi is a low-cost alternative, but requires programming skills.

Algorithm:

1. Wait until the tenant opens the barrier with his remote control.
2. Set Flipper Zero to Sub-GHz mode → Read RAW. The device will intercept the signal and save it to memory.
3. Press Emulate. Bring Flipper Zero close to the barrier receiver — the gate will open.

Older systems use a fixed code (static code), which can be intercepted once and reused indefinitely. Modern systems (since 2020) use a dynamic code (rolling code), which changes with each keypress. These remotes are more difficult to emulate, but some models (for example, the CAME 24bit at 433.88 MHz) still have vulnerabilities.

1.2. Emulating RFID and UHF tags via Flipper Zero and a smartphone​

Many parking lots and gated communities use RFID tags that are tapped to a reader. These tags can be copied.

Flipper Zero handles this task easily: it can read data from intercom keys, office passes, and other RFID tags, save it, and emulate it for seamless access. RFID tags operate at a frequency of 125 kHz, and Flipper Zero supports their emulation. Emulation

of UHF tags (long-range identification) is more complex. Many modern long-range barriers use UHF RFID technology with a frequency of 860–960 MHz, encryption, and linking to the vehicle registration plate. However, knowing the tag's UID (serial number), you can order a duplicate from Chinese manufacturers for $5–10, which will work in any system that lacks cryptographic authentication.

RFID emulation via an Android smartphone:

• BAS-IP UKEY is the official app that turns your smartphone into a mobile identifier for BAS-IP access systems, supporting the opening of barriers, gates, and intercoms via Bluetooth or Wi-Fi.
• FlipperDroid is an open-source Android app that emulates Flipper Zero directly on your phone. It supports reading and emulating NFC, RFID (125 kHz), Bluetooth, as well as BadUSB and network tools.

Telegram bots for remote access: Closed Telegram channels sell bots for remotely opening barriers in large cities. You pay $20–50 for a "key," which operates via smart home system APIs or exploits vulnerabilities in the access control system's web interfaces.

1.3. Attack on system databases​

The most obvious and dangerous method is to gain direct access to the parking access control system database (e.g., ParkMobile, ParkWhiz, or local operators).

In 2025, over 1,800 critical and high-level vulnerabilities were discovered in transportation apps and systems. Many parking systems use SQLite databases with simple passwords that are easily brute-forced.

If you manage to obtain a UHF tag database dump containing the UID, you can mass-produce the cards and sell parking access in Telegram channels for $10–$30 each.

Part 2. Interception of payments through gas stations, charging stations, and NFC skimming​

Gas stations are a favorite target for carders. Contactless payments via NFC have become the primary payment method. Under new regulations, since May 2026, contactless cards and NFC-enabled smartphones have become the preferred payment method at most gas stations, simplifying the attackers' operations.

This creates new opportunities for carders, from installing skimmers to relay attacks. Since early 2026, researchers have identified new Android malware families, including DevilNFC and NFCMultiPay, actively conducting NFC relay attacks against European banking clients. Electric vehicle charging stations are even easier prey, as they are often located in secluded areas and have weak security.

2.1 NFC Relay: Ghost Tapped, DevilNFC, and NGate​

This is the most advanced and effective theft method. You turn the victim's phone into your personal contactless terminal.

How Ghost Tapped works:

1. The victim downloads a malicious application (disguised as a banking application or game).
2. The malware activates the phone's NFC chip in the background and listens for signals from cards placed on the phone. According to the CSIRT, the malware can surreptitiously activate NFC and initiate payment processes without the user's consent.
3. The carder uses the card data to make transactions through a controlled terminal, emptying the victim's account in seconds.

DevilNFC is another Android Trojan family discovered in 2026. It uses NFC relaying to commit remote payment fraud. In kiosk mode, the app locks the victim's phone screen, displaying a fake interface, and silently intercepts payment data for relaying to an accomplice standing at the terminal.

NGate is a modified version of the legitimate HandyPay NFC app. The malicious code allows carders to relay NFC signals from the victim's cards over any distance via the internet. One of the latest modifications of NGate is that part of the malware code is generated by AI.

NFC skimming: Installing a fake NFC reader over the legitimate one at a gas station terminal. As of 2026, carders are using drilled holes in contactless payment screens to damage the sensor and force drivers to use unsafe magnetic strips.

2.2. Hacking Electric Vehicle Charging Stations​

Charging stations are a vulnerable segment of the payment infrastructure. They are poorly protected and located in secluded areas.

Quishing (fake QR codes): Carders affix fake QR codes over real ones at charging stations. Drivers scan the code, are redirected to a phishing page, and enter their card details. This is how thousands of CVVs are collected daily.

Relay attack on the ISO 15118 Plug & Charge protocol: An exploit that allows users to charge their electric vehicle at someone else's expense. The attacker builds a fake charging station, connects it to the victim's car, and relays cryptographic authentication to the real station. The car owner pays, and the fraudster charges.

Zero-day vulnerabilities at Pwn2Own Automotive 2026: In January 2026, participants hacked numerous charging stations, including the Alpitronic HYC50, Autel MaxiCharger, Grizzl-E Smart 40A, and ChargePoint Home Flex. Over $1,047,000 was paid out for 76 vulnerabilities. In just two days, 37 vulnerabilities were found in Tesla vehicles and other charging stations.

Exploits: For example, vulnerability CVE-2026-9396 in the BS20 charging station allowed a carder to manipulate the display of payment information on the station's screen, replace the amount, or redirect the transaction to a fake account.

Part 3. Attacks on mobile carsharing apps: Riding at someone else's expense​

Car sharing is a gold mine for carders. You're not stealing card details; you're stealing an account, and with it, access to a car. Thousands of people leave their passport information, driver's license numbers, and bank card details in apps every day.

Most car sharing apps are unprepared to withstand malware, and scammers are already selling car sharing accounts.

3.1. Vulnerabilities of Car Sharing Apps​

Unprotected storage of sensitive data. Experts have identified over 400 vulnerabilities in 13 popular car-sharing apps, 25 of which are high-level. About a third of all analyzed transport apps store sensitive data, including passwords and payment information, in unencrypted form.

Insufficient protection against app overlays. This vulnerability allows malicious apps to display phishing windows over the legitimate car-sharing interface and steal user credentials.

Insecure API. Many services use the outdated OAuth 1.0 protocol with weak keys or open REST APIs without authentication. In 2026, AI-related API vulnerabilities were recorded to increase by 1025%, most of which are related to insecure authentication and incorrect configurations.

Danger:

• A hacker can intercept an API request, change the VIN of a rental car, and drive it for free.
• Access restricted areas via geolocation APIs.
• Steal all user data via vulnerability CVE-2026-24748, which allows an unauthorized carder to extract configuration data, including endpoints and cluster namespaces, for subsequent attacks.

3.2. Hacking a car's CAN bus through a headlight​

Modern cars have multiple access points for carders: CAN buses, OBD ports, Ethernet ports, NFC modules, Wi-Fi/Bluetooth chips, and LTE modems. An example is hacking the CAN bus through the headlight to access the engine starting system.

Here's how it works:

1. The carder gains physical access to the headlight of a car (rented through carsharing).
2. Connects to the CAN bus via the diagnostic connector in the headlight.
3. Injects malicious code that unlocks the doors and starts the engine remotely.

After such a break-in, the car can be stolen (or simply used for a free ride), the GPS tracker can be disabled, and the tracks can be covered. The rental company will only discover the loss after the car has been dismantled for parts.

3.3. Monetization schemes: from card theft to account sales​

• Stealing card data. Installing malware on a carsharing employee's phone, stealing the database, or attacking the API.
• Account sales. A verified car-sharing account (Yandex.Drive, Delimobil, BelkaCar) costs $20–50. For this price, a person receives a ready-made account with verified rights and a linked card, which can be used as long as the victim doesn't notice.
• Changing the payment account. Using the carsharing API, you can change the linked card to your own. Then, all trips for the new user will be paid for with the previous owner's card.
• Traveling abroad. Some Russian car-sharing services restrict travel outside the Moscow Ring Road. By hacking the geofencing system, you can disable this restriction and ride for free until the service detects an anomaly.

Part 4. OPSEC and the Attacker's Checklist​

Physical Security:

• Use a car (rented or your own). Attacking from a moving vehicle is the best camouflage. Turn on jammers, but be aware that they emit a powerful signal that can be detected.
• Equipment concealment. The Flipper Zero should be hidden in the armrest or under the dashboard. Use the hidden OBD port to connect to the CAN bus.
• Vary your vehicles. Don't use the same vehicle for attacks in the same area more than 2-3 times.

Digital Security:

• Always use a VPN/proxy. Register for car sharing through a proxy in the country where your account is registered.
• To work with the API, use the Tor → VPN → residential proxy chain.
• After the attack, delete all logs, clear the application cache, remove malicious profiles, and reinstall the system.

Summary​

Attacks on in-car payment systems are a new gold mine for carders. Flipper Zero is cheap and opens barriers, NFC Trojans relay signals from phones to ATMs, and car-sharing API vulnerabilities sell cars for next to nothing.

In 2026, technology has advanced: AI helps hack charging stations, and the millions in prize money at Pwn2Own confirm the seriousness of the threats. Remember the main rule: don't be greedy. One barrier, one gas station, one stolen car-sharing account. The fewer traces you leave, the longer you'll survive in this game.

A quick one-line reminder:
"Flipper Zero emulates any RFID tag, Ghost Tapped steals NFC payments from a phone, and a car-sharing API sells a car for half price. Charging station vulnerabilities break payment logic." DevilNFC, NGate, ISO 15118 relay — these are your weapons in 2028. And remember: while you're driving someone else's car, the owner pays for the gas."