Good Carder
In 2026, the battle between payment card protection and attack has reached a new level. Outdated skimming methods, which relied on magnetic stripe scanning, are gradually becoming a thing of the past. More sophisticated technologies are emerging — relay attacks on contactless payments, EMV protocol degradation, and the use of Trojans to steal digital tokens. This article maps a new reality, where a phone app can be more dangerous than an ATM skimmer, and access to an app's one-time code is more valuable than the card itself.
Part 1: Debunking Myths About Magnetic Stripes and Contactless Payments
The common man's biggest fear is classic RFID skimming, when someone with a handheld reader steals card data through a pocket or bag. By 2026, this myth has been debunked.
"EMV contactless payment technology, which is built into all modern Visa, Mastercard, American Express, and Discover cards, is built on two-way cryptographic authentication. Each transaction generates a unique cryptographic token, rather than simply transmitting the card number. Passive RFID skimming against modern contactless cards is virtually impossible. Statistically documented losses from this type of attack are indistinguishable from zero."
The problem is no longer passive reading, but active long-range retransmission of the card signal (NFC relay) and digital attacks on cards.
Magnetic stripe data (tracks 1 and 2) is still present on cards and is their Achilles' heel. Skimmers designed to steal this data are thriving. The skimming device market continues to grow and is projected to reach $5.3 billion by 2030. The primary threat is the hacking of devices where the card is physically inserted into a slot (ATMs, gas stations), as well as the ability to clone a compromised card onto a blank piece of plastic.
Part 2. NFC Relay Attacks: A New Threat Graph
The most dangerous attack vector against contactless cards is a relay attack. It involves a carder creating a "digital bridge" by amplifying and retransmitting the signal between the victim's card and the payment terminal. To achieve this, malware, such as NGate or CraxsRAT, is installed on the smartphones of the victim and accomplice, rerouting the NFC signal.
Statistics show an unprecedented surge in such attacks. In the first four months of 2026, Kaspersky blocked over 35,600 attacks using NFC malware — almost three times more than in the same period last year.
The basic attack scheme is:
- Malware installation. Using phishing SMS messages or fake websites, victims are lured into installing an app (for example, fake banking software or a "lottery"), which actually contains a malicious NFC component. In 2026, carders went further, hacking and patching legitimate NFC apps from app stores, injecting them with AI-generated malware.
- Data collection. The malware activates NFC interception and begins collecting card data.
- Relay. This data is transmitted to the drop device. Researchers revealed that the attacks use a modified version of the open-source tool NFCGate, which intercepts, relays, and even replays terminal commands and card responses.
- Fake payment. The mule holds their smartphone to the terminal, mimicking a card, and commits the theft. The entire transaction occurs in real time: while the victim sits quietly at home, their card token is used for payment. Importantly, this malware can operate without root access, which makes mass infection possible.
One analysis also identified a vulnerability where malware fakes a successful payment, but queues it and debits the funds later when you're not using your phone.
The threat of tokenization (Apple Pay, Google Pay). Carders 3.0 no longer clone cards, but tokenize them — that is, they obtain a unique token from the issuer, which allows them to add the stolen card to a digital wallet on their phone through phishing campaigns.
Part 3. Card Cloning: New Variations on an Old Theme
Modern cloning relies on data theft using shimmers — thin devices that are inserted deep into a card slot to read the chip.
- Skimmers (classic) hunt for the magnetic stripe.
- Shimmers are paper-thin, no thicker than a credit card; they are inserted into the device and read the EMV chip data during a transaction.
EMV-bypass cloning technology is developing on this basis. Carders steal data from the EMV chip via a shimmer (which reads the "track equivalent" of the data) and transfer it to the magnetic stripe of a counterfeit (more primitive) card. This clone will work if the terminal supports magnetic fallback.
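A defender's view of the fallback dependency described above, as an added example that is not part of the original post: an issuer-side check that flags chip cards presented by magnetic stripe. The entry-mode values are the commonly used ISO 8583 field 22 codes; the `Auth` record, the decision names and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass

# ISO/IEC 7813 service code: first digit 2 or 6 means the card has a chip.
CHIP_SERVICE_DIGITS = {"2", "6"}
# Widely used ISO 8583 field 22 (POS entry mode) values, first two digits.
ENTRY_CHIP = {"05", "07"}       # contact chip, contactless chip
ENTRY_STRIPE = {"02", "90"}     # magnetic stripe read
ENTRY_FALLBACK = {"80"}         # chip could not be read, stripe used instead


@dataclass
class Auth:                     # hypothetical record shape for this example
    track2: str                 # PAN, separator, YYMM expiry, service code, ...
    entry_mode: str             # field 22 as received from the acquirer
    terminal_chip_capable: bool


def service_code(track2: str) -> str:
    """Extract the 3-digit service code; separator is '=' (stripe) or 'D' (tag 57)."""
    body = track2.strip(";?").upper().replace("D", "=")
    _pan, sep, rest = body.partition("=")
    if not sep or len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed track 2 data")
    return rest[4:7]


def assess(auth: Auth) -> str:
    """Return 'chip', 'magstripe', 'review' or 'decline' for one authorization."""
    mode = auth.entry_mode[:2]
    try:
        chip_card = service_code(auth.track2)[0] in CHIP_SERVICE_DIGITS
    except ValueError:
        return "decline"
    if mode in ENTRY_CHIP:
        return "chip"           # cryptogram checks happen elsewhere
    if mode in ENTRY_FALLBACK:
        return "review" if chip_card else "decline"
    if mode in ENTRY_STRIPE:
        if not chip_card:
            return "magstripe"
        # Chip card swiped: a chip-capable terminal should have used the chip.
        return "decline" if auth.terminal_chip_capable else "review"
    return "review"             # entry modes this example does not model


# Constructed sample (test PAN, not a real card): chip card swiped at a chip terminal.
SAMPLE = Auth("4000000000000002=30122010000000000", "901", True)
```

Declining stripe reads of chip cards at chip-capable terminals removes the condition the clone depends on; declared fallbacks are sent to review because a damaged chip is a legitimate cause.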
A paper by the researchers, presented at WOOT '13, describes a hypothetical scenario for a combined "Pre-play and Downgrade Attack," which allows for the creation of a functional clone of an EMV card with pre-generated authorization codes.
Part 4. The Underestimated Threat: Malware and PIN Theft
In 2026, a carder's ability to withdraw cash from an ATM after stealing card data became a reality thanks to software that now steals not only data but also PINs.
The new threat lurks in iOS apps masquerading as banking tools, exploiting Apple's Live Activity feature to display fake login windows. The malware also includes overlays for banking apps and SMS interception.
Part 5: The Underground Market for Skimmers and Tracks (2026)
Identifying illegal equipment is easy if you know where to look. Sellers on darknet forums are embracing the "Carding-as-a-Service" concept and selling physical skimming devices all in one place. They also sell ready-made tracks and "dump data" (tracks 1 and 2) for cloning, as well as verification services.
Price: For $300, you can buy a ready-made ATM skimming kit, including a card reader overlay, a PIN overlay for storing passwords, and a Bluetooth module for remote data downloading.
Part 6. Protection: What's changed and what to do
Old security methods are obsolete. New ones are just emerging. The security ecosystem of 2026 is a complex of physical, digital, and behavioral barriers.
Physical barrier. RFID-blocking wallets are now useless against EMV hacking. The threat comes from other vectors, such as installing malicious apps. The rise of malware and phishing threats means that a wallet won't protect you if you install a Trojan on your phone yourself.
Technological innovation. Financial institutions and phone manufacturers are implementing suspicious activity monitoring that analyzes user behavior and processor-level encryption (Secure Enclave), which prevents key compromise even when iOS is jailbroken.
Analysts have rightly observed: "A hacker today is more likely to steal money by sending you a fake SMS from a 'bank security service' asking you to install a new security app than by using an expensive RFID reader in a crowded place."
Summary and checklist
In the era of 3DS and contactless payments, skimming is not a dying industry, but a mutating one.
- NFC relay attacks via NGate and CraxsRAT are the leading surgical theft vector in 2026, targeting smartphones.
- Card cloning is no longer tied to the magnetic stripe. Shimmers are moving ever closer to the chip, and "EMV-Bypass Cloning" allows the chip data to be transferred to a standard magnetic stripe card.
- The sale of skimmers and track data has become a darknet service available to anyone with crypto.
A quick one-liner:
RFID blocking is for the paranoid of the past. 2026 is the year of smartphone malware, tokenization, and NFC-based theft.