Stealing money without ever swiping a card has become a new reality, driven by a scam known as “ghost tapping” or “ghost charges.”
This modern form of theft uses wireless technology to secretly capture personal information from credit and debit cards, and even key fobs, without physical contact.
Flipper Zero is a multi-tool device at the center of this issue.
Tracey Birkenhauer, co-owner and principal impact officer at STACK Cybersecurity, based in Livonia, explained that Flipper devices are basically remote controls.
It can open garage doors, control televisions and lights, and even be used for penetration testing to check system security.
The device costs between $150 and $200. However, it can also be used for nefarious purposes.
“This goes beyond card-skimming,” said Rob Moore, director of service and delivery at STACK Cybersecurity. “This could be just a simple tap of a card, and it will steal all the card information, and now that individual has my card.”
The Flipper Zero uses a development board that can detect wireless frequencies, including the 2.4 GHz band, enabling it to scan networks and capture data.
Xzavier Spalsbury, a cybersecurity expert, demonstrated how the device can scan nearby wireless networks, connect to internal networks, and run scripts to capture wireless protocols used for network authentication.
The device can also read RFID and NFC cards, which are commonly used in credit cards and access badges.
“It’s not just about cybersecurity in your networks, in your online systems. It’s also about physical security,” Birkenhauer said. “A lot of companies do not think about physical security, and they absolutely must.”
Proximity is key for ghost tapping. The device must be close enough—usually within a few millimeters—to read the card information.
“If we’re in crowded spaces, we need to be extremely careful because that’s one of the main ways people might do something like bump into you,” said Nakia Mills from the Better Business Bureau.
The Better Business Bureau recommends avoiding tap payments when possible, using RFID-blocking wallets or sleeves, and regularly monitoring bank and credit card statements for suspicious activity.
“People just need to be really careful. This seems to be a newer way with this modern age,” Mills said.
With the holiday season approaching and more people in crowded spaces, experts warn that ghost tapping could become more widespread.
The BBB has not yet received reports from Michigan, but cautions that many victims may not realize they have been targeted.
Flipper Zero claims its device is intended for educational purposes, security testing, and development.
In a statement to Loal 4, the company wrote in part: “While the Flipper Zero can read NFC and RFID cards, it cannot decode the card’s encrypted security code used on credit and debit cards, so they can’t be cloned.”
Still, many Detroit residents expressed concern about the threat.
“That is insane. I can’t even think that this is actually happening, but I’m not too surprised,” Takiyah Vincent said.
At STACK Cybersecurity, Moore demonstrated the device on a work badge and house keys, showing that while some items may be protected, others are vulnerable.
He noted that RFID-blocking wallets can provide protection by creating a barrier that prevents the device from reading card data.
Birkenhauer urged leadership and organizations to take physical and cybersecurity seriously, especially as attacks become more sophisticated.
“We don’t sell STACK Cybersecurity, we sell the concept of cybersecurity,” Birkenhauer said. “This is a homeland security issue. Everyone needs to be concerned about it.”