Ghost-Tapping: The Emerging Digital Wallet Threat

As mobile payments adoption accelerates, so too does the ingenuity of fraudsters. A growing technique has been reported, known as ghost-tapping, where bad actors add stolen card credentials to digital wallets such as Apple Pay or Google Pay, enabling fraudulent in-store purchases and even cash withdrawals.

This evolution underscores a broader trend: cybercrime-as-a-service, where organized networks distribute phishing kits, burner devices, and malware tools to lower the barrier to entry for fraud. For financial institutions, merchants, and payment providers, the challenge is clear: traditional defenses are no longer enough.

The Mechanics of Ghost-Tapping

Ghost-tapping exploits a critical weakness in the card provisioning process. Once criminals obtain stolen card details, they intercept the one-time authentication codes needed to add those cards to mobile wallets. With this access, they can successfully activate stolen cards inside legitimate wallets, paving the way for later fraudulent transactions.

More concerning is the infrastructure behind the attacks. Syndicates now provide ready-to-use devices, software, and resale channels, creating a sophisticated fraud supply chain that is both scalable and difficult to trace.

The Challenge for Financial Services

Digital wallets are designed for speed and convenience, but this ease of use introduces vulnerabilities:

• Credential interception enables criminals to bypass initial verification.
• Device recycling means fraudulent devices are reused, spreading attacks.
• Anonymized resale markets allow fraudsters to monetize stolen goods quickly.

These risks highlight the need for strong, real-time security at the point of provisioning. If the provisioning step is compromised, every subsequent transaction is already at risk.

How ValidSoft Helps: Securing the Card Provisioning Process

Ghost-tapping takes root not at the checkout terminal, but at the moment of wallet activation, when stolen card credentials are added to Apple Pay, Google Pay, or other digital wallets using intercepted one-time passcodes (OTPs). If this step isn’t secured, every subsequent tap-and-go purchase is already compromised.

ValidSoft’s See-Say™ solution directly addresses this vulnerability with a multi-layered approach:

• Voice-Bound OTP Authentication
  Instead of relying on SMS or app-based codes that can be intercepted, See-Say™ requires the customer to speak the OTP in their own voice. This binds the authentication biometrically to the genuine cardholder, instantly neutralizing intercepted codes.
• Cryptographic Non-Repudiation & Data Immutability
  Each spoken OTP is cryptographically signed and immutably stored. This ensures every authentication attempt is both verifiable and auditable, providing institutions with a tamper-proof record that protects them against fraudulent disputes and supports compliance.
• Active Voice Verification
  Any credential becomes worthless unless spoken by the authentic user’s voice, ensuring only the rightful customer can complete the provisioning process.
• Synthetic Voice & Deepfake Detection
  As fraudsters increasingly turn to AI-generated voices, See-Say™ includes advanced detection to ensure that only genuine customers are verified, blocking attempts to bypass voice-based security.
• Omni-Reach Across Markets and Channels
  Fraud is a global phenomenon, and attacks like ghost-tapping are spreading rapidly across markets. ValidSoft’s technology works seamlessly across regions, jurisdictions, devices, and communication channels, ensuring customers are protected wherever they engage.

By hardening the provisioning step, See-Say™ prevents fraud long before the first fraudulent tap ever takes place. It closes the door to ghost-tapping at its source, keeping digital wallets safe without adding friction for legitimate users.

Building Trust in the Digital Payments Era

Ghost-tapping is just the latest example of how fast fraud evolves. To stay ahead, organizations need more than reactive defenses; they need proactive, adaptive authentication that secures wallet activation without degrading the user experience.

At ValidSoft, our mission is clear: to make digital interactions safer by delivering advanced, user-friendly security that keeps pace with today’s and tomorrow’s fraud threats.