NFC Relay Attack
An attack that extends the range of a near-field communication transaction by relaying signals between a victim's contactless card and a payment terminal, enabling fraudulent transactions.
Also known as: NFC relay fraud, contactless relay attack, RFID relay
Last reviewed: 1 June 2026
Near-field communication (NFC) is designed for very short-range communication — typically a few centimetres — used in contactless payments, access cards, and transit tickets. An NFC relay attack defeats this range limitation by using two devices working in tandem: one device positioned close to the victim's wallet or card (the 'reader' end), and another near a payment terminal the attacker wants to transact at (the 'emulator' end). The two devices communicate via the internet or Bluetooth, effectively relaying the NFC signals across arbitrary distances.
In a payment relay scenario, the attacker's emulator presents itself to a checkout terminal as if it were the victim's card, while the reader silently picks up the NFC signal from the card of a victim standing close to it, for example in a queue or on public transport. The attack is particularly concerning because contactless payments under a threshold do not require a PIN, making them easier to relay.
Mitigations include using RFID-blocking wallets or card sleeves, enabling transaction notifications on bank accounts, and relying on device-based mobile payments (which include cryptographic tokens tied to the specific device) rather than physical cards for contactless transactions.
Examples
- An attacker in a busy market uses one device near a victim's jacket pocket while an accomplice at a shop terminal completes a contactless purchase, with the NFC signals relayed between them.