'Tap-to-pay' charged credit cards through bags, pockets at restaurants, stores (abc7.com)
13 points by lxm on April 22, 2023 | 13 comments


I don't use tap to pay so I decided to do away with that attack vector entirely. If you shine a flashlight through your card you can see where the antenna traces go. One hole punch later and I don't have to worry about it at all. These stories about cards being read from several feet away sound like bullshit. I am more concerned that if I leave my card somewhere it could be picked up and used for several small purchases before hitting the tap to pay limit. We just now got to move past signature-based transactions to chip and PIN, so why they would immediately add a feature that bypasses the PIN is beyond me.


Is this weird American propaganda to cover up the fact that third world countries are 20 years ahead of them in technology?


>The store's "tap-to-pay" system charged not only one, but three credit cards tucked in a wallet inside her purse.
>
>"I haven't taken them out of my purse yet. What are you talking about?" said Cesari. "I'd say I was two feet away at that point, for sure."

Not in a million years. Long-distance NFC requires a large, tuned antenna — and with collisions due to multiple cards being in the field, forget about it.


The way this story is written, and the quotes they’ve pulled from people, makes it sound like tap to pay is this magical radio-wave daemon creeping around stealing your money.


Two feet? Multiple cards at once?

That must be some sort of super card reader.


It usually doesn't even immediately register when you rub your phone or card all over the reader. I'm highly suspicious of these claims.


Technically you can do a transaction by holding a mobile EMV payment terminal to someone's card without them knowing (this only works for physical cards, mobile phones need to be unlocked first).

The protection is the fact you just can't get a mobile payment terminal without a whole "know your customer" due diligence process, so the fraud traces directly to the ultimate beneficial owner of the company to which the payment acceptance contract of the payment terminal was provided.

This is the reason this fraud is non-existent in Europe, where tap to pay has already been used for years.


How is this system different to contactless payments all over Europe which have no such problem and have been widely used for years?


The fact that there's a 30 EUR limit per transaction before the terminal spits out a PIN challenge in Europe.


That limit doesn't exist for phone payments.


But then again those payments are not tap-to-pay as they require some form of authentication (e.g. FaceID).


In the UK it's 100 quid now I think.


Tap to pay is a lot better on phones and watches than with actual cards. I use Google Pay basically every time I buy anything.



