If I’d told the banks, when I first saw their ads for contactless cards last year, that not having any authentication whatsoever (like a PIN) was a bad idea then I’d be saying “told you so” now.
Initially I thought that the ad with the chap on a waterslide waving his card at the till was a bit of artistic license, but no, you don’t have to type a number or anything. That made me think: if I only have to swipe past the reader, what’s to stop someone swiping a reader past my card?
And of course that has now been found to be possible, especially since the advent of NFC-equipped mobiles that unscrupulous types can simply load an app onto. As an aside, this also provides more evidence for Apple’s defence of its walled garden approach to app purchasing, as such apps could only be loaded onto so-called jailbroken phones (either Apple or Android).
Either way, it’s an issue that many besides myself saw coming, and it’s surprising that the card companies didn’t even seem to consider it to be a problem and still don’t, stating that the information retrieved can’t be used (at least online or in a customer-not-present transaction) without the CV2 code. This doesn’t answer the question of whether this information can be put on a blank card and used that way, as a contactless card.
There are, however, patents in process for systems that prevent this kind of theft, like one that is simply a touch switch that only enables the NFC chip when you have the card in your hand, which is a much better solution than the only current protection, which is to slip your card into a shielded sheath.
Remember to practice safe card use, people.