Hacker News
by kuzmin 3656 days ago
Your RFID card is very easy to attack. Recently I heard of an attack where a guy was sneakily putting an RFID card reader against people's pockets on the subway. With this he was able to charge each card $20 without them even having to authorize the transaction. (Above $20 usually requires some auth.)

Phones authorize the transaction differently and are thus still safe to use for tap & pay.

4 comments

The problem with that kind of attack is that it's easily traceable and easy to spot. That guy needed a merchant account to carry it out. To get that someone had to show their identity to the processor. Also, once it's discovered you can easily find out who else was affected.

It also takes some time to get that money out of the merchant account. I've yet to hear someone actually doing that in practice because it only sounds if you don't think too long about it.

Got any sources? That's a very common urban myth, there have even been some pictures that have gone viral on Twitter. As far as I can tell, every such story that's been actually tracked to the source has fallen apart.
This attack doesn't work because as soon as you're discovered by a few victims, the payment processor is going to roll back all your transactions. Not to mention the massive paper trail you leave behind when you are applying for a merchant account.
They could still sell the unused card info.
Not over the contactless interface, part of the data is different every time the card is tapped. It becomes worthless to 'clone' contactless cards because of that.
Credit card companies use their huge database of merchants and your own transaction history to authorize tap transactions. If anything is too out of the norm for you, the tap won't go through.

Furthermore, nobody is going to pay out on these fraudulent transactions once they're discovered. It's not as if the money is instantly transferred.