[gruez]

This attack doesn't work because as soon as you're discovered by a few victims, the payment processor is going to roll back all your transactions. Not to mention the massive paper trail you leave behind when you are applying for a merchant account.

[0xfeba]

They could still sell the unused card info.

[gergles]

Not over the contactless interface, part of the data is different every time the card is tapped. It becomes worthless to 'clone' contactless cards because of that.