[tehaugmenter]

What is scary though is how easily the rfid can be read off of a person. It's a great thing to have but card issuers should include some kind of protective sleeve with every card rather than relying on the consumer to be both aware of and able to use an rfid blocking wallet.

[kibibyte]

Old payment card RFID contactless was really insecure; it basically spat out the data on the magnetic stripe. New contactless is directly tied to the EMV chips and requires the whole cryptographic round trip and such. You can put a protective sleeve around your cards if you want, but it doesn't really add much in real security anymore.

[mcv]

If payment can be authorized through the chip by mere proximity, without any explicit authorization by the owner, then it's still insecure. Of course the thief would need to have an official payment terminal, but those are everywhere.

I use my app, not my card, for this reason.

[kibibyte]

Technically yes you are correct, but the threat model here is similar to someone grabbing a card from you and dipping it into a terminal chip reader without your permission. This is what the PIN part of chip-and-PIN protects against; the chip part (also applicable to EMV contactless) protects against card duplication and transaction replay.

There is a huge difference between this kind of attack and what an attacker can do with the old scheme of magnetic swipe data over RFID. With the former, the only thing an attacker can do is perform a real transaction in that moment; this transaction leaves behind an audit trail tied to a real merchant (the operator of the terminal) and their bank account. An attacker cannot, however, initiate additional payments without accessing the payment card again, and without access to the cryptographic secrets held by the payment service provider, they cannot extract the card number to use for online transactions.

With the latter, it's equivalent to skimming a the magnetic stripe: an attacker can clone the card and reuse it for transactions as often as they'd like for whatever amounts they can authorize. In addition, they will have access to the plaintext card number, which would allow them to use it for online transactions. And absolutely none of this leaves behind an audit trail of how the attacker got your card.

[blep-arsh]

They would also need a bank account. I'm not sure whether it's possible to receive card payments anonymously.

[trasz]

The card issuers offer (due to being forced to by law) much better protection: they cancel transactions made this way.

[mcv]

I disabled mine on the card, and exclusive useless NFC payment from my banking app. That still requires my explicit authorization and is therefore a lot more secure. I started doing this during Covid when we weren't allowed to touch anything anymore, and I'm not going back.