Hacker News
by kweks 1163 days ago
The Flipper can read the PAN (card digits + expiry) that are exposed by cards that have "tap to pay".

This is an unencrypted interface supplied by the cards, which means it is readable by any NFC-enabled device (including any Android device...).

This interface is different from the EMV (payment) interface, which is encrypted. The Flipper cannot clone EMV cards.

The problem here is that cards transmit their card info to anyone who asks, not that Flipper is a malicious device.

3 comments

It's mind-boggling how they just decided to throw basically any semblance of security completely out the window by putting NFC on credit cards for convenience.
I thought tap to pay used a one time code? Or are you saying tap to pay uses the PAN + a one time code?
There are two different interfaces. One exposes the number + name + expiry over an unencrypted ISO 14443 interface. Readable by any compatible reader (i.e., every NFC-enabled phone - https://www.apkmonk.com/app/com.github.devnied.emvnfccard/)

The EMV / payment interface is a different interface and fully encrypted.

And all cards support both??
I used to think my RF shielded wallet is a silly gimmick, but now I'm not so sure.
Not a gimmick, but also not perfect. Probably better than nothing :) Good quick explanation by Deviant Ollam at around 7:30 in this video: https://www.youtube.com/watch?v=Qt2Gn2CoJ74