[MBCook]

EMV doesn’t transmit the full card number in the clear. I don’t know how they’d get it. IIRC the track data is sanitized, but maybe it wasn’t always. I’m not even sure all cards give it in a modern EMV transaction.

The old mag stripe emulation mode of contactless did, but that’s legacy and many places won’t accept it and cards won’t do it.

However the good old “break the slot or chip reader so they have to use mag stripe and scan the card things the old fashioned way” technique still works great.

[js2]

Googling "EMV sniffer" returns a bunch of sketchy sites that claim they get the card number from the chip, not the mag stripe. That's also what seems to be implied by the submitted link. Here's another post claiming the card # is readable from the chip:

https://security.stackexchange.com/questions/161493/what-inf...

[jackson1442]

I believe it’s at least stored on the EMV chip: if you tap a credit card to a flipper zero you’re able to read the full card number and expiration date, and contactless is just over-the-air EMV as I understand it.

[MBCook]

Oh yeah, it must be in there. If you were to etch down to the chip with acid I’m sure you could see it.

Contactless has two forms. The old one is mag-stripe emulation. It would literally just respond with the information from the mag-stripes. It was exactly as secure as mag-stripe. Probably worse because you didn’t need to physically move the card over a read head.

That’s no longer supported in many (most?) modern cards. I know ApplePay refuses to do it. I think card brands have said to stop using it but I’m not positive.

The other mode (absolutely dominant in contactless) works through encrypted EMV tags the same as you get when using a physical slot. The order of things is a little different but it’s just as secure.