You can, in fact, with the right equipment, talk to NFC chips from a distance. Easier with 125kHz than with 13.56MHz but still possible. See, e.g., https://www.youtube.com/watch?v=gP9f_TiKHIY
Security of NFC applications is complex, and generally a layered approach. Yes, physical distance is a mitigating factor. Using smart cards (rather than keyfobs) and encrypted communication mitigates the risk of skimming. Using sensible financial limits and good monitoring limits the impact of any issue that does occur.
In the end, security is not a black and white 'you need to be at a distance thus things are secure' story. It's about reducing the risk, which is a combination of reducing probability _and_ reducing impact.
Thanks for the info! I probably should have done some more research myself...what you said about security not being 'black and white' is something I forgot to pay more attention to while writing the blog post.
I've updated the blog post with an alert about this accordingly.
Security of NFC applications is complex, and generally a layered approach. Yes, physical distance is a mitigating factor. Using smart cards (rather than keyfobs) and encrypted communication mitigates the risk of skimming. Using sensible financial limits and good monitoring limits the impact of any issue that does occur.
In the end, security is not a black and white 'you need to be at a distance thus things are secure' story. It's about reducing the risk, which is a combination of reducing probability _and_ reducing impact.