by gambiting 4781 days ago
Actually, it's impossible to skim anyone with a regular reader. Because NFC cards are active, they need to receive a decryption key from the terminal first, before they broadcast their own data. Commercial readers are not able to read bank cards; they mostly show the card's type, and that's it. Every memory bank is marked as private and cannot be read without the authorization key. So a skimmer would need to use an actual payment terminal obtained from a bank, and only such a terminal would be able to read and charge money from contactless cards. But to get such a terminal, you would need to register with a bank, and you would be super easy to trace down.
2 comments

Yes, absolutely. Read the article though - she read an RFID card, which, yes, can be read by anyone, using any reader available on the market. This is NOT how new contactless cards are implemented - new ones use NFC for active transmission, which requires a valid authorization key to release their details. With RFID she could've read anything she wanted from these cards.
So how do shops do it? What is the thing that makes it possible for a shop to charge you for groceries while making it impossible for someone to skim you on the bus with a shop terminal?

(serious question)

Shops have proper authorized terminals that have authentication keys. The terminal sends the key to the card, then the chip on the card replies with its own details. You cannot read bank cards with commercial NFC readers that you can just buy.

If you manage to get a proper shop terminal (which are only given to proper registered businesses), then yes, you could theoretically skim people's cards on a bus or in any other public place. The only problem with that is that you can only charge at most 15 quid, and you cannot get the card details back, so you can't use it for internet payments. And because the bank has your details, they can very, very quickly track the payments back to you and stop you from stealing money (and not even pay out any money to your account). So yes, the trouble is completely not worth it, which is probably why no one will do that.