[christop]

That sounds very odd; I compiled the app mentioned here and it took more like 200ms to read the info from my UK contactless VISA card.

But this whole attack isn't anything new — this was pretty widely reported back in 2012 in the UK, e.g. http://www.channel4.com/news/millions-of-barclays-card-users...

I wrote essentially the same proof of concept app two years ago after seeing that report pretty much just by reading the specs. From reading the paper mentioned on GitHub, the only real difference to what I wrote is that I didn't check for the CVC3 information (which I think is generally not included, or doesn't correspond to the actual security code on the back of the card).

But in any case, just the card number and expiry number are enough — as mentioned in the Channel 4 report — to make purchases from a lot of places.

[blincoln]

If CVC3 is anything like CVV and CVV2, it's probably intentionally different than what's on the back of the card. Mag-stripe VISA cards have a three-digit code embedded in the stripe (this is the CVV), and a different three-digit code on the back of the card (the CVV2). Different brands of cards use the same model, but they don't always call them CVV/CVV2, and the number of digits may be different. The numbers are different so that use of the card is a magnetic reader can be differentiated from someone typing it in.