eBay sells RFID readers for £10 or less. Anyone armed with one, and with the knowledge of how to go about it (which isn’t hard to collect), can read the data on the contactless card in someone else’s pocket: the pocket of a stranger they have never seen before in their lives. That doesn’t sound like a good idea, does it?
Without even seeing the card, the hacker can take from it the card number, the expiry date and the CVV number. Then, using a card-magnetising tool that also doesn’t cost very much, the hacker can create a new card with the stolen data on it.
All of this is possible because contactless cards are built on RFID.
Defenders of contactless cards say that they have an extra layer of security: in addition to the normal CVV number, the cards are designed to produce a single one-off CVV number each time the card is scanned. The codes can only be used for that one transaction and must be used in the order in which they are generated. The Smart Card Alliance says that this makes contactless cards extremely safe, which is a strange description for something that can be stolen, but only used once. Those who would like to see contactless cards banned say: “So what? Someone standing in a crowded area can lift the details from a hundred different cards in the time it takes to order a skinny latte. So instead of one person being robbed a hundred times, a hundred people are each robbed once.”
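The one-off code check described above, sketched as an added example that is not part of the original article and is not any card scheme's real algorithm. It assumes a code derived with HMAC-SHA256 from a per-card secret and a transaction counter; the card number, expiry date and key are constructed test values.

```python
import hashlib
import hmac

def one_off_code(key: bytes, pan: str, expiry: str, counter: int) -> str:
    """3-digit code bound to the card secret and one transaction counter value."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Card side: the secret stays on the chip; every read advances the counter."""
    def __init__(self, key: bytes, pan: str, expiry: str):
        self.key, self.pan, self.expiry, self.counter = key, pan, expiry, 0

    def tap(self) -> dict:
        self.counter += 1
        code = one_off_code(self.key, self.pan, self.expiry, self.counter)
        return {"pan": self.pan, "expiry": self.expiry,
                "counter": self.counter, "code": code}

class Issuer:
    """Issuer side: recomputes the code and remembers the highest counter accepted."""
    def __init__(self):
        self.keys, self.last_counter = {}, {}

    def enroll(self, card: Card) -> None:
        self.keys[card.pan], self.last_counter[card.pan] = card.key, 0

    def authorize(self, read: dict) -> str:
        key = self.keys.get(read["pan"])
        if key is None:
            return "declined: unknown card"
        # A counter at or below the last accepted one is a replay or an old code.
        if read["counter"] <= self.last_counter[read["pan"]]:
            return "declined: code already used or out of order"
        expected = one_off_code(key, read["pan"], read["expiry"], read["counter"])
        if not hmac.compare_digest(expected, read["code"]):
            return "declined: bad code"
        self.last_counter[read["pan"]] = read["counter"]
        return "approved"

if __name__ == "__main__":
    issuer = Issuer()
    card = Card(b"constructed-demo-key", "4000000000000002", "12/30")  # constructed
    issuer.enroll(card)
    earlier, later = card.tap(), card.tap()
    print(issuer.authorize(later))    # the newest read is accepted
    print(issuer.authorize(later))    # the same read presented again is refused
    print(issuer.authorize(earlier))  # an older read arriving late is refused
```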
It is possible to disable the RFID chip using a microwave oven, but that calls for care; three seconds in the microwave will kill the chip but five may melt the card. A better solution is to keep a device in the purse or wallet, alongside the credit cards, that blocks RFID readers by reflecting back the reader’s signal. One such device also emits a high-pitched whine to let the card owner know there’s a thief in the neighbourhood.
Better still: don’t have RFID chips in cards in the first place.