Bank card chips use NFC technology, meaning they only transmit a signal when they are within 2 to 4 cm of the NFC reader on the terminal, which is responsible for opening the communication between the two. Furthermore, for this communication to occur without interruption, other conditions must be met in addition to proximity: the signal must be correctly oriented, both ends must stay still, and no objects may interfere with it. For example, you may have noticed that when you pay, it's not enough to simply hold your card to the card reader; you must also place the chip over the NFC reader and not move it.
On the other hand, capturing card data requires sophisticated signal-eavesdropping techniques that hold up well in the lab but fall flat in real-life environments.
Possible, but not probable, vulnerabilities of contactless payment
At this point, it's time to debunk myths.
Source: Civil Guard (@guardiacivil)
We've all heard about the thief who wanders through subway cars, holding a payment terminal against the buttocks of unsuspecting passengers. In reality, what is known about the case is that it is a hoax that has circulated on social media, appearing and disappearing at the convenience of naive and opportunistic individuals. It has never been corroborated by anyone and has been denied by Visa and Mastercard, the Civil Guard, and numerous media outlets. At most, the Bank of Spain warns that it would be possible, but only as a very limited option.
Why is it possible in theory but practically impossible? In addition to what was previously discussed about the physics of the NFC signal, it's important to keep in mind that EMVCo, the consortium responsible for the EMV standard, has put other safeguards in place against would-be thieves. On the one hand, there must be very good coverage to relay the transaction data to its servers; if the expected responses don't arrive within the allotted time window (5 seconds at most), the transmission will be cut off, and the thief will have to enter the payment order again. On the other hand, the payment terminal must be registered in the name of a merchant in the country, so the fraud will leave clear traces of the transaction. Furthermore, to obtain a payment terminal, the bank will ask you to meet certain requirements that you must demonstrate as a merchant. And all this is just to make a few bucks, because, at least in Spain, the cardholder must enter the PIN for payments over €50.