Contactless Card Fraud: Facts, Myths, and What the Research Says
Is contactless card payment really risky? We separate fact from fear and explain exactly what's possible, what isn't, and how to use tap-to-pay safely.
Last Updated: February 2026
Key Takeaways:
- Real-world contactless card fraud is rare relative to other payment fraud types
- What can theoretically be intercepted is limited and not sufficient for most fraud without additional data
- Per-transaction limits significantly cap the exposure from any single contactless transaction
- Tokenised digital wallets (Apple Pay, Google Pay) are more secure than physical contactless cards
- Your biggest risk is still physical card loss or theft — not wireless interception
The Fear: What People Worry About
Contactless payments — tap-to-pay cards and phone wallets — have generated persistent consumer anxiety. The concern typically sounds something like this:
"Someone could walk past me with a hidden card reader and steal my contactless card data without touching me."
It is worth examining how much of this is a genuine, practical risk and how much is understandable concern about technology that feels invisible and hard to control.
How Contactless Payments Work
When you tap a contactless card or phone, a near-field communication (NFC) chip in the card communicates with the payment terminal.
What is transmitted:
- A tokenised representation of your card details (not your full card number, in most modern implementations)
- A one-time transaction cryptogram — a code unique to that transaction that cannot be reused
- The transaction amount
What is NOT transmitted:
- Your physical card number (in most contactless implementations, a different number is used)
- Your PIN
- Your billing address
Because the transaction cryptogram is unique and one-time, even if a criminal intercepted the NFC communication, they would receive data that:
- May not include your real card number
- Includes a code that cannot be replayed for another transaction
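The replay resistance described above can be shown with a small issuer-side model. This is an added example, not code from the article or from any card scheme: HMAC-SHA256 stands in for the real cryptogram algorithm, and the per-tap counter, the terminal-chosen nonce, the class names and the key are all constructed for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, atc: int, amount_minor: int, nonce: bytes) -> bytes:
    """Simplified cryptogram: HMAC-SHA256 stand-in, truncated to 8 bytes."""
    msg = atc.to_bytes(2, "big") + amount_minor.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    """Constructed model: a secret key plus a counter that advances on every tap."""
    def __init__(self, key: bytes):
        self._key, self.atc = key, 0

    def tap(self, amount_minor: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        return {"atc": self.atc, "amount": amount_minor, "nonce": terminal_nonce,
                "cryptogram": _mac(self._key, self.atc, amount_minor, terminal_nonce)}

class Issuer:
    """Verifies the cryptogram and refuses any counter value it has already seen."""
    def __init__(self, key: bytes):
        self._key, self._last_atc = key, 0

    def authorise(self, req: dict) -> str:
        expected = _mac(self._key, req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE: cryptogram mismatch"
        if req["atc"] <= self._last_atc:
            return "DECLINE: counter already used"
        self._last_atc = req["atc"]
        return "APPROVE"

def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    card, issuer = Card(key), Issuer(key)
    genuine = card.tap(1250, bytes.fromhex("a1b2c3d4"))  # 12.50 at terminal A
    results = {"genuine": issuer.authorise(genuine)}
    # Same captured message sent again: the cryptogram verifies, the counter does not.
    results["verbatim_replay"] = issuer.authorise(dict(genuine))
    # Captured cryptogram offered with a nonce chosen by a different terminal.
    results["other_terminal"] = issuer.authorise(dict(genuine, nonce=bytes.fromhex("0badf00d")))
    # Captured cryptogram attached to a larger amount.
    results["amount_changed"] = issuer.authorise(dict(genuine, amount=99999))
    # A fresh tap from the real card is still accepted.
    results["next_tap"] = issuer.authorise(card.tap(300, bytes.fromhex("deadbeef")))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```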
The Theoretical Attack: NFC Relay and RFID Skimming
RFID/NFC Interception
In controlled laboratory conditions, researchers have demonstrated that it is possible to bring an NFC-capable device within a few centimetres of a contactless card and read limited data from it.
What can typically be read:
- The card number and expiry date (the same data printed on the front of the card)
- On some older implementations: truncated transaction history
What this enables:
- Limited card-not-present (online) fraud — if the card number and expiry are used without additional verification. However, most online merchants also require CVV, billing address, or 3D Secure authentication, which are not accessible via NFC interception.
In practice: This attack has very limited financial utility compared to the effort involved in approaching victims closely with concealed equipment.
NFC Relay Attacks
A relay attack uses two devices: one close to your card, one close to a payment terminal at a different location. In theory, the transaction is "relayed" from your card to the terminal without your knowledge.
These have been demonstrated in academic research — but documented instances of real-world financial losses from contactless relay attacks are extremely rare. The practical challenges of executing this at scale, combined with low per-transaction limits, make it commercially unattractive for criminals compared to other fraud methods.
The Reality: What Contactless Fraud Actually Looks Like
Card fraud statistics from financial regulators and card schemes consistently show that:
- Lost and stolen card fraud accounts for the majority of contactless fraud — physical theft of the card, not wireless interception
- Card-not-present (online) fraud is far larger than contactless fraud in value terms — criminals prefer to use stolen card details remotely
- ATM skimming and POS tampering remain the primary card data theft mechanisms
The "someone stealing your money as they walk past" scenario, while theoretically possible, does not appear in the fraud statistics as a significant source of loss.
Per-Transaction Limits: Why They Matter
Most countries enforce a per-transaction limit on contactless payments without additional authentication (PIN or biometric):
- UK: £100 per tap (increased from £45 in 2021)
- EU: €50 per tap (varies by country/bank)
- Australia: A$100 per tap
- US: Varies by card issuer; many allow higher contactless limits
These limits bound the maximum loss from a single unauthenticated contactless transaction. Even in a loss or theft scenario, repeated use of a stolen contactless card above the cumulative limit triggers additional authentication requirements.
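How the two limits bound the loss from a stolen card can be modelled in a few lines. This is an added example, not an issuer's or scheme's actual rule set: the per-tap limits come from the list above, while the cumulative limit, the consecutive-tap count and all names are assumed values chosen for illustration.

```python
from dataclasses import dataclass

# Per-tap limits in minor units (pence / cents), taken from the list above.
PER_TAP_LIMIT = {"UK": 100_00, "EU": 50_00, "AU": 100_00}

@dataclass
class TapPolicy:
    per_tap_limit: int
    cumulative_limit: int      # assumed value, not from the article
    max_consecutive_taps: int  # assumed value, not from the article

@dataclass
class CardState:
    spent_since_auth: int = 0  # unauthenticated spend since the last PIN/biometric
    taps_since_auth: int = 0   # unauthenticated taps since the last PIN/biometric

def decide(policy: TapPolicy, state: CardState, amount: int,
           authenticated: bool = False) -> str:
    """Approve a tap, or demand PIN/biometric when a limit would be crossed."""
    if authenticated:
        # A verified payment proves the cardholder is present: reset both counters.
        state.spent_since_auth = 0
        state.taps_since_auth = 0
        return "APPROVE (verified, counters reset)"
    if amount > policy.per_tap_limit:
        return "REQUIRE_AUTH: over per-tap limit"
    if state.spent_since_auth + amount > policy.cumulative_limit:
        return "REQUIRE_AUTH: cumulative limit reached"
    if state.taps_since_auth + 1 > policy.max_consecutive_taps:
        return "REQUIRE_AUTH: too many consecutive taps"
    state.spent_since_auth += amount
    state.taps_since_auth += 1
    return "APPROVE"

def max_unauthenticated_loss(policy: TapPolicy, attempted: list) -> int:
    """Total that gets through for someone holding the card but not the PIN."""
    state, total = CardState(), 0
    for amount in attempted:
        if decide(policy, state, amount) == "APPROVE":
            total += amount
    return total

if __name__ == "__main__":
    uk = TapPolicy(PER_TAP_LIMIT["UK"], cumulative_limit=300_00, max_consecutive_taps=5)
    # Six attempted taps of 90.00 each: only the first three are approved.
    print(max_unauthenticated_loss(uk, [90_00] * 6) / 100)
```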
Contactless vs Chip vs Magstripe: The Honest Comparison
| Payment Method | Real-World Fraud Risk (Card-Present) | Notes |
|---|---|---|
| Magstripe swipe | Highest | Static data, easily cloned via skimmer |
| EMV chip insert | Low | Dynamic codes; shimming risk exists |
| Contactless tap | Low | Per-transaction limits; one-time cryptogram |
| Digital wallet (Apple/Google Pay) | Lowest | Device tokenisation; biometric authentication |
The practical conclusion: Contactless is not meaningfully more dangerous than chip-and-PIN for most consumers in everyday use. It is substantially safer than magstripe.
Common Myths About Contactless Fraud
| Myth | Reality |
|---|---|
| "Someone can steal my money from across the room." | NFC range is typically 4 cm in real conditions. Room-range interception is not possible. |
| "A shielding wallet completely eliminates risk." | Shielding wallets block NFC when the card is in the wallet — but the practical risk of interception while the card is in your wallet is already very low. |
| "Contactless is the fastest-growing fraud type." | Lost/stolen card and card-not-present fraud are larger categories. Contactless fraud is a small share of total card fraud. |
| "My card is being scanned constantly in my pocket." | Your card does not "broadcast" passively — it only activates when brought close to a powered NFC reader. It does not emit signals when in your pocket. |
| "I should switch back to chip and PIN to be safe." | This would represent a step backward in security. Chip and contactless are broadly comparable, with contactless offering some advantages. |
Practical Advice for Contactless Card Users
- Enable transaction alerts — you will know about any unauthorised contactless charge within seconds
- Report a lost card immediately — the primary contactless fraud risk is physical loss; reporting locks the card instantly via your banking app
- Consider a digital wallet for even stronger protection — Apple Pay and Google Pay's tokenisation means your real card number is never transmitted
- Check your statements regularly — disputed contactless charges are generally straightforward to raise with your bank
- RFID-blocking wallets are optional — they provide peace of mind for some users, but are not necessary given the actual risk profile
For Operators: Should You Disable Contactless on Your Terminals?
No — disabling contactless would push customers back to magstripe swipe, which is significantly less secure. The evidence-based recommendation is to keep contactless enabled with appropriate per-transaction limits and cumulative authentication thresholds.
If you are concerned about the security of your terminals more broadly, a security assessment is more appropriate.
Frequently Asked Questions
Q: Can someone steal my contactless data without touching me? A: In practice, NFC requires proximity of a few centimetres. Practical wireless interception of financially useful data from a distance is not supported by evidence from real-world fraud cases.
Q: Is tap-to-pay safer than inserting my chip card? A: Both are considered secure methods. For contactless physical cards, the risk profiles are broadly comparable. For digital wallet tap-to-pay (Apple Pay, Google Pay), tokenisation provides an additional security layer that makes it marginally stronger.
Q: My bank charged me for a contactless transaction I don't recognise. What do I do? A: Report it to your bank as an unauthorised transaction and raise a dispute immediately.
Q: Does carrying multiple contactless cards together cause issues? A: Yes — if multiple contactless cards are too close together during a tap, the reader may have trouble determining which card to process (called "card clash"). Keep your intended payment card separate from others during the tap.
Q: Are contactless transactions insured? A: Contactless transactions are covered by the same consumer protections as other card transactions. Unauthorised transactions can be disputed with your bank under the relevant payment regulations.