Contactless Skimming

Contactless skimming involves using a covert NFC or RFID reader — concealed in clothing, a bag, or a portable device — to read data broadcast by contactless payment cards when in close proximity. Many contactless cards transmit basic card details (card number and expiry date) in response to any NFC reader, not just legitimate payment terminals, which creates the opportunity for passive data harvesting.

The data retrieved through contactless skimming is typically limited to the card number, expiry date, and sometimes recent transaction data, but not the CVV (card security code) or the cardholder's PIN. This data is sufficient to conduct card-not-present fraud — placing online orders with merchants that do not require the CVV — though it cannot be used to clone a chip-and-PIN card.

The practical threat is somewhat debated: researchers have demonstrated the technique under controlled conditions, but evidence of widespread real-world exploitation is limited because the same data can be obtained more easily through phishing or data breaches. Nonetheless, RFID-blocking wallets and card sleeves are widely used as a precaution, and most modern contactless cards implement protections limiting the data exposed.