Recently a colleague sent me this scary video illustrating an attack against contact-less (RFID) credit cards.
Sigh. It is bad. It is not quite as bad as it sounds and only a little bit worse than it looks.
Watch the film again. Focus on how close the attacker gets to the target. Here is why.
The problem is not so much how the information is transferred as that it is transferred in the clear, not so much that the credit card number leaks as that credit card numbers are so easy to exploit.
Said another way, all uses of credit card numbers in the clear leak; this includes imprinters, compromised point-of-sale devices, gas pumps, and ATMs. That would not be a problem if no one would accept a credit card number in the clear from an untrusted source.
A major problem with the video is that it fails to distinguish between these RFID cards, that rely on the short range of the signal for security, from EMV cards that rely upon encryption, or even chip cards that require contact.
While many US merchants are ready for EMV, the issuers have slipped their schedule to 3Q 2015. My hope is that by that time PayPal, Google Wallet, Square Wallet, or other (are you listening Apple and Amazon?) mobile computer token-passing systems, will have made them obsolete.
For the moment, we can treat this as a vulnerability but not a problem; there are easier ways to get credit card numbers. The continued use of mag-stripe and PIN dwarfs all other problems in the retail payment system.