NotionalLabs

Pretty close - functionally, the maximum distance you might expect a phone-based reader to work is about 10cm at a push. Thankfully the design of NFC is such that the physics of any sort of long-range reader antenna would require it to be unconcealably large. It's pretty awkward to pull this off (although probably not much more than "traditional" pickpocketing) and is probably only really feasible at rush hour. If you keep the bank card you use for contactless travel separate from other contactless cards, you might want to reconsider - the "card clash" problem TFL warn you about when tapping in would be pretty effective at stopping someone surreptitiously reading your card from outside your wallet. Jim

Sorry to hear you might have been the victim of electronic pickpocketing - it's certainly possible but perhaps not quite like the others have suggested here. Contactless cards contain secret information that can't be cloned (secret keys unique to the card) that, when combined with one-time per-transaction information from the card reader, securely authenticates your card as being present. Things like your card number and expiry can be cloned via contactless, but that's not enough to make a transaction these days. The passive cloning attacks Penguin68 described are sort-of possible against contactless cards (in limited circumstances where shoddy implementations of backwards compatibility features can be used to downgrade the security to old-fashioned mag-stripe levels), but they aren't very common. The most likely way you were virtually pickpocketed was via a relay attack. All the thief needs is a partner in crime near a shop/payment terminal and two hacked Android phones running NFC relay software. The thief stands next to you in the platform or train, close enough to read your card through your wallet or bag, and his accomplice tries to make a purchase using the other phone (think like Apple Pay) which emulates your card via NFC. The payment terminal reader has a real-time conversation with your card over the thief's makeshift phone-to-phone relay so it's able to authenticate each transaction using your real secret key as if your card was really there. The reason your bank likely caught on was because of the number of transactions in quick succession ("velocity") and the impossible travel time between merchants, etc flagged their fraud detection systems. The way this stuff works means there could be multiple accomplices attempting transactions as fast as they can whilst the window of opportunity is open (i.e the thief is able to stay close enough to you to read your card). Long story short, get an RFID proof wallet like the others suggested and be very wary of people who seem to want to hold their phone next to your bag/purse/wallet. If the BTP do follow up with you, if you do recall anyone following our standing closely (hard to tell on a London commute for sure), might be useful for CCTV. Hope this explanation was interesting and maybe put your mind to rest a little about using the oyster readers - that part is pretty safe, generally speaking! Jim

Hey all, I work with malware professionally and just took a quick look at the link to see if I could put folks mind at rest if they had clicked the link unwittingly. Good news is that there doesn't seem to be any drive-by downloads or anything - it's a fake blog website that loads a ton of ads (probably part of an ad-click fraud campaign). You can't rule it out though so please don't be tempted to click the links. Hopefully the forums spam filter will catch up soon. Best, J