An increasing number of credit cards now contain a tiny wireless computer chip and antenna based on RFID (Radio Frequency Identifier) and contactless smartcard technology. RFID-enabled credit cards permit contactless payments that are fast, easy, often more reliable than magstripe transactions, and require only physical proximity (rather than contact) between the credit card and the reader. An estimated 20 million RFID credit cards and 150,000 vendor readers  are already deployed in the U.S. According to Visa USA , “This has been the fastest acceptance of new payment technology in the history of the industry.”
The conveniences of RFID credit cards also lead to new risks for security and privacy. Traditional credit cards require visual access or direct physical contact for retrieving information such as the cardholder’s name and the credit-card number.By contrast RFID credit cards make these and other sensitive pieces of data available using a small radio transponder that is energized and interrogated by a reader.
Experimental Results: Although RFID-enabled credit cards are widely reported to use sophisticated cryptography [3,15,18,21,29,32], our experiments found several surprising vulnerabilities in every system we examined. We collected two commercial readers from two independent manufacturers and approximately 20 RFID-enabled credit cards issued in the last year from three major payment associations and several issuing banks in the U.S. We were unable to locate public documentation on the proprietary commands used by RFID-enabled credit cards. Thus, we reverse engineered the protocols and constructed inexpensivedevices that emulate both credit cards and readers. The experiments indicate that all the cards are susceptible to live relay attacks, all the cards are susceptible to disclosure of personal information, and many of the cards are susceptible to various types of replay attacks. In addition, we successfully completed a proof-of-concept cross-contamination attack.
Given the size and diversity of our sample set we believe that our results reflect the current state of deployed RFID credit cards; however, card issuers continue to innovate and will likely add new security features. Our findings are not necessarily exhaustive, and there may exist cards that use security mechanisms beyond what we have observed.