October 31, 2013 - The security of contactless payment cards has again been called into question after researchers claimed to be able to pick up NFC data from as far away as 80 centimetres.

Contactless cards are designed to only work when within a few centimetres of a payment terminal but researchers from the University of Surrey say that they have successfully "eavesdropped" on a transaction from far further away using "inconspicuous equipment".

In a paper published by the Institution of Engineering & Technology's Journal of Engineering, the team says that they used portable, inexpensive and easily concealable equipment - including a pocket-sized cylindrical antenna, a backpack, and a shopping trolley - to obtain the payment data.

The equipment enabled them to reliably eavesdrop, with good reception possible even at 45 centimetres when the minimum magnetic field strength required by the standard is in use.

However, the UK Cards Association has played down the research, arguing that the data obtained by the team - card number and expiry date - would be of little use to fraudsters.

Contactless cards are now ubiquitous on UK high streets and NFC technology is also making its way to mobile phones. Around one in seven card payments of under £20 are now contactless at retail giant Marks & Spencer while Boots today revealed that it has rolled out terminals at all of its stores. The technology is also now making its way onto London's public transport network.

Yet security concerns persist - in April a survey found that a quarter of Brits find contactless payments scary. Bank First Direct recently felt the need to change its terms to make clear that customers should remove cards from wallets before making payments to avoid charging the wrong account.

Dr Johann Briffa, lead academic supervisor, says: "The results we found have an impact on how much we can rely on physical proximity as a 'security feature' of NFC devices. Designers of applications using NFC need to consider privacy because the intended short range of the channel is no defence against a determined eavesdropper."

A UK Card Association spokesman relpies: "Instances of fraud on contactless cards are extremely rare. Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card. A fraudster would find it very difficult to make a fraudulent transaction using this information - and it certainly could not be used to make a cloned card."