You then immediately use this "money" to buy gift cards, which you then sell on, turning the dirty money into clean money. By the time they have traced back the money to the gift card, you're long gone (you can also cross international borders a couple of times to make things difficult/slow).
The fact banks shut down the Mythbusters' investigation into just how insecure contactless cards are really tells you everything you need to know. They know full well they are completely insecure, and they want to keep it hush hush.
Now contactless phone transactions are secure, but contactless phone transactions require action from the user to confirm the transaction. If the plastic cards had you press a button to activate contactless-mode they would be fine too, but they don't...
NFC is great technology that has a lot of uses. This is just a mis-use.
Sources:
research - https://www.shmoocon.org/2012/presentations/Paget_shmoocon20...
presentation - https://www.youtube.com/watch?v=HRXb-FZ6WFM
summary - http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers...
I like your idea of a button though, it wouldn't be too intrusive and it would limit some cases.
The real question is whether the banks will accept the transaction.
The terminal never sees "foreign currency". It is the responsibility of Visa/MasterCard to perform currency conversion.
Your card, which sees itself as a payer of AUD, gets a request for a transaction in GBP. This research suggests it will authorize the transaction even if it is above whatever normal local limit you have on AUD transactions.
Whether that's actually true or not is unknown at this stage - this was a test on a UK contactless card, so maybe we have a slightly different arrangement than your Australian contactless card would.
It's also fairly unlikely that the payment processors would accept a transaction higher than the contactless cap, just because it's in a foreign currency.
It's also entirely possible that they don't bother enforcing a limit because the UK banks involved won't accept any foreign currency contactless transactions. I've never tried to use my UK contactless cards abroad.
While the authors claim to "appreciate that banks will have a number of security systems in place to prevent fraud", they seem to neglect that those systems should effectively render the attack impossible:
- There are limits for CVM-less transactions; not only in the application running on the chip, but also for terminals. I think that there is one limit above which a CVM (e.g. PIN or signature) is required, and another limit for offline authorizations. CVM-less high-value transactions would not only be suspicious, but even non-compliant for most card schemes.
- It is not trivial to apply for a merchant account, and I guess that a new account would not be allowed to immediately withdraw recently acquired funds. (If it were that simple, magnetic stripe card skimmers could simply apply for a merchant account and avoid all the hassle with PIN skimming, finding vulnerable merchants or ATMs etc.)
- A merchant with a higher than average rate of transactions challenged by cardholders will surely be scrutinized even more closely.
All in all, the implemented failure mode of offline-authorizing all transactions in unknown currencies seems like a really bad idea and should be improved. The rest of the paper seems like speculation, though.
(Compare e.g. to Steven J Murdoch's work ("Chip and PIN is broken" etc.), where the claims have been verified with an actual payment terminal.)
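As an added illustration (not code from this thread or from the paper it discusses), here is a model of the card-side risk check: the failure mode described above, where limits only apply in the card's own currency, next to a fail-closed version that sends anything it cannot evaluate online. The card profile values, the `Decision` names and the minor-unit amounts are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE_OFFLINE = "approve_offline"  # chip approves with no issuer contact
    GO_ONLINE = "go_online"              # issuer host must authorize (limits enforced there)
    REQUIRE_CVM = "require_cvm"          # PIN or signature needed before proceeding


@dataclass(frozen=True)
class CardProfile:
    currency: str        # currency the card application is personalised for
    cvm_limit: int       # minor units; above this a CVM is mandatory
    offline_floor: int   # minor units; above this the transaction must go online


# Constructed sample card: an AUD card with a 20.00 CVM-less cap and 10.00 offline floor.
CARD = CardProfile(currency="AUD", cvm_limit=2000, offline_floor=1000)


def _apply_limits(card: CardProfile, amount: int) -> Decision:
    """Shared limit logic for a transaction in the card's own currency."""
    if amount > card.cvm_limit:
        return Decision.REQUIRE_CVM
    if amount > card.offline_floor:
        return Decision.GO_ONLINE
    return Decision.APPROVE_OFFLINE


def flawed_card_check(card: CardProfile, amount: int, currency: str) -> Decision:
    """The failure mode discussed in the thread: a currency the card does not
    recognise skips the limit checks entirely and is approved offline."""
    if currency != card.currency:
        return Decision.APPROVE_OFFLINE
    return _apply_limits(card, amount)


def hardened_card_check(card: CardProfile, amount: int, currency: str) -> Decision:
    """Fail closed: an unknown currency cannot be compared against the local
    limits, so the decision is deferred to the issuer host instead of approved."""
    if currency != card.currency:
        return Decision.GO_ONLINE
    return _apply_limits(card, amount)
```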
Allowing anyone to take my money without my explicit approval, even if it's only up to 20 pounds at a time, is simply begging to be abused. I don't understand how anyone could possibly have thought this was a good idea.