May. 4th, 2012

reddragdiva: (geek)

"GREAT NEWS!" said my bank. "WE'RE SENDING YOU A NEW NFC CASH CARD! BUY STUFF WITH JUST A SWIPE, NO PIN! YOU LUCKY THING!"

As a computer professional, I was not entirely thrilled. Not much can be nicked from an Oyster card (which has long been known to be skimmable), but a bank card is rather a different matter.

And guess what, it's been done: Channel 4 report, researcher's piece with more details. They can get everything off the card except the three-digit security code on the back, and there are enough online retailers (e.g., Amazon) that don't require that. (And though I've yet to see reports, it strikes me as really obvious to skim a card and get an NFC-enabled phone to pretend to be that card. Ker-ching.) The card owner's name is definitely on Barclaybank cards; others may or may not include it.

You can buy expensive anti-skimming wallets (with a wire mesh that forms a Faraday cage) — or you can just give your cash cards a fetching tinfoil hat.

Double layer of tinfoil, folded, about the size of the card. Note wifi symbol on card.

Put your Oyster, which you probably want still skimmable, at the other end of the card wallet from the tinfoil cash card, so that reflections from the tinfoil don't mess up its signal.

The above has worked well for me in practice for the past few weeks — I just keep an eye on which side I swipe on the Oyster reader. The tinfoil absolutely blocks the Oyster, so I'm pretty confident it blocks the cash card.

Edit: American Express Blue cards are also reported to give full customer details, unencrypted. If you have an NFC-capable Android phone, test your card with Electronic Pickpocket. (The crooks already have this app and better ones.) Then call your bank and scream blue murder if usable amounts of personal details are skimmable.
