Works for me too - Nexus 5, MasterCard PayPass. The app in its current form isn't dangerous; it takes ~2 minutes to read the card, and if the screen goes off or the reader loses contact you have to start again.
I wrote essentially the same proof of concept app two years ago after seeing that report pretty much just by reading the specs. From reading the paper mentioned on GitHub, the only real difference to what I wrote is that I didn't check for the CVC3 information (which I think is generally not included, or doesn't correspond to the actual security code on the back of the card).
But in any case, just the card number and expiry number are enough — as mentioned in the Channel 4 report — to make purchases from a lot of places.
If CVC3 is anything like CVV and CVV2, it's probably intentionally different than what's on the back of the card.
Mag-stripe VISA cards have a three-digit code embedded in the stripe (this is the CVV), and a different three-digit code on the back of the card (the CVV2). Different brands of cards use the same model, but they don't always call them CVV/CVV2, and the number of digits may be different.
The numbers are different so that use of the card in a magnetic reader can be differentiated from someone typing it in.
Doesn't this make it an impractical attack in most situations? I've never thought that buying RF shielding cases is of much use for 99% of situations, and this seems to support that theory.
Or should I rush out tomorrow and get one? (Australia, so yep, all of them are paywave, whether you want them or not).
Though as I understand from the source this also acts as an emulator, so if you scan your phone it may replay those card details, worth keeping in mind.
I'd love this. My bank wants me to pay $2.99 for a sticker to go on the back of my phone (to do contactless purchases) while supporting Galaxy S* phones natively...
Sounds to me like his bank is the Commonwealth Bank of Australia(1), so Google Wallet is a non-starter. Coin is interesting, but the payments landscape in .au is rapidly moving away from card swipes to Paywave/Paypass. I've seen quite a few places that offer Cash or Tap, no swipe (I presume because of the fee structure).
Commonwealth Bank charge $2.99 a year regardless of what you want to do. To use their Android app, they also bill you that to have the functionality turned on.
The annual fee is not applicable in case of the PayTag (https://www.commbank.com.au/personal/can/can-tap.html). Also, can you refer me to the doc that mentions the extra cost of using the Android app for that purpose?
Edit: Reading that is...