It's a risk, but you can fix it on the backend, away from the end-user. If they were bitcoins then sure you need interaction for NFC. But credit cards are a closed system on the merchant side, any new identity pulling only NFC traffic would be very suspicious. NFC would always be an expected proportion of overall captures. So it's simple to defend against this attack without killing the feature.