Speaking with InfoWorld, Fu, who is an assistant professor of computer science at the University of Massachusetts, said that in the last year, the card industry has corrected some of the faults of the first generation of RF cards but that many cards still broadcast information like a credit card account number in an unencrypted form.
Card companies don't consider the account number to be "personally identifiable information" or PII, acknowledged Nasreen Quibria, a senior payments industry consultant at the Federal Reserve Bank of Boston.
"Stealing information from these cards is not as easy as it may seem, but I'm concerned that consumers are unaware that their information is being broadcast in the clear," Fu said.
The payment card industry continues to take a dim view of Fu's research. Visa's Triplett argued that attacks that eavesdrop on information from RF cards would be all but impossible to carry out successfully outside of the laboratory, that newer-generation cards mask the account holder's name, and that an arsenal of other security features stands between fraudsters and successful transactions, including CVCs (card verification codes) that are generated dynamically for each transaction and hefty back-end fraud detection systems.
"Each (contactless) transaction is unique. There's data that's generated on the card itself, then encrypted and sent through the network for validation of the transaction," Triplett said. "It's not just the 16-digit account number. You have to have additional information."
"If you look at fraud on card platforms versus other kinds of payments, it's a small fraction," he said.
Triplett noted that card issuers like Visa reviewed Fu's research when it came out but concluded that they had the "right level" of security in place for stakeholders in the payments system: consumers, banks, and merchants.
Still, the payment industry may be making at least one concession, turning a recommendation that RF cards be shipped with protective mailing shields into a mandate, Triplett said. The shields prevent eavesdropping of card information while the card is still in its mailing envelope -- a technique that Fu and his fellow researchers used to obtain card information.
Outside of that, the payment card industry is limited in what it can do by a legacy infrastructure of card readers that can't handle RF transactions. That means that even new RF cards have to sport magnetic stripes that contain cardholder and account information on them in unencrypted form, said Triplett.
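To make the two arguments above concrete (a per-transaction code on the contactless path versus static data on the magnetic stripe), here is an added toy simulation that is not part of the article and not Visa's or any issuer's code. The key, the account number, the static stripe code and the cryptogram scheme (an HMAC-SHA256 over the account number, a transaction counter and a terminal nonce) are all constructed assumptions standing in for the issuer-specific EMV algorithms the article does not describe. It assumes an eavesdropper has captured one contactless exchange off the air, and, for the stripe case, that the attacker has also read the static stripe data.

```python
import hashlib
import hmac

# Added example, not from the article. Everything here is a constructed toy:
# the key, the account number and the cryptogram scheme (HMAC-SHA256 over
# PAN || counter || terminal nonce) are assumptions standing in for the
# issuer-specific EMV algorithms the article does not describe.

ISSUER_KEY = b"demo-issuer-master-key"   # assumption: shared secret, never sent over the air
PAN = "4111111111111111"                 # constructed sample account number
STATIC_CVC = "123"                       # constructed stand-in for the static code on a magnetic stripe


def card_key(pan: str) -> bytes:
    """Per-card key the issuer personalises into the chip (assumption)."""
    return hmac.new(ISSUER_KEY, pan.encode(), hashlib.sha256).digest()


def dynamic_cvc(pan: str, atc: int, nonce: bytes) -> str:
    """Per-transaction code: MAC over PAN, transaction counter and terminal nonce."""
    msg = pan.encode() + atc.to_bytes(2, "big") + nonce
    return hmac.new(card_key(pan), msg, hashlib.sha256).hexdigest()[:8]


class ContactlessCard:
    def __init__(self, pan: str):
        self.pan = pan
        self.atc = 0   # application transaction counter, incremented on every tap

    def tap(self, nonce: bytes) -> dict:
        self.atc += 1
        # This is what an eavesdropper sees: the PAN is readable, the code is not reusable.
        return {"pan": self.pan, "atc": self.atc, "cvc": dynamic_cvc(self.pan, self.atc, nonce)}


class Issuer:
    def __init__(self):
        self.seen_atc = {}   # highest counter accepted per PAN, for replay detection

    def authorize_contactless(self, msg: dict, nonce: bytes) -> str:
        pan, atc = msg["pan"], msg["atc"]
        if atc <= self.seen_atc.get(pan, 0):
            return "DECLINED: counter replayed"
        if not hmac.compare_digest(msg["cvc"], dynamic_cvc(pan, atc, nonce)):
            return "DECLINED: bad cryptogram"
        self.seen_atc[pan] = atc
        return "APPROVED"

    def authorize_stripe(self, track: dict) -> str:
        # Legacy path: nothing on the stripe changes between swipes, so the only
        # check possible is that the static code matches the one on file.
        if track["pan"] == PAN and hmac.compare_digest(track["cvc"], STATIC_CVC):
            return "APPROVED"
        return "DECLINED: bad static code"


def run_demo() -> dict:
    card, issuer = ContactlessCard(PAN), Issuer()
    terminal_nonce = bytes.fromhex("a1b2c3d4")        # constructed; a real terminal picks it at random
    captured = card.tap(terminal_nonce)               # honest tap, sniffed by an attacker

    results = {"legit": issuer.authorize_contactless(captured, terminal_nonce)}

    # 1. Replay the captured message verbatim: the counter has already been used.
    results["replay"] = issuer.authorize_contactless(captured, terminal_nonce)

    # 2. Forge the next transaction from the clear-text PAN alone: no card key, no valid MAC.
    forged = {"pan": captured["pan"], "atc": captured["atc"] + 1,
              "cvc": hashlib.sha256(b"guess").hexdigest()[:8]}
    results["forge_from_pan"] = issuer.authorize_contactless(forged, terminal_nonce)

    # 3. Same static data replayed through the magnetic-stripe path: accepted every time.
    track = {"pan": captured["pan"], "cvc": STATIC_CVC}
    results["stripe_replay"] = (issuer.authorize_stripe(track), issuer.authorize_stripe(track))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The contactless path declines both the verbatim replay (the counter was already consumed) and a forgery built from the sniffed account number (no card key, so no valid code), which is the "you have to have additional information" argument; the stripe path has no counter or nonce to check, so the same static data is accepted on every swipe, which is why the legacy fallback matters more than the account number being readable over the air.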
"You have to look at the complete picture, and when you get the full picture, you see that the RF makes (payments) more secure," he said. And if all else fails, he added, consumers bear zero liability for fraudulent transactions.
Still, payments industry experts anticipate a long-running arms race between the payment card industry and increasingly sophisticated fraudsters who will be motivated to test the limits of the new system, especially as contactless payments features migrate to cell phones and other devices.
But Fu and others also say that the payment industry's preference for keeping the details of how its contactless technology works under wraps will make it difficult to assess how well the industry is standing up to hackers.
"Public scrutiny is important," he said. "It's great that they're doing work in-house, but we won't know if it's not working unless there's public scrutiny and openness," Fu said.
SSL is one such example of a widely used encryption technology that has been vetted and improved through the efforts of independent researchers, Fu said.
Paul F. Roberts is a senior editor at InfoWorld.