I stumbled upon this stackoverflow question : What encryption mechanism is used for EMV contactless transaction information ?
The answer is simple : none. The communication between an EMV card and a contactless reader is not encrypted. You can easily eavesdrop and record the exchanged APDUs, for example using the Fime SmartSpy contactless spy.
But that doesn’t mean you’ll be able to clone a card, or to perform transactions using the recorded dialog. Continue reading