A security flaw could allow thieves to steal information from contactless payments cards of millions of people, allowing them to buy items costing thousands of pounds.
Card-reading technology, which was acquired "easily and cheaply" online by Which?, allowed researchers to remotely "steal" enough data from the cards to make purchases – including that of a £3,000 television.
The group has said six debit cards and four debit cards were tested in the study, and all of them revealed some data.
But is everybody who uses contactless payments at risk – and what should they do if their data is stolen?
Who could be affected by this?
A total of 58 million contactless cards are currently in circulation across the UK, according to Which?, although the group does say statistics are not available for the number of thefts committed by contactless card readers.
The researchers did say though that all of the cards they tested, six debit cards and four credit cards, revealed some information – which would suggest many cards are susceptible to such techniques.
The UK Cards Association, the card payments industry's trade body, has pointed out however that last year, the total loss from contactless fraud was £153,000, compared to £2.32bn total spending – the equivalent of 0.7p in every £100 spent. Gadgets and Tech News in Pictures
How is the data stolen?
Your account information is contained on a chip held within your contactless card, which is transferred to a card-reading terminal when the two come into close contact.
The team at Which? said they were able to obtain card-reading technology from "a mainstream website" to allow them to steal information.
A spokesman said: "Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards."
Would thieves not need more information in order to buy items?
Making purchases online and over the phone usually requires not only the card number and expiry date, but also the name of the cardholder and the card's security, or CVV, code.
While the team did not expect to be able to make purchases without these details, they were proved wrong.
The spokesman said: "We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).
"We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong.
"We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address."
READ MORE
Tfl says Apple Pay users will face charge if battery runs out on Tube
Which banks and cards support new Apple Pay system?
Denmark moves closer to a cashless society
New jeans stop hackers getting in your trousers
Aren't contactless card payments limited to £20?
Yes, although the limit will in fact be increased to £30 in September. Regardless, this limit is for contactless payments only. Having obtained the card details, the team were able to shop online, and so the transaction limit was bypassed.
The Which? spokesman said: "By touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless."
What can I do to protect myself?
The UK Cards Association has said this is not a new issue, and indeed there has been advice circulated for a number of years on how cardholders may be able to stop their details from being stolen.
Metal cases are available to buy which claim to protect cards from such readers, while Which? said in their tests they found wrapping a card in foil did stop the details from being taken by their reader.
In December last year meanwhile, The Independent reported how new jeans had been endorsed by computer security firm Norton after they were launched to keep "digital pickpockets" at bay.
The jeans, along with a blazer, contain pockets with fabric that blocks the waves criminals use to steak the data.
What should I do if my details are stolen?
The UK Cards Association has said consumers are "fully protected against any fraud losses on contactless cards and will never be left out of pocket".
A spokesman said: "If you think your data has been stolen then contact your bank or card company straight away and report it.
"Essentially, if there is fraud on your account you will get your money back."
