Data sent during the processing of contactless payments can be picked up from nearly half a metre away new research has found.
Equipment hidden in a shopping trolley and a backpack, along with a pocket sized antenna, were used to catch the card information, with it able to detect the data at over four times the distance it should.
An important security feature of contactless cards is that the technology should not broadcast the data more than 10 cm away from a reader.
Wave-and go transactions enable customers to pay for purchases of up to £20, without entering a PIN code by tapping or holding a card near to a reader.
The equipment, which could collect data from up to 45 cm away, was created by Thomas P Diakos, a researcher at the University of Surrey.
At the distance, it could be possible for criminals to act without arousing suspicion, the research team claim.
"The results we found have an impact on how much we can rely on physical proximity as a security feature", Dr Johann Briffa, the lead academic supervisor told the BBC. "The intended short range of the channel is no defence against a determined eavesdropper."
"The test demonstrated that payments data can be received," he added. "What can be done with it is another question."
The UK Cards Association however has said that any potential hackers would not be able to collect enough information to be a threat.
"Instances of fraud on contactless cards are extremely rare," said a UK Cards Association spokesman.
"Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card."