At least with RFID, the actual data stored on the chips is minimal. To do something truly malicious typically requires being able to correlate that with some other data.
Sure, the forthcoming US passports no doubt store more. But at least there have been some token efforts to prevent reading of the data when the holder is unaware.
The findings of some University of Massachusetts, Amherst researchers, though, are particularly distressing. The metaphor they use to sum up their findings is wearing your name, credit card number and expiration date on a t-shirt. And this despite security claims being made by the credit card companies.
The card companies’ protestations seem especially weak. How can upstream protection measures deal with a total exposure of the only data online merchants typically require? Or enough data to clone the card so that many brick-and-mortar stores would accept it as the real thing? Sure, twenty cards is an admittedly small sample, but they didn’t find a single one in that twenty that used any form of effective encryption. If the card companies are touting encryption, I would have expected a few, or even at least one, to have some sort of encryption. Wouldn’t you?
Regardless of the arguments of the companies involved, this research helps us, the public, decide whether the convenience of no-touch cards is worth the potential risks. I sure won’t be getting one any time soon, not until one that claims to use provable, end-to-end encryption is verified as such. And I am not holding my breath.