Criminals could steal large amounts of money from people's pockets using a mobile phone, because of a glitch in Visa's contactless credit cards, researchers have said.
A study at Newcastle University found the flaw applied to foreign currency transactions.
But the scientists acknowledged they had not examined the security checks banks have in place.
Visa said it would be "very difficult" to carry out such a theft in reality.
Transactions using contactless credit cards do not use a Pin code, so have a £20 limit as a safeguard.
But the study found a transfer of anything less than a million units in any foreign currency would be approved.
Researchers set up a "point of sale terminal" - the equivalent of a card reader in a shop - using a mobile phone.
They said transactions with the card were approved in less than a second.
"All the checks are carried out on the card rather than the terminal, so at the point of transaction there is nothing to raise suspicions," said Martin Emms, lead researcher on the project.
"By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."
He acknowledged the study had not looked at the security systems banks have in place to prevent fraud.
But he added it was not clear, looking at the payment protocol, how banks would deal with the problem.
Visa said it had reviewed the research and it did not take into account "multiple safeguards put into place throughout the Visa system".
"For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment," its statement said.