Thieves could exploit a security flaw to steal key data from contactless debit and credit cards using equipment readily available online, consumer group Which? has warned.
It said it used "easily and cheaply" acquired technology from a mainstream website to take enough information from cards to place orders for items including a £3,000 television set.
Researchers tested six debit cards and four credit cards, and Which? said they all revealed some data.
A spokesman said: "Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.
"We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).
"We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong.
"We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address."
Contactless payment continues to grow rapidly in popularity, with more than £2 billion spent through the system last year, according to the UK Cards Association.
The limit for a single contactless transaction is £20 - but from September 1 onwards a higher limit of £30 will be rolled out.
The Which? spokesman said: "By touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless."