Comment by lxgr

It really depends. There are some contactless tags that really do nothing other than transmit a static identification number which is trivially spoofable, but many systems today use cryptography (again, some long cracked and horribly outdated, but others quite strong).

I have a contactless card that runs GPG as a Java Card applet and creates 4096-bit RSA signatures. That's pretty secure!