Interesting! Wasn't aware of that. Is this something that's being actively exploited in the wild though? It won't let me read the actual paper so it's hard for me to tell how practical the attack is.
I don't think tap to pay can be skimmed in the same way you can with swiping. You'd have to actually clone the data on the NFC chip, which isn't possible through a tap from what I understand.
Protection against account skimming should happen on the customer's iPhone (it should only send data allowing a single transaction of a certain size) not the merchant's iPhone. If the customer's iPhone doesn't have that protection it's pretty easy for the merchant to hide a skimmer in their iPhone case / POS system / gas pump.
Yes, exactly the same type of stuff. And the other day a legitimate email from a company I was interviewing with (from an email address I have had two way communication with) got marked as a promotion.
Either way though, this is different from skimming. Skimming allows the skimmer to make future transactions which is much much worse.