What prevents people from getting charged over NFC in crowded places?

There is nothing to stop NFC data being read from a card in the UK, according to this study conducted recently by a security firm called ViaForensics.

On an NFC-enabled phone, the article states, the NFC hardware is switched off when the screen is not lit.

original link (broken as of 2015-oct-27)


The card is supposed to authenticate the reader, so that only legitimate (bank-issued) readers can access the card. This does not preclude a legitimate reader making fake payments, either because the merchant is dishonest or because the reader was stolen. The payment should be traceable, though, and the bank should be responsible for any charge resulting from their lack of security.

Banks and other providers of financial services are waffling between always requiring a PIN (which is disruptive, and is vulnerable to terminal spoofing anyway) and not requiring a PIN for small transactions (which is risky, but practically required for use cases such as paying for a subway ticket when passing a fare gate).

Note the “supposed to”, “should”, etc. This is a new ecosystem, and the security expectations haven't crystallized yet. The security achieved by NFC cards and devices tends to be less than that of chip-and-PIN contact cards, but more than that of filling out the card number and expiration date on a web page.
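The argument in this answer (the card authenticates the reader, so a random skimmer gets nothing, but a stolen or dishonest legitimate reader can still charge you, and the resulting payment is traceable to that reader) can be seen in a toy challenge-response exchange. The following is an added illustration written for this page, not code from the answer's author and not the EMV protocol; the key names, terminal IDs, the test PAN and the message formats are all constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy protocol for illustration only; not EMV. Keys and IDs are made up.
ISSUER_READER_KEY = b"demo-issuer-reader-key"  # assumed: provisioned into bank-issued readers
CARD_KEY = b"demo-card-key"                    # assumed: per-card key shared with the issuer


def reader_mac(reader_key: bytes, nonce: bytes, terminal_id: str, amount_cents: int) -> bytes:
    """Proof a reader presents to the card: binds the card's nonce, the terminal and the amount."""
    msg = nonce + terminal_id.encode() + amount_cents.to_bytes(8, "big")
    return hmac.new(reader_key, msg, hashlib.sha256).digest()


def cryptogram_msg(pan: str, terminal_id: str, amount_cents: int, counter: int) -> bytes:
    """Data the card signs when it releases a payment; the issuer recomputes it later."""
    return b"|".join([pan.encode(), terminal_id.encode(),
                      str(amount_cents).encode(), str(counter).encode()])


class Card:
    """Contactless card that only releases a payment to a reader holding the issuer's reader key."""

    def __init__(self, pan: str, reader_key: bytes, card_key: bytes):
        self.pan = pan
        self.reader_key = reader_key
        self.card_key = card_key
        self.counter = 0          # transaction counter: every cryptogram is unique
        self.nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)   # fresh, single-use challenge
        return self.nonce

    def pay(self, proof: bytes, terminal_id: str, amount_cents: int):
        # Step 1: authenticate the reader. A skimmer in a crowd has no key and is refused.
        if self.nonce is None:
            return None
        expected = reader_mac(self.reader_key, self.nonce, terminal_id, amount_cents)
        self.nonce = None
        if not hmac.compare_digest(proof, expected):
            return None
        # Step 2: release a cryptogram bound to terminal and amount, so the charge is traceable.
        self.counter += 1
        mac = hmac.new(self.card_key,
                       cryptogram_msg(self.pan, terminal_id, amount_cents, self.counter),
                       hashlib.sha256).hexdigest()
        return {"pan": self.pan, "terminal_id": terminal_id, "amount_cents": amount_cents,
                "counter": self.counter, "cryptogram": mac}


class Reader:
    def __init__(self, terminal_id: str, reader_key: Optional[bytes]):
        self.terminal_id = terminal_id
        self.reader_key = reader_key

    def charge(self, card: Card, amount_cents: int):
        nonce = card.challenge()
        if self.reader_key is None:      # rogue reader without the issuer key can only guess
            proof = os.urandom(32)
        else:
            proof = reader_mac(self.reader_key, nonce, self.terminal_id, amount_cents)
        return card.pay(proof, self.terminal_id, amount_cents)


def issuer_verify(card_key: bytes, txn: dict) -> bool:
    """Bank side: recompute the cryptogram; terminal_id says which reader made the charge."""
    expected = hmac.new(card_key,
                        cryptogram_msg(txn["pan"], txn["terminal_id"],
                                       txn["amount_cents"], txn["counter"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, txn["cryptogram"])


def demo() -> dict:
    card = Card("4111111111111111", ISSUER_READER_KEY, CARD_KEY)   # constructed test PAN
    skimmer = Reader("POCKET-SKIMMER", None)                      # attacker in the crowd
    stolen_terminal = Reader("SHOP-7781", ISSUER_READER_KEY)      # legitimate reader, dishonest holder
    skim = skimmer.charge(card, 500)                              # refused: no reader key
    fake = stolen_terminal.charge(card, 500)                      # accepted, but tagged SHOP-7781
    tampered = dict(fake, amount_cents=50000)                     # merchant inflates the amount later
    return {"skim": skim, "fake": fake,
            "fake_ok": issuer_verify(CARD_KEY, fake),
            "tampered_ok": issuer_verify(CARD_KEY, tampered)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the answer: the skimmer gets `None` because the card refuses an unauthenticated reader, while the stolen terminal obtains a valid cryptogram. That cryptogram carries the terminal ID and the exact amount, so the issuer can attribute the charge to `SHOP-7781` and any later change to the amount fails verification.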


You have to enter a PIN to complete the transaction. Source: http://www.google.com/wallet/how-it-works-security.html