FlyerTalk Forums - View Single Post - Should USA card issuers adopt EMV (Chip & PIN)? [Opinion discussion]
Oct 9, 2011 | 1:31 pm
  #85  
garyschmitt
 
Join Date: Aug 2010
Posts: 286
Originally Posted by travisc
EMV/Chip cards require the physical card to authorise the transaction (assuming terminal is chip/EMV enabled, and the payment network will only accept transactions from terminals that use the chip/EMV). You would need to steal the card (not just clone it) to make the transaction. This is harder and more obvious than forging a signature.
No, you don't need to steal the card. The EMV card is vulnerable to MitM. You can put your card in a compromised terminal at McDonald's, enter your PIN, and the whole transaction can be happening in real time somewhere else, buying a different product, for a different price. You would think you're buying a burger in London, but instead you're getting a free burger while buying diamonds for someone in Switzerland, for example.

EMV cards can also be cloned. It's much more difficult than cloning the magstripe of the card, but it's possible.

Additionally, there are cases where PINs are not entered at all, because thieves have been able to send a false signal that claims a PIN was correctly entered even if it was not. This attack works on wireless POS terminals.