Originally Posted by travisc
Until we have a decent 2-factor authentication mechanism for card present transactions, all cards are vulnerable to MitM. It is not unique to EMV.
First of all, claiming that MitM is universally applicable does not obviate my point. Go re-read what I was responding to. I was correcting your erroneous claim that fraud against EMV cards requires possession of the original card.
Moreover, your claim that magstripes are MitM vulnerable is laughable, because most swipe-and-sign transactions today still involve old-fashioned pen and paper, where the paper being signed physically shows the purchase price and shop name. You cannot simply hack a PoS terminal for it to work. The logistics of pulling that off exceed the effort of the traditional magstripe attacks. At best, you could limit your options to stores with an electronic scratchpad. After that degree of effort, you still need to prove that the low-res garbage that these things produce represents an unmistakable match for the cardholder's original signature. Why does the criminal care about this once the money has moved? It's feasible at best, but it's not actually a security threat to the cardholder because the thief doesn't care who takes the hit. The threat profile doesn't support the idea that a thief would needlessly forge a signature to make sure that the cardholder becomes the victim.
Originally Posted by travisc
Source?
Before I answer that, I must first say that your approach to security analysis is backwards. You don't presume that a technology is inherently secure, and then only reverse that dangerous judgment after some damaging attack is implemented, exercised, and published. This mentality keeps consumers buying unproven security and then paying the price later when the real tests are actually performed by a malicious adversary. The competent approach is to presume, by default, that a technology is weak, and require proof to the contrary (that is, proof that a significant attack effort was in fact carried out, and that the results of that documented, convincing effort demonstrate that the product actually meets the security standard that it claims). Now to answer your question: CNP cards have been cloned.
Originally Posted by travisc
This is a flaw with the terminals, not with the EMV cards.
Why do you think this matters? The same vulnerable terminals that cause damage to chip-and-pin users will print paper when non-CNP cards are used, so swipe and sign card holders are protected. Whether the flaw is in the chip itself is immaterial.
The vulnerabilities I'm disclosing here are by no means a comprehensive list of all attacks. If for some strange reason you must see an attack that does not require the PIN or a particularly vulnerable terminal, read about Steven Murdoch's work at Cambridge University. He proved that it's possible to hack an EMV chip and submit a PIN of 0000, and have the transaction accepted.
Originally Posted by travisc
Further, it has no impact on your liability.
Of course it does. When the banks simply tell the court that their equipment is designed to not accept mismatching PINs, the court knows full well that the bank can never prove with 100% certainty that there are no flaws (it's been proven that no complex software can be 100% bug free) -- and courts accept this. Card holders are then expected to prove that they did not enter the PIN.
Originally Posted by travisc
In fact, the existence of this problem (& one where the terminal accepted any PIN) has forced the UK banks to change their position away from customers having to prove they didn't make the transaction.
You're talking UK law. UK law does not apply in the US, or even the rest of Europe. The UK is actually ahead of both continental Europe and the US on this (as of 2009). Note that the thread is about chip-and-pin in the US.