by mannykannot 3209 days ago
There is strong evidence for it here: http://www.cl.cam.ac.uk/~sjm217/papers/oakland14chipandskim....

And regardless of whether you claim the evidence is inconclusive, it is simply not acceptable to dismiss a known vulnerability in something important by saying "I don't know of any case where it has been exploited yet."


That's explicitly not what I said.

I know that flaws have been and will continue to be discovered in those authentication systems, and also that a theoretical shift in liability occurs. Any bugs will need to be fixed, and that's important. But you can't ignore the situation in practice – liability is not being shifted, and all UK banks and credit card providers are pretty happy to refund fraudulent transactions regardless.

It is good to hear that UK banks are apparently no longer shifting liability, but this case, and others, show that banks were shifting liability until it was irrefutably demonstrated that the system was not as secure as they claimed. 'Liability shift' is not a term invented by conspiracy theorists: banks were explicit about this being a primary goal of EMV, so it does not require a leap of faith to accept that it happened. Sadly, neither is a leap of faith required in accepting that the banks' first response to evidence of weaknesses was to deny their exploitability.

Does your statement about UK banks no longer shifting liability apply in cases of fraud against merchants?

They only refund credit card transactions if they are suspected to be fraudulent. Debit card transactions are held and investigated. I've had a card ripped and lost £500 permanently because the bank decided I had made the transaction. I had to take them to small claims to get it back. I have seen at least three other people lose against the bank.

Exactly. All it does, as far as I can see, is flag the transaction as cardholder present. The PIN is easy to steal as well, as evidenced by the number of fake reader heads and cameras found attached to ATMs.