[mcv]

If payment can be authorized through the chip by mere proximity, without any explicit authorization by the owner, then it's still insecure. Of course the thief would need to have an official payment terminal, but those are everywhere.

I use my app, not my card, for this reason.

[kibibyte]

Technically yes you are correct, but the threat model here is similar to someone grabbing a card from you and dipping it into a terminal chip reader without your permission. This is what the PIN part of chip-and-PIN protects against; the chip part (also applicable to EMV contactless) protects against card duplication and transaction replay.

There is a huge difference between this kind of attack and what an attacker can do with the old scheme of magnetic swipe data over RFID. With the former, the only thing an attacker can do is perform a real transaction in that moment; this transaction leaves behind an audit trail tied to a real merchant (the operator of the terminal) and their bank account. An attacker cannot, however, initiate additional payments without accessing the payment card again, and without access to the cryptographic secrets held by the payment service provider, they cannot extract the card number to use for online transactions.

With the latter, it's equivalent to skimming a the magnetic stripe: an attacker can clone the card and reuse it for transactions as often as they'd like for whatever amounts they can authorize. In addition, they will have access to the plaintext card number, which would allow them to use it for online transactions. And absolutely none of this leaves behind an audit trail of how the attacker got your card.

[blep-arsh]

They would also need a bank account. I'm not sure whether it's possible to receive card payments anonymously.