The onus is on the bank to prove you gave the key out; that is very hard to do, so customers should still get refunded.
The Chip & Pin scheme has nothing to do with improving security.
It is the Banks' attempt to shift the burden of proof onto the Customer in cases of fraud.
Liability shift
Canadian Imperial Bank of Commerce (CIBC) spokesman Rob McLeod said in relation to a $81,276 fraud case: “our records show that this was a chip-and-PIN transaction. This means [the customer's] personal card and personal PIN number were used in carrying out this transaction. As a result, [the customer] is liable for the transaction.”
The Globe and Mail, 14 Jun 2011
https://media.defcon.org/dc-19/presentations/Barisani-Bianco-Laurie-Franken/DEFCON-19-Barisani-Bianco-Laurie-Franken.pdf
To avoid liability for fraudulent transactions, the Banks are routinely telling the courts that Chip & Pin is uncrackable. Any frauds, say the Banks, must, by definition, be due to customer negligence.
But that is manifestly untrue.
There are countless weaknesses in Chip & Pin, and in its implementations.
Here's another published paper from 2010, from Professor Anderson's team working on Chip & Pin flaws:
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
Many more flaws remain hidden, thanks to the Banks themselves. The Courts are often used to gag academics like Anderson who were going to reveal more weaknesses in the scheme.
Nothing to hide, nothing to fear?
Embedded devices are inherently untrustworthy. They offer numerous vectors of attack. Who makes the final build of the embedded firmware? Who audits the firmware images for "inconsistencies" before they are rolled out? Who burns the firmware to ROM? Where is that done? In some faceless fab facility, out of sight and away from scrutiny?
Many software backdoors are deliberately introduced by organised criminals who have weaseled their way into the build process. These backdoors are left dormant to be exploited only rarely to minimise detection.
This is not a problem that is unique to banking. Politics also has a magnetic quality for criminals.
The electronic voting machines introduced in the 2001 US Presidential Election were highly dubious. The directors of Diebold, the makers of one machine, were openly stating their support for presidential candidate George W. Bush.
And indeed, the Diebold machine was found to be riddled with flaws. Some of the flaws were almost certainly introduced deliberately.
Ultimately, it was shown that an attacker could log into the machine over 802.11 where the vote tallies for the candidates could be altered without leaving any audit trail.
In 2006, academics in the Netherlands made a mockery of the flaws in their voting machines by reflashing the firmware over a hacked wireless connection to the machine. Instead of TouchScreen Voting Software, voters were presented with a chess game on the screen!
It would be funny if it wasn't so serious.
http://wijvertrouwenstemcomputersniet.nl/English