Optimised to fail: Card readers for online banking (lightbluetouchpaper.org)
29 points by dfox on March 15, 2009 | 6 comments



That the system is flawed and that they tried to keep it secret doesn't seem new. What really troubles me is the presumption on the part of the regulators that the system is safe to the point of just believing the word of the banks when they say the transaction was properly authorized, thus making the customer effectively liable for fraud even though the law says otherwise.


I think the point raised in the paper about the system being defeated by torture is a bit over the top. If some ruthless individuals break into my home with the intention to torture people just to gain a few bucks... then I'm screwed whether I own a card reader or not.


If the card didn't require a PIN, then they wouldn't need to torture you for it. They could just steal the card. So the risk to security has been moved to your physical person, making you less safe.

All biometric security systems have the same issue.


Sure, it's over-dramatic. But the point is it lowers the benefit of having money in the bank instead of a safe at home (or business.)


I wonder if this applies to the HBCI system popular in Germany as well. Sadly there seems to be little technical information on it out there.



