> The solution for the wise customer is to go inside and use the POS terminal at the counter if possible.
That's irrelevant to this attack. Bad guys aren't obliged to use that terminal, and they're the ones relying on access to a mag-stripe reader.
However, for that "old school" attack, EMV could help if it was deployed. Because EMV cards have state, they can have arbitrary rules about how often they're willing to perform offline transactions and how much value for. So e.g. a card can decide it won't do more than five offline transactions or more than $100 of transactions without going online.
I should have been more clear: the first sentence was meant for defeating skimmers and the like. Nothing to do with helping the retailer, just the end consumer.
You're entirely correct with EMV. Additionally, more gas stations are moving away from the old satellite connections, and an m2m cellular card in a POS terminal is a lot harder to shut down (at least without the cashier noticing).
The whole point of the scheme this HN post is about is that it doesn't need to skim the mag-stripe.
Here's how this goes (everything in this story actually happened in England years ago, but that's before a change this story says wasn't entirely effective in eradicating the fraud).
Sarah lives in England where they are getting EMV terminals everywhere. Her cousin Terry lives somewhere which doesn't yet have terminals everywhere. Let's say it's Belgium, although in fact it was not.
Sarah owns a dozen petrol stations (that's what they call gas stations in England) and there are shiny EMV terminals arriving. Terry sends over instructions and electronic kits. The terminals are hollow and the instructions explain how to open one without the "anti-tamper" mechanism noticing and add more electronics in the convenient space.
Sarah teaches all her staff how to use the new terminals. She of course doesn't mention they've been tampered with.
You go to a petrol station, fill up your car, and hand your card to the clerk. "We got new machines" says the clerk and hands the card back. You put your card in the machine, and enter your PIN. I guess this is more secure?
In Belgium, Terry receives the magnetic stripe details of your card, retrieved from the chip using a convenient "Hey what is your mag-stripe?" API and sent over by a mobile chip in that circuit Sarah fitted. Terry has a mag-stripe writer and turns a cheap plastic card into a good-enough clone of your bank card. He sells this card to street-level criminals in Belgium for €100; Sarah will get £10 per card as her cut.
Those street-level Belgian crooks need mag-stripe terminals because their cards have no chip, but you not swiping made no difference.
Edited to add:
While we're here. This is a recurring security problem. Old insecure systems can ruin it for new secure systems.
Imagine you have a brand new, up-to-the-minute TLS 1.3 only website. You use a cert for www.example.com with a nice shiny Elliptic curve public key & the corresponding Elliptic curve private key is in an HSM at a protected site, no problems. What can go wrong? Unknown to you, some numb-nuts who was angry about the company choosing Slack set up an "experimental" IRC server doing SSLv3 on port 6667 of their laptop using a *.example.com wildcard RSA cert that's still valid until next month. Bad guys who get even fairly limited access to your network can attack that IRC server, which is running on a high port on some idiot's laptop computer in corporate, not the secure datacentre where the web server is, and use it to flawlessly impersonate www.example.com if they can get on-path. They know this trick can work as soon as they find the IRC server, no special insight is needed.
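A defender-side check for the situation described in the comment above, as an added example that is not part of the original post: given a certificate inventory, list every other endpoint that holds an unexpired certificate valid for the protected name. The inventory layout, host names, ports and dates are constructed for illustration.

```python
from datetime import date

# Constructed inventory, as might be assembled from internal scans or CT logs.
# Every host, port and date below is made up for this example.
INVENTORY = [
    {"host": "web-dc1", "port": 443, "sans": ["www.example.com"],
     "protocols": ["TLSv1.3"], "not_after": date(2030, 1, 1)},
    {"host": "laptop-42", "port": 6667, "sans": ["*.example.com"],
     "protocols": ["SSLv3"], "not_after": date(2025, 7, 1)},
    {"host": "old-mail", "port": 993, "sans": ["*.example.com"],
     "protocols": ["TLSv1.2"], "not_after": date(2024, 1, 1)},
    {"host": "dev-box", "port": 8443, "sans": ["*.dev.example.com"],
     "protocols": ["TLSv1.2"], "not_after": date(2030, 1, 1)},
]

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def san_covers(san, hostname):
    """True if a certificate name (exact or wildcard) is valid for hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    # A wildcard stands for exactly one left-most label, so *.example.com
    # covers www.example.com but not example.com or a.b.example.com.
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == san[2:]


def exposures(inventory, hostname, primary, today):
    """Endpoints other than `primary` whose unexpired cert covers hostname.

    Returns (host, port, legacy_protocols) tuples; a non-empty protocol
    list marks the endpoints to revoke or reconfigure first.
    """
    findings = []
    for entry in inventory:
        if (entry["host"], entry["port"]) == primary:
            continue
        if entry["not_after"] < today:
            continue  # expired certs are rejected by clients
        if not any(san_covers(s, hostname) for s in entry["sans"]):
            continue
        legacy = sorted(LEGACY & set(entry["protocols"]))
        findings.append((entry["host"], entry["port"], legacy))
    return findings
```

Each finding is a key outside the HSM that clients will still accept for the name, so the remedy is revoking or replacing that certificate, not hardening the main site further.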