The whole point of the scheme this HN post is about is that it doesn't need to skim the mag-stripe.
Here's how this goes (everything in this story actually happened in England years ago, but that's before a change this story says wasn't entirely effective in eradicating the fraud).
Sarah lives in England where they are getting EMV terminals everywhere. Her cousin Terry lives somewhere which doesn't yet have terminals everywhere. Let's say it's Belgium, although in fact it was not.
Sarah owns a dozen petrol stations (that's what they call gas stations in England) and there are shiny EMV terminals arriving. Terry sends over instructions and electronic kits. The terminals are hollow and the instructions explain how to open one without the "anti-tamper" mechanism noticing and add more electronics in the convenient space.
Sarah teaches all her staff how to use the new terminals. She of course doesn't mention they've been tampered with.
You go to a petrol station, fill up your car, and hand your card to the clerk. "We got new machines" says the clerk and hands the card back. You put your card in the machine, and enter your PIN. I guess this is more secure?
In Belgium, Terry receives the magnetic stripe details of your card, retrieved from the chip using a convenient "Hey what is your mag-stripe?" API and sent over by a mobile chip in that circuit Sarah fitted. Terry has a mag-stripe writer and turns a cheap plastic card into a good-enough clone of your bank card. He sells this card to street-level criminals in Belgium for €100; Sarah will get £10 per card as her cut.
Those street-level Belgian crooks need mag-stripe terminals because their cards have no chip, but you not swiping made no difference.
Edited to add:
While we're here. This is a recurring security problem. Old insecure systems can ruin it for new secure systems.
Imagine you have a brand new, up-to-the-minute TLS 1.3 only website. You use a cert for www.example.com with a nice shiny Elliptic curve public key & the corresponding Elliptic curve private key is in an HSM at a protected site, no problems. What can go wrong? Unknown to you, some numb-nuts who was angry about the company choosing Slack set up an "experimental" IRC server doing SSLv3 on port 6667 of their laptop using a *.example.com wildcard RSA cert that's still valid until next month. Bad guys who get even fairly limited access to your network can attack that IRC server, which is running on a high port on some idiot's laptop computer in corporate, not the secure datacentre where the web server is, and use it to flawlessly impersonate www.example.com if they can get on-path. They know this trick can work as soon as they find the IRC server, no special insight is needed.
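
The defensive counterpart of the scenario above, as an added example that is not part of the original comment: given an inventory of certificates seen on your network, list every endpoint that holds an unexpired certificate valid for the protected hostname while still offering a legacy protocol. The inventory records, field names and host labels are constructed for illustration.

```python
from datetime import date

# Constructed inventory, e.g. merged from an internal TLS scan and a CT log search.
INVENTORY = [
    {"endpoint": "web-dc1:443", "sans": ["www.example.com"], "key": "EC",
     "protocols": {"TLSv1.3"}, "not_after": date(2030, 1, 1)},
    {"endpoint": "laptop-417:6667", "sans": ["*.example.com"], "key": "RSA",
     "protocols": {"SSLv3"}, "not_after": date(2025, 7, 1)},
    {"endpoint": "old-mail:993", "sans": ["*.example.com"], "key": "RSA",
     "protocols": {"TLSv1.0"}, "not_after": date(2024, 1, 1)},  # already expired
    {"endpoint": "build:8443", "sans": ["*.dev.example.com"], "key": "RSA",
     "protocols": {"SSLv3"}, "not_after": date(2026, 1, 1)},
]

LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def covers(san, host):
    """True if a certificate name matches host.

    A leading '*' matches exactly one left-most label, so *.example.com
    covers www.example.com but not example.com or a.b.example.com.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]


def exposures(inventory, host, today):
    """Endpoints with an unexpired cert valid for host that speak a legacy protocol."""
    hits = []
    for item in inventory:
        if item["not_after"] < today:
            continue  # an expired cert can no longer be presented as valid
        if not any(covers(s, host) for s in item["sans"]):
            continue  # this cert cannot be used to claim the protected name
        legacy = sorted(item["protocols"] & LEGACY)
        if legacy:
            hits.append((item["endpoint"], legacy))
    return hits


if __name__ == "__main__":
    for endpoint, protos in exposures(INVENTORY, "www.example.com", date(2025, 6, 1)):
        print(f"{endpoint} can vouch for www.example.com over {', '.join(protos)}")
```

Anything this reports is a candidate for revoking the certificate and reissuing it with a narrower name, since the hardened site's own configuration does not constrain what other holders of a matching certificate do.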