A new protocol flaw in retail security has been discovered by researchers at Cambridge University. The flaw allows criminals to use chip and PIN cards without actually having the PIN number. By putting a man-in-the-middle device between the card and the terminal, criminals can trick the terminal and the bank into thinking that the PIN was entered and was verified even though this isn’t the case.

IT security issues aside, who becomes liable if such a crime becomes widespread?