But the fun part is in the comments. Comment 19 from the anonymous "Scrutineer" includes:
The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported their cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.
Which of course misses the point - it's about the interval between theft and discovery of theft - the time that someone else has your card before you're able to successfully report it stolen. This attack changes the game from "the PIN protects you better than a signature - now if someone steals your card they need to guess your PIN" back to "They only need to steal your card" (and actually easier, because they don't need to learn to forge signatures).
But the best bit is comment 22:
The chap “Scrutineer” who posted comment 19 seems to have forgotten to sign it!
Anyway he’s not very good at anonymity:
$ whois 18.104.22.168
address: APACS (Administration) Ltd
address: 14 Finsbury Square
address: EC2A 1BR
address: England, UK
Pity APACS couldn’t get it together to put up a spokesman for Newsnight
Update: It's really someone at APACS, not an exercise in framing that takes advantage of a proxy:
A spokeswoman for UK Card Association said the posts violated staff internet-use guidelines.