From their paper:
"We have observed variations between countries. While
cards from Belgium and Estonia work like British cards,
we have tested cards from Switzerland and Germany whose
CVM lists specify either chip and signature or online PIN,
at least while used abroad. The attack described here is
not applicable to them. However, because UK point-of-sale
terminals do not support online PIN, a stolen card of such
a type could easily be used in the UK, by forging the
cardholder’s signature."
Their attack uses offline PIN mode. This is further expanded upon in section III.
The simplified attack is such: Basically the PIN signed block doesn't get sent to the bank. Verification is only between the terminal and the card, and the card (or rather MITM hardware) returns a "all is well, transaction approved" message when in fact no such thing happened. The terminal doesn't go online and talk to the bank and verify the signed PIN block.
This is essentially misconfiguration of the merchant terminal that ignores the result of the PIN verification.
This is similar to when you tap a card to buy something. If the merchant system doesn't go online to verify it -- which it often doesn't for small transactions (<$10) then you can game the system.
