In the technical security world we had a keen interest in the vulnerabilities of RFID Prox readers and cards. The 'long range' readers were considered too vulnerable to attack so very short range types were used that needed the card to be virtually resting on the reader.
I saw a demonstration in the early 2000s by Tektronix of one of their DSP DSOs capturing both the high speed and low speed handshaking and communications between the card and the reader. The DSO was capable of grabbing the whole handshake and comms event. It could then disassemble the event into individual data bits, no matter what the change in bit rates during the link. The demo proved that the Prox card data could be captured and cloned using a decent DSO and appropriate antenna. Food for thought.
It was a classic 'stand-off' attack that just required the Prox card user to present their card to the reader. The data was captured during the transaction with the card user blissfully unaware. Any card protection wallet is thus useless in this scenario.
Chip and PIN or Prox and PIN can be safer but cannot be considered invulnerable. That is why I would never consider such to be secure to Government security standards.
Why do banks take the risk? Simple, they operate on the risk analysis models where the convenience to the customer rates high on the requirements and the vulnerability to fraud may be reduced to an acceptable level. Some people believe Banks use the best security available on the market. I will not say too much on that topic but consider the purely financial risk management that they MAY operate... If a security vulnerability that could potentially cost them $100K a year costs $5 Million to counter, it is not unlikely that the Bank will run with the risk and just pay out to the victim when an attack occurs. That is just business. I always tried to educate the client that Reputation has a definite 'value' as well. It would seem the way to preserve your reputation in such a scenario is to just pay out to the victim without a fuss and deny, deny, deny.
Fraser