
I really wouldn't be surprised. The security group at my university do a lot of stuff on banking security, and from what I've heard, this was one of the main reasons behind the switch to chip-and-PIN in the UK --- the user is now liable when his card gets stolen and used.


See, for example, Tetris running on a chip & PIN machine (a 'secure hardware' platform) [1].

The same group (security research at Cambridge) are also the ones who produced the 'chip and PIN is a joke' paper [2] you might be referring to.

[1] http://www.lightbluetouchpaper.org/2006/12/24/chip-pin-termi...

[2] http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-i...


That's not really true.

The user is liable if the card is stolen, and it is used to conduct fraud using the PIN code.

If the card is stolen, and the fraudster simply uses it online, or via some place that doesn't ask for a PIN, then you are not liable for that fraud.

I'm sure there are rare edge cases, but my experience with Barclays has always been very good in this regard.


The problem is that there is no way of knowing that the criminal even knows the user's PIN, due to flaws in the chip-and-PIN protocol. See http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-i...


And, from many years of personal experience, quite a lot of people don't treat their card and PIN securely. This might be in the form of (and these are genuine examples):

1. Writing the PIN on a post-it note and sticking it to the back of the card.

2. Writing the PIN on some paper and keeping it in the same place the card is kept.

3. Giving the card to someone else (partner, kids, relatives, etc.), along with the PIN, to run an errand for them.

4. Saying the PIN out loud as they type it in.

5. Asking the customer assistant/whoever is dealing with the transaction to enter the PIN for them.

Chip & PIN, while claiming to be more secure, enabled and made convenient basic forms of fraud, such as those in points 3 and 5.

I'd actually argue that the shifting of liability from the card issuer/merchant to the card holder/customer in the UK is a direct consequence of C&P allowing careless people to be more lax with the security of their card.


The worst thing is the chip+PIN machines that do not have any shield to hide you punching the PIN in, and then, to just add insult to injury, they're the kind of buttons that you have to forcefully press with all your might to get them to register. So it's blatantly obvious to anyone taking notice which buttons you pressed.


Here's how I do it:

Cover the pad with one hand (and maybe your wallet) and type it with the other.

You can do it quite naturally. Of course it helps if you type the PIN fast as well (by fast I mean not taking 1s per digit).


Richard Clayton (etc.) has lots of interesting stuff about bank security (and the lack of it) - they've attacked chip and PIN, which means that if someone does manage to defraud the card, the owner might have some chance of getting the cash back.
