Comment by DiogenesKynikos

This is already a more restricted type of attack than the common identify theft that's rampant right now in the US.

What you're describing requires the actual terminal you're interacting with to be malicious, and it can only be used to authorize individual transactions.

As things stand in the US, a much broader class of attacks are not only possible but common, in which the attacker takes over the identify of the victim and can authorize any number of transactions in their name.