grue, do you understand that the entire point of a smart card is that the private key never leaves the card?
And do you realize that my attack simply involves making a second transaction, which for all intents and purposes is identical to a normal transaction? Until there's a way to prevent the attack, I don't see any point in discussing merchant adoption of an insecure system.