As it says, that's a long-known theoretical vulnerability, and one that
a) is not possible on certain cards where the result of PIN entry is cryptographically signed
b) is not applicable to contactless at all, since the card is not asked to verify the PIN