Storm, meet tea cup
Firstly, to declare my interests. I work in information security at a bank and I know the people at UK Payments (APACS).
Although I do not know who wrote the response, it was obviously from pure personal frustration at a rather improbable hack.
The thing to remember is that if you can physically break into and control a machine you can do all sorts of things.
Here's an exercise for the student: imagine a scenario in which this hack could be used. Whatever scenario you imagined, you can almost certainly think of an easier and more profitable exploit in those circumstances. (In this case the question is where is the shopkeeper? Where is the fraudster? If the shopkeeper is missing, and the fraudster is in the shop, it might be easier just to leg it with the goods).
Many people in the banking security industry do the kind of analysis which Prof Anderson's team publish - although sadly we don't often get a change to build the toys themselves and we don't get PhDs out of it ;-) But you have to keep in mind the misuse case, the scenarios you are protecting against. This is the key to staying sane, staying focused on the important risks, and not obsessing over the wrong details.
Prof Anderson has an honorable record in defending innocent customers against the banks' technological conceits, and I expect this is part of that continuing battle. But this one is a storm in a tea cup.