Most current on-board stuff is done via offline authorisation.
So you stick your card in/swipe it, the machine stores the details and amount, the operator looks at the signature and verifies it (yeah, right!) or the machine checks the PIN entered against the PIN on the chip. As long as nothing odd comes up (a C&P card has exceeded its limit for offline transactions) the transaction is agreed and off you go. It's a sort of honour system in a way.
Then at the end of the day, the terminal is connected to the network and the transactions get uploaded to the processing centre. These can be refused for plenty of reasons. So you basically have a window where fraud is very easy, because a card can't be added to the list of stopped cards on the terminal until this is done.
Online transactions connect to the payment processor there and then, and can check if the transaction is valid (card not stolen, enough in account, card allowed to be used with this sort of retailer etc.) and fraud is much harder. Of course, you need a network connection there and then which is difficult on a moving train.
The excuse that they don't want to upgrade to Chip and PIN because it's too expensive is an odd one. Their payment processor should have pushed Chip and PIN onto them back when it launched, as it does somewhat reduce the risk of fraud (can't simply steal a card and use it by faking the signature as you need to know the PIN too). It's more likely they don't want to move onto online transactions, because that would cost money to ensure the kit is there to provide a good connection. Imagine the fun when rushing through tunnels.
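The offline flow described above, as an added example that is not part of the original post: a simplified Python model (not an EMV implementation) of a terminal that decides locally and only learns about stopped cards at the end-of-day upload. All class, function and card names are hypothetical, and the cards and amounts are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Card:
    pan: str                # constructed sample identifier, not a real card number
    offline_limit: int      # pence the card may spend offline (assumed model)
    offline_spent: int = 0

@dataclass
class Terminal:
    stoplist: set = field(default_factory=set)  # stopped cards known at last upload
    batch: list = field(default_factory=list)   # stored transactions awaiting upload

    def authorise_offline(self, card, amount, holder_verified):
        """Decide with no network: only what the terminal and the chip know."""
        if card.pan in self.stoplist:
            return "declined: on terminal stoplist"
        if not holder_verified:  # signature glance or PIN check failed
            return "declined: cardholder not verified"
        if card.offline_spent + amount > card.offline_limit:
            return "declined: offline limit exceeded"
        card.offline_spent += amount
        self.batch.append((card.pan, amount))
        return "accepted"

    def end_of_day_upload(self, processor_stoplist):
        """Upload the batch; the processor can refuse items, then the stoplist syncs."""
        settled = [t for t in self.batch if t[0] not in processor_stoplist]
        refused = [t for t in self.batch if t[0] in processor_stoplist]
        self.batch = []
        self.stoplist = set(processor_stoplist)
        return settled, refused

def run_day():
    terminal = Terminal()
    good = Card("CARD-B", offline_limit=5000)
    stopped = Card("CARD-A", offline_limit=5000)
    processor_stoplist = {"CARD-A"}  # stopped at the processor, terminal not yet told
    decisions = [
        terminal.authorise_offline(good, 1200, True),
        terminal.authorise_offline(stopped, 2000, True),
        terminal.authorise_offline(stopped, 2000, True),
        terminal.authorise_offline(stopped, 2000, True),  # trips the offline limit
    ]
    settled, refused = terminal.end_of_day_upload(processor_stoplist)
    next_day = terminal.authorise_offline(stopped, 500, True)
    return decisions, settled, refused, next_day

if __name__ == "__main__":
    print(run_day())
```

The refused list is the retailer's exposure for the day: goods already handed over against transactions the processor will not honour, bounded here only by the card's offline limit.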