i never understand why we all so easily trust credit cards. i also do it.
a system that basically needs an attacker to just see'n'remember both sides of your card (that you need to keep with you and is not safe) in order to be able to pay with your money until the card gets disabled or expires.
i noticed in the US people use it to pay by phone, and shops tend to keep that data for convenient repeat purchases.
i need a card for payments online and visits outside europe (especially visits to the US). i'm glad that i have one for those occasions, but i cannot say i think it is a safe system -- it is also constantly under attack.
in the netherlands there's a payment system that most-if-not-all webshops are subscribing to. it redirects you from the shop to the internet banking app of your own bank, there you pay (with some 2-factor kind of authentication), after which you're redirected back. i cannot help feeling a lot safer. :)
In the US, at least, it's largely a matter of incentives.
By law, consumers are liable for at most $50 if their credit card info is used fraudulently by someone else.
Credit card companies validate transactions against statistical models in an attempt to head off anything suspicious. EDIT: Thanks for reminding me of this, nialo.
But often, it's the merchants who bear the cost of a fraudulent transaction. They have the least power to encourage more secure alternatives, because everyone already expects to be able to buy online with a credit card.
Card companies in the US do have something similar to the system you mention called 3-D Secure[1], but it hasn't gained wide traction. The interface is implemented so badly and inconsistently that it looks like a phishing scam. But more fundamentally, consumers have no incentive to use it, since it shifts more liability onto them.
This is now compulsory for all online transactions in India. A lot of people complain about this, saying it's one extra step, but for me I don't mind losing a bit of usability if it can add one extra safety net.
It turns out that most of the security of credit cards takes place after the actual transaction. It's largely done by using software to look for transactions that look somehow wrong, or by reversing charges when you look at your bill at the end of the month and see an obviously incorrect charge.
The point is that the system has effectively figured out that they can't make a system that is both sufficiently secure and sufficiently convenient in just a card, so it instead accepts that numbers will be stolen and tries to minimize the damage.
In Sweden we have a system of one-time-use e-cards, for some cards (in my case Visa and Swedbank) where you cannot pay with your physical card online. You specify the amount that should be available, and by default it's valid only one month. Additionally it's easy to copy+paste.
I find this solution easier than being redirected to my bank (which is sometimes also an option).