So point by point:
1. Stealing a credit card number, CVV, expiry, and name shouldn't be game over. It is because businesses want to reduce friction for customer purchases. If card-not-present transactions required a second step of verification, for example, multi-factor authentication, it would drastically reduce this type of fraud. Unfortunately, it would also increase friction for online purchases, which is why everyone in the card processing chain is looking to shift liability away from themselves.
2. That is not the customer's fault. Full stop. Yes, some sites are more shady than others, but there is nothing a consumer can do to determine if a service provider will get hacked.
3. Yes. Unfortunately, phishing is really easy. Despite the prevalence of this attack, training users to effectively detect and avoid being a victim is almost impossible.
4. See #3.
5. See #2.
6. How is a customer supposed to validate the security of an ATM against modern skimming technology, much of which is virtually indistinguishable from normal bank machines?
7. Yep, not great. Why don't banks require 2FA? Because it creates friction and increases costs. Better to just externalize the risk.
Your entire blame-the-user argument is bunk that has been packaged up and recirculated by the finance community for almost 20 years (and I have been using these arguments against them for nearly that long, granted it's close to ~12 years since I worked in infosec at a bank).