Confirming online debit and credit card payments with a one-time password has become a standard practice in the EU. These solutions are also available in the US, are they not being adopted by banks there?
It's not just in Europe, even here in West Africa OTPs (and hardware tokens) have been standard practice for years. I always feel weirdly unsafe interacting with US-based companies/payment processors.