by tialaramex
1870 days ago
Yeah, the technical security in all these systems is a bit half-hearted†. However, in my opinion the key is to legislate that the banks (who built or in some cases purchased said half-hearted system) eat the cost of that. Maybe they're comfortable with say $10Mpa of fraud in the system, if they really can't build a safer one for less than $10M you can see they'd have a point. The problem comes when banks are able to argue that their half-hearted security means they aren't liable to pay for the consequences. Consumers need protecting against that.

†In the UK we have a lot of 3-D Secure, developed by Arcot. But of course the average consumer has no idea who "Arcot" are, and so no reason why they should distinguish an arcot.com site (legitimate, you're supposed to give them credentials if necessary to authenticate you) versus say badguy.example (a hypothetical phishing fraud). Both of them can show you branded imagery from your bank, both have a padlock, both claim they're keeping you safe. How should an ordinary person know?