[lxgr]

> But, can't you say the same thing about a credit card? Heck, you don't even need a password for that; everything you need is right on the card.

It being replicated widely (see also: SSNs) doesn't make the "account number as a bearer authentication token" approach any less insane!

I believe that the only way to get some momentum in getting away from this unfortunate situation would be regulatory intervention – using market forces alone, convenience and inertia will just inevitably punish whoever moves first by introducing even the slightest amount of friction.

Otherwise, the US would already have PINs for POS payments and 3DS challenges for online payments using credit and debit cards.