[logicallee]

It's not either/or is it? This is something that is one of the biggest incentives to steal credentials: it is immediate, untraceable cash. (bitcoin.)

your argument is like saying a daily withdrawal limit (like $500) you can lift at any time isn't sane, because "keep your card and PIN safe" sounds a lot easier. Well, yes, but the point is your card/pin can (and does) get stolen, and so do Amazon credentials.

I just don't understand why they don't add that extra layer.

(Well, I can understand. If 98% of the clients with stolen access are huge companies that have no idea whether their charge should be $170 or $85,000 per month and are happy to pay either, then the policy might make sense to Amazon. But that doesn't seem likely, as they go out of their way to try to reach you and notify you that this might be happening. . .)

[Irish]

I wasn't making an argument but I see where you are coming from. with your bank card analogy, at least here in Ireland there is no liability on the account holder for theft or fraud anymore so even if you don't keep those things safe the bank takes the hit. That seems to be the strategy amazon is taking at the moment, if that gets too expensive for them i am sure they will invest in another layer of protection. Now that I think about it it also seems like this is an opportunity to win the loyalty of a customer. By contacting them, explaining the problem and the solution and then by waiving potentially large charges from their account without hassle they are garnering a lot of trust. Just a random thought that popped into my head