I find the effort of remembering the 4-digit code/having the phone much smaller than the alternative ...
A couple of times, merchants with my card on file were compromised. The thief could make charges because the merchant had to be able to as well. What would have stopped that would have been having a way to restrict a charge to a particular merchant so the attacker couldn’t have been able to get the money out.
Once, my supermarket had skimmers. A code wouldn’t have been effective unless you were very good at spotting where the thieves planted cameras, too. An active MFA prompt would help against attacks at a substantially later time but it’d have to include the merchant name in an unspoofable form to prevent real-time attacks so I wouldn’t be asked to approve charges from SAFEWAY_, and that old-fashioned style of MFA is painful: it’d always make checkout slower and you’d have some fraction of people who don’t have phones with them or just ran out of battery.
What completely solved this problem for me was the modern tap systems (ApplePay). It requires more smarts on the client but means that I have to approve each transaction and the value the card reader gets can’t be used anywhere else.
This is one of the primary use cases for privacy.com (if you are in the US). The virtual cards are either single-use only or they are merchant-locked, plus you can set spending limits on the card. I use these for 100% of my online and recurring payment transactions now. The only downside is that it's linked to your bank account so it's debit transactions only, but that's not necessarily a downside to me.
This is exactly what chip and PIN does. The chip is a smart card holding keys; the PIN authorizes its use. Online, there is 3DS which can be used similarly.
We’ve had both of these tools for over 20 years now. It’s just a question of how much the industry is choosing to cater to convenience and backwards compatibility, i.e. a security/availability trade-off.
In Europe, the regulator has made the choice for the industry instead.
Exactly: it’s not like this was a technological breakthrough but that companies were trying to avoid breaking backwards compatibility - not just things like the readers but backend payment systems using something like fixed length records, but also restaurants needing to stop having a single terminal used for every table (this is why they went chip and no PIN).
Going back to the original comment, that’s the peace of mind benefit I see: those businesses can slack on security without me getting stuck with a potentially massive bill.
And even if you have peace of mind, I wonder who pays for the cost of the fraud. I would imagine the bank will just pass it over to the consumer in some fees. So a system that reduces fraud (even if it can't eliminate it completely) is still better in my opinion.