
Why not start by supporting webauthn (Yubikeys)?

How come all online VISA transactions don't have to be completed through a redirect to visa.com or master.com (or my bank website), but instead we're typing card numbers into sketchy websites? (I guess EU 2FA requirements are pushing the boundary, but very slowly and often in ways that still appear remarkably sketchy).

Trust scores of IPs and phone numbers are a tool, but when physically hardened security tokens aren't widely supported, I'd argue the essential tools simply aren't available to users.



What kmoser said :)

I support your argument about Yubikeys - I myself use them for any financial site that allows it. A lot of companies do use them to check for fraudulent logins. But the friction of it is high enough that companies would much rather take the loss than force their customers to authenticate every time a transaction has to be made. Also, I think until it is normalized in the industry, there is a consumer perception of physical keys being too technically difficult to obtain, set up and manage. Not to mention, all the Yubikeys in the world still don't help if one goes and gets phished/socially engineered :)


It would be trivial for sketchy websites to have fake (but real looking) "official" Visa/MC forms, or even for multiple fake "official" sites to be set up. So redirecting everyone to the One True Payment System is no solution to fraudulent websites.


It is when a bank phone app is being used as a second factor (or, when on your phone, it redirects to it). This has been used in the Netherlands for almost 2 decades[1] for online payments (iDeal) and card fraud is basically a non-issue.

[1] Before smartphones a hardware token that requires your physical card was used.


WebAuthn solves that problem



