Right, and so the trade-off seems completely reasonable to me.
If the bank has calculated that extra fraud costs less than the price mitigating it with additional security measures, and it is the one bearing the cost either way, then power to them!
I'm not sure I understand this. Fraud, and cleaning up after it, is not free of cost. If anything, fraud is more insidious because it costs the one thing I can't replace, which is time.
Even for me--someone who has multiple payment cards, primarily uses credit (instead of debit), a healthy savings account, and a flexible job--cleaning up from a stolen credit card number takes two or three hours at a minimum. For someone who does not have those things, particularly for people who primarily use debit cards[0], the impact is far worse.
If we swapped our cards to simply require a PIN that's validated by the chip on the card (so that in-person charges without the proper PIN cannot complete, even if the card is shimmed), that removes the bulk of in-person fraud attempts. But US banks are, largely, so fearful of customers switching away from them at even the slightest provocation, we don't get PINs. So I'm forced to ask what other "basic" measures (like 3D Secure for online transactions) we lack.
0 - I don't want to hear the rebuttal that "well, people should just use credit cards." There are a hundred different reasons why people don't use credit cards--don't qualify for one, have an objection to debt, past bad experience, and so on--and we cannot write off people who "only" use debit from security measures.
Overall, debit cards make much more sense than credit. Their purpose is just to move money across accounts, not to entice you to overspend and then prey on you if you forget the magic dance, or datamine your spending patterns. There is no intrinsic reason for credit cards to be safer.
This completely ignores the amount of worry and frustration which an ordinary person has to go through to get back to the point that only the bank are out of pocket. It's not trivial by any means.
You could also make an argument that by continuing to allow this fraud to happen we're funding all kinds of nasty people. I'm not convinced the argument holds water since bad guys are often faster to move than the banks but it's worth noting.
It’s a systemic issue. In jurisdictions where banks cannot shift the risk to the customers, they tend to be more effective.
In the few European countries I know, banks are very pro-active about card fraud and refund without asking questions if fraud happens anyway.
Nasty people will get funded anyway, but reducing fraud also reduces their income. The main drawback is that people have to use their PIN (and even that is getting rare thanks to contactless cards).
If the bank has calculated that extra fraud costs less than the price mitigating it with additional security measures, and it is the one bearing the cost either way, then power to them!