Comment: Re:HTTPS means something specific (Score 0)
Of course the card number is on the card itself. You need it for a whole lot of things, ranging from online transactions to ordering pizza. If you can't keep the physical card secure, that's your problem.
My point is that anyone who has accepted payment from me will automatically have my name, card issuer's name and card number on file (and possibly my email address too if they were an online merchant), so claiming that I can authenticate an email purporting to come from my card issuer by checking that my name and the last 4 digits of the card number are quoted in it is patently bullshit (the vendor does not need physical access to the card to get this information - you have to give them exactly this information in order to make a transaction). Even using the bank account number, rather than the card number, would be risky since this information is also available to retailers who have accepted my card.
This isn't about "keeping the physical card secure", this is about the banks making their emails actually authenticatable rather than implementing some security theatre that does nothing but give people a false sense of security.
I'm not so keen on having the bank account number on it, but it follows the same general principle - if someone has physical access to your card, they aren't going to be able to do any worse with that extra information than the card itself. Think about it - it's a debit card attached to a bank account. At least in the US, you can run a debit card as a credit card (requiring a signature instead of a PIN), and it gets processed under credit transaction fees, but it still just draws from the bank account.
Please go back and read the whole thread - none of this discussion was about making fraudulent debit/credit card transactions; this was about banks using trivially obtainable information, such as credit card numbers, post codes, etc. in an insecure attempt to allow the customer to authenticate an email, rather than using a strong cryptographic signature that the email client can verify (which, seemingly contrary to general belief on slashdot, *is* standardised in the form of S/MIME).
They aren't going to be able to access other information about the account, like the balance, online or elsewhere without detailed personal information like answers to security questions anyway, so your damage is limited to whatever they charge up in person.
This is precisely the point - they are able to access other information by virtue of phishing. The banks are sending out legitimate emails with links to web pages on domains that aren't the bank's main domain, that ask for authentication credentials and telling the recipient that it's all perfectly safe because they can authenticate the email by checking that some trivial information (last 4 digits of CC number, post code, etc.) is in it. If you want to gain access to someone's bank account, all you need to do is:
1. Obtain access to the customer database on some retailer's website (this seems to happen with reasonable frequency anyway).
2. Register a domain that looks almost-but-not-quite like a bank's domain (e.g. register mybankonline.com if you're targeting mybank.com customers).
3. Build a website on the mybankonline.com domain that looks like mybank.com's website, including authentic looking login pages that will collect a user's login details.
4. From the database obtained in (1), pick out all the email addresses, post codes and card numbers of people who have a card issued by mybank.com.
5. Send out authentic looking emails to the email addresses you found in (4), remembering to include their post code and the last 4 digits of their credit card number in the email. Include a "log in" link that points at your fake website. Remember to add some friendly information to the email along the lines of "So you know that emails we send are genuinely from us, we will always quote the last 4 digits of your account number." (*)
6. Sit back and wait for the credentials to roll in, because there is absolutely *nothing* the user could do to tell this apart from the legitimate emails the banks are sending out. You've now gained access to the accounts of rather a lot of customers.
(* This text was taken from a real legitimate email from Capital One. Other banks do similar).
Again, please go back and read the thread - you seem to be replying to a conversation that we are not having rather than the one we are...
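The cryptographic check the reply above is arguing for, shown as an added example that is not part of the thread: sign a bank-style notification with S/MIME using openssl, verify it against the issuer's certificate, and show that editing the link to a look-alike domain breaks the signature. The certificate, domain names and message text are all constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the thread: S/MIME sign + verify with openssl.
# Everything here (issuer cert, domains, message) is constructed throwaway data.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed cert standing in for the bank's mail-signing identity.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=alerts@mybank.example" \
  -keyout "$WORK/bank.key" -out "$WORK/bank.crt" >/dev/null 2>&1

# Constructed notification body, the kind of text the thread quotes.
cat > "$WORK/msg.txt" <<'EOF'
Subject: Account notice

Your statement is ready. Log in at https://mybank.example/ to view it.
EOF

# Sign: produces a multipart/signed (clear-signed) message with the cert attached,
# so a mail client can verify it without any "last 4 digits" heuristics.
openssl smime -sign -in "$WORK/msg.txt" -out "$WORK/signed.eml" \
  -signer "$WORK/bank.crt" -inkey "$WORK/bank.key" -text

# verify_smime FILE: exit 0 only if the signature is valid and chains to the
# trusted issuer cert (here the same self-signed cert acts as the trust anchor).
verify_smime() {
  openssl smime -verify -in "$1" -CAfile "$WORK/bank.crt" \
    -out /dev/null >/dev/null 2>&1
}

# Tamper: swap the link for a look-alike domain inside the signed body.
sed 's/mybank\.example/mybankonline.example/' "$WORK/signed.eml" \
  > "$WORK/tampered.eml"

genuine_ok()  { verify_smime "$WORK/signed.eml"; }
tampered_ok() { verify_smime "$WORK/tampered.eml"; }

if genuine_ok;    then echo "genuine message:  signature valid"; fi
if ! tampered_ok; then echo "tampered message: signature INVALID"; fi
```

The same `openssl smime -verify` call, pointed at the bank's real signing CA instead of the throwaway cert, is what a mail client or mail gateway would run to reject the forged message described in the steps above.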