Oh. I was actually being sarcastic.
Dont be scarcastic, didnt you know its the lowest form of wit.
This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to?
You have only given one reason and its not a security one. I would go with the one which offered me the best security and convenience, you didnt consider the inconvenience caused by having your accounts looted which the liability doesnt cover.
If they both make that promise, what does the consumer gain from the device?
You do realise that shifting the liability onto the banks doesnt actually prevent the theft?. The users still pay for it one way or another and its not simply a matter of cost or inconvenience to the public but also the lack of faith in a inherently superior and more cost effective method, ie banking online instead of going to a branch.
And even this would be spectacularly vulnerable, if you can't trust the host system through which you're accessing whatever you're accessing.
Please define your vulnerability. If you are talking about the banks servers themselves being attacked I believe it is very very rare and it would be good if you could provide a reference. The vast majority of trojan cyber crime which is the issue here is performed against the users not the banks backend servers.
Cobol programmers are down in the dumps.