"I believe that proper real-time monitoring of the system could have prevented most of the attack..."
As someone who has worked in the Card Fraud industry, I can assure you that it is a requirement for every card processor to use real-time monitoring software for the prevention of fraud. Visa/Mastercard/etc. demand it if you want their logo on the card. The amount of money prevented from fraudulent activity over the past 10 years has dropped very, very significantly. $9 mill on this would be a drop in the bucket in the 90s for some banks. Interestingly, this is something that can be worked into financial institutions' budgets as a type of expense/liability.
Here's the problem with realtime monitoring in its current breadth and depth. It can only process and monitor suspect transactions where either the card issuer (the bank of the card user) or acquirer (the bank of the place making the transaction). Issuer approvals happen in near-realtime. They have to, otherwise we'd all be waiting at a checkout for hours/days to get approval on the payment. Where banks can fall short is that they are all very much to themselves with their data. Rightly so, but this also really, really slows up the ability to share data. Factor in each various country's data protection laws, and this is simply unattainable for some (the UK, for example, does not share data just because it'd be nice to do so).
On top of that, there is a bit of a schism as to whether neural networks or rule-based (human-created manual rules for detection) are the 'best' approach to catch and prevent fraud.
A more recent push for PCI-DSS enforces encryption of certain data, and to verify that it's done. So I ask you the question, is it the fraud monitoring here, or the security failure and weak encryption allowing this group to legitimize the transactions? It goes back to your original statement that secure design and implementation are the solution. I'd like to add one-time passwords onto that list.
Lastly, 'proper' realtime monitoring is a bit of a throwaway comment. Take the amount of credit card transactions a day (let's say 3 million) and 1% of those are fraudulent (how do we do this properly again?), which means we have to find 30,000 transactions that could cost us money. For 50 people at say, $40,000 a year to find 30,000 fraudulent transactions a day would cost say... $2 million annually. So if they caught 'every' fraudulent transaction, then that is a $1 million saving. But realistically, is 50 people enough? How about 500? Now let's make this operation 24 hours, plus office space, equipment, et cetera. At the end of it all, there has to be a line where money spent preventing fraud has a return on its investment (within reason).