I give my credit card company a substantial amount of money by using the card and letting them collect fees for the transaction. For that consideration, I leave it up to them to dictate what should be done about fraud. If they want me to use a different card number for every vendor or transaction, I would, but they don't. It isn't where the fraud is.

With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read only log?