“Check out my debit card!” Or: why people make bad security choices
But then we started using credit cards remotely, first by making payments over the telephone and later for use over computer networks. Neither physical possession of the cards nor a signature on paper could be used for authentication any more. So the card numbers themselves, along with the three digit security (CVV), codes became the means of authentication. As with Social Security numbers, we ended up using a piece of information for authentication that was never designed to be used that way.
A great post on Identification vs. Authentication, and why it’s unclear to some people, how credit cards and the like work.