Why do we hold Internet security systems to a high standard that no offline system has ever met?
But it’s not so much that the standard is higher as that it’s different. Counterfeiting and theft are risks for physical currency that don’t even make sense for some forms of electronic payments. To counterfeit a credit card, you’d have to suborn a payment-processing system. A physical credit card can be stolen but the underlying account is what’s actually of value; the account holder is generally indemnified against fraud.
Contrariwise, nobody has to defend against distributed physical attack – 100,000 home invasions aimed at stealing credit card information – because it’s only practical to mount such an attack electronically.
The real problem, I’d say, is that our cultural and social systems adapt more slowly than technology changes. For a simple example, consider that while personal accounts are insured against unauthorized debits, business accounts are not. Since individual small businesses are on the hook for losses due to stolen credentials, enforcement efforts are weaker — effectively, banks and their insurers have chased the crooks out of consumer accounts and into business accounts.
Furthermore, the cost of running electronic attacks is often very low, so the threat model for online security has to take account of even very low-payoff attacks. This includes the classic salami attack and statistical attacks on credit card numbers.
One reason Starbucks doesn’t use two-phase commit is that the cost of screwing up a coffee order is on the order of pennies. A Starbucks that’s open for 14 hours making two drinks a minute only makes 1680 drinks. Even with a 100% loss rate, at 10c a drink that’s only $168. If the cost of screwing up a financial transaction is $0.0001, but the transaction can be attempted hundreds of thousands of times per minute, that’s already unacceptable.
And you are, of course, correct.
Just to flesh things out, let me give you the backstory behind my comment. I was returning from the NYC DMV, where I had been told that it would *not* be possible for me to exchange my OR driver’s license for a NY one, because while I did have my Social Security card (perhaps the most fake-able government ID ever made) I did not have my birth certificate (the other contender for most fake-able government document). I did, of course, have an unexpired license from another state and multiple other cards with my picture and signature on them, but without the top two least secure documents in my hands, I would not be allowed to switch states.
This led me to thinking about why they were requiring these documents (I still kind of don’t know – the SSN makes sense because they are using the SSA as a proxy to generate a unique ID for each person, but why the birth certificate?) and what these rules were designed to accomplish. And then I thought about how I could totally get a fake driver’s license with just an inkjet printer. A level of insecurity which would be laughed out of the room in the digital world. Anyhow, so that’s the backstory: Peter got smacked down by a bureaucracy for missing a very falsifiable piece of paper. Which led to grumpy tweeting on the bus to work.