Furthermore even if a card is skimmed these days, at least in the UK, it’s still unlikely transactions would be processed online.
That’s because it’s become so commonplace now for transactions to pop-up in the banks app on the owners phone and they must confirm the transaction and / or receive a code via SMS. Some just use SMS as a means to confirm a transaction.
I guess one vector for attack still remains and that is SIM swapping, but even that is more difficult these days due to widespread awareness from carriers.
I mean, if they knew where you usually shop online, probably not. I generally get the popup when either:
1: Shopping somewhere for the first time
2: Certain businesses (presumably those that are more often targeted for fraud I guess?)
I bet if they tried to use a different delivery address (and the shop passed that on) it should (I think at least) trigger a security check.
In shops especially with contactless it’s very unlikely to be stopped though. But I think the bank needs to eat the contactless losses if I remember right. I do recall there’s a maximum number of contactless payments you can make in a given time before it forces chip and pin though.