We have two choices: Go to the expense and trouble of redesigning the solution knowing that whatever we do is unlikely to solve the problem perfectly (thus leaving a small but real margin of risk), or devise a workaround as Commonwealth Bank has done (if you can call asking staff to be more vigilant a workaround) and face larger losses but avoid the huge costs associated with a redesign.

In the case of ATMs there's also consumer confidence to consider, but most consumers are blissfully unaware of the issues or just don't care. Some banks are exploring use of one time codes generated by handheld devices that would thwart the skimming/capturing problem, but devices can be easily lost and it would be yet another gizmo you would have to carry.

This ATM security issue is exactly like many other IT security problems in that there is no "best solution", there is only a solution that is less ugly than the alternatives.