I doubt if any of the vendors have the faintest clue about any web security issues, they leave that to their webmasters. And, those that do think they know something about web security are probably more dangerous than those who don't; they'll be the ones sending you your password in plain text in a plain email because they think they've covered everything by doing a couple of jobs on the server.
The webmasters are mostly worse than the owners as they work to a price, and that only allows for site build and frontend site management, but they might tell the owner they've 'fixed' the security, and the owners probably believe it. Plus most of them came up from building HTML sites, and are struggling with DB-driven sites, and never took a security course anyway. The average webmaster wouldn't have a clue about XSS, SQL injection, PHP security or anything like that. Of all the dozens of webmasters and sitebuilders I know, only one or two have any clue about site security; and they aren't at the level of a specialist.
Come to that, a lot of hosts are equally blank. They have support techs who leave a phpinfo.php file in the webroot after looking at something, or tell you the server needs register_globals on.
If devs are employed they concentrate on implementing more features, they don't really know about security. When they write plugins, half of them have holes in them the size of Subtropolis.
The number of ecig vendor sites that have had a specialist security consultant work on them in the last year is unlikely to be more than 1 in 1,000. As ECF has over 2,000 vendors registered that isn't a great percentage. You basically have to accept that you'll need a unique password for every vendor site (which should be basic practice anyway), and change it every month, and use a one-time CC number. If you don't do that, it's inviting trouble, as the vendors mostly don't know anything about web commerce.
Another issue is that people think a password is something like their dog's name or whatever, so they can remember it. No one told them that:
a. If you can remember a password then it doesn't qualify as one. Real passwords are impossible to remember.
b. This is 2013 and you have 100 passwords (or should have), all completely unrelated and all gibberish. That means you have to use a password manager, all of which use encryption, so they should be reasonably safe on your PC. How many have got Roboform or Keepass etc?
c. These days you don't ever click 'Remember me' on a website that involves financial transactions and that needs a password, as it makes the browser remember it. Since many people are using Internet Exploder, it's a license for any 14-year-old script kiddie to get your stuff.
So with a combination of users who know nothing about security (which is understandable, and not really their fault), and vendors who know nothing about security (which is understandable - that's why they always need a specialist security consultant) - but who don't employ a specialist, we are bound to have frauds occurring constantly. No way round it. It's everyone's fault, or no one's fault, depending on your viewpoint.
The individual can certainly protect themselves but most can't be bothered. How many use a one-time CC number?
The web is the new wild west and it's a rich playground for a criminal coder. Even people you'd expect to have things locked up tight are sometimes wide open. The spotty kid from Dagenham or somewhere who hacked into the Pentagon's computers and left messages about alien spacecraft, and who the US are trying to extradite from the UK, when asked if it was hard, said: "It was ridiculously easy".