Furthermore even if a card is skimmed these days, at least in the UK, it’s still unlikely transactions would be processed online.
That’s because it’s become so commonplace now for transactions to pop-up in the banks app on the owners phone and they must confirm the transaction and / or receive a code via SMS. Some just use SMS as a means to confirm a transaction.
I guess one vector for attack still remains and that is SIM swapping, but even that is more difficult these days due to widespread awareness from carriers.
I just replied this to the parent comment.