Ah, that would definitely make a difference. A debit transaction uses some form of “password” like a PIN or the data embedded in a card chip. A credit transaction technically only relies on easily available data and sometimes a signature, much more common for fraud (it’s pretty easy to read and replicate the data from a magnetic strip–one of my classmates did a project to read magnetic strips, and they had to stop letting people swipe their own cards on it because it popped up tons of confidential data).

My CU’s website definitely looks like it’s from the early naughts, but they at least kept things up to date and security practices seemed legit, and I don’t think I ever tripped the fraud detector. I guess everyone’s mileage will vary a bit.