Okay, looking at it from the bank's perspective, they have no way of knowing who committed the crime. The person logged into his/her jumia/aliexpress account and changed his card details to yours then made a purchase. As far as the bank is concerned, that was you. The only way to know the person is if the bank formally asks the e-commerce platform(s) for that info. If the sites have serious privacy measures, they'll most likely decline. That's why I've always wondered why banks don't ask for a PIN before completing an online purchase, like you enter when using an ATM. That would eliminate 95% of this fraud. As things stand, all I need to do is take a photo of someone else's atm and I can successfully use it to buy things. That's a serious security lapse.