You are missing the point. You expect that you are interacting with the bank, but the average person has no way to verify this. They are just conditioned to type their bank password into a random site after their credit card number.
A malicious site could just put up a box that looks like the bank's regular authentication page and skim the extra authentication, either replaying OTPs or capturing other credentials. Unless you used the developer functions of your browser to check the iframe URL, there is no way to tell the difference between a real 3D Secure page and a phishing clone.