@burcinc-- I don't think that identity theft usually occurs because users do not protect themselves. I think hackers have gotten very good and can get a hold of user's personal and credit card information more easily now. So it would be wrong to say that it's the users' fault. It's really the fault of the website that hasn't protected the information properly.
Of course, there are things that users can do to help reduce the likelihood of their information being stolen. You mentioned two good ones. Another one is avoiding making purchases from websites that do not have the proper security encryption in place to protect data. I personally only shop from well known, renowned websites with top notch security precautions.
There are also ways to shop without actually sharing credit card information. Using a third party payment system is a great way to do this.