Even worse, under the hood, some of these apps use the TOTP standard. The entire extra premise is that the seed is not extractable and cannot be backed up.
Send people to the website to find your number, idiots.
Spirit of the law: [ ]
They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.
This is a completely different risk profile than a form on the internet.
I have the same name as my father (first and last, different middle). We live at the same address. It’s a small town so we share a lot of the same doctors. We use the same pharmacy.
For just a bit of extra spice our birthdays are only two days apart.
Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.
"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...
... and that this is the correct email address for you. Please confirm."
Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.
This regularly blows my mind.
Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”
No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.
And if a company can’t be bothered to have a fallback verification flow in case I do lose access to my phone number somehow, that doesn’t increase confidence either. I’m a person, not a phone number.
Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.
I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.
I've never heard of this, I'm very curious.
Talk about training people to give away sensitive data.
Edit: changed Klarna to Sofort
YOU calling THEM is not an issue. That's the secure connection. There's not (afaik) a way to hijack the receiving phone number.
The issue is when somebody calls YOU. Faking the originating number of a phone call is easy, happens all of the time. That's the scammer route.
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
That's what you're supposed to do. That's what security is. That's the sensitive data that ensures it's not a rando calling who stole your card.
I'm not sure what alternative you are looking for? You're the one calling them, so it's fine.
The weakness is in the processes and the lack of critical thinking skills of people executing processes.
Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.
The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.
Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.
I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.
You should have looked up the ssa site and found the number that way.
Why has some startup not solved this problem already?
It is many problems with many solutions.
tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.
PS: I'm in EU.
The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.
Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.
Super simple but probably costs some money to develop.
Any suggestions for what is better?
But banking websites only allow going a few years back. But now with the KYC/AML madness where every real-estate agent, notary, etc. is forced to snitch for the intrusive government, they ask for "proofs of the source of funds" for things that can go back many, many, many years.
"I sold an apartment I bought in 2013"
"Source of funds you used to buy the apartment in 2013 please"
And you're sorry out of luck with traditional banks.
My banks then typically charge 25 EUR per month, per account, to get past history. So say you have 3 accounts, that's 900 EUR per year for your history.
And to add insult to injury, it's all dog slow of course.
Back in the days it wasn't like that: it didn't feel like the Gestapo was watching your every move and asking honest citizens proofs of everything. So I didn't know that for my private account I had to carefully save every single wire transfer for it may be needed 15 years in the future.
Just screw that entire system. Fuck it.
P.S: my mom still has one banking website where geniuses decided that a PIN had to be entered by using the mouse to click on digits that are randomly placed on the screen. Major French bank. In 2025.
That's why banks get authentication wrong. Because they are in the business of banking and banking customers do not care about TOTP.
I can't get SMS when I'm traveling which is 95% of my time. It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
I think many banks might find it a benefit to exclude customers who don't have cellphones or SMS.
At least they support standard TOTP now. https://www.canada.ca/en/revenue-agency/services/e-services/...
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
8 years later, no one seems to care. Other things that NIST doesn't recommend are rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.
Here is the relevant document: https://pages.nist.gov/800-63-3/sp800-63b.html
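A password-acceptance check following the quoted 800-63B guidance, as an added example (not from the thread or from NIST): minimum length, no composition rules, a breach/dictionary lookup and a username/service-name check, and no password age anywhere. The blocklist and the service name `examplebank` are constructed stand-ins.

```python
"""Password acceptance per NIST SP 800-63B section 5.1.1.2 (added example)."""
from __future__ import annotations

import unicodedata

# Constructed stand-in for a breach/dictionary corpus. A real verifier checks
# against a large list (typically through a k-anonymity range lookup).
BREACHED_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
}
SERVICE_NAME = "examplebank"  # assumption: the relying party's own name

MIN_LENGTH = 8   # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64  # 800-63B: verifiers should accept at least 64

# Common substitutions folded back so "p@ssw0rd" is recognised as "password".
_LEET = str.maketrans("@43015$!7", "aaeolssit")


def _normalize(s: str) -> str:
    """NFKC-normalise and casefold so look-alike Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", s).casefold()


def _is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'hgfedcba' (every step +1 or every step -1)."""
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_password(candidate: str, username: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    Deliberately absent: composition rules (no 'must contain a digit and a
    symbol') and any notion of password age; 800-63B says to force a change
    only on evidence of compromise, which is an event, not a timer.
    """
    pw = _normalize(candidate)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    folded = pw.translate(_LEET)
    if pw in BREACHED_PASSWORDS or folded in BREACHED_PASSWORDS:
        return False, "appears in breach/dictionary list"
    # Context-specific rejects: the username (also reversed) and the service name
    user = _normalize(username)
    for ctx in (user, user[::-1], SERVICE_NAME):
        if len(ctx) >= 4 and (ctx in folded or ctx in pw):
            return False, "derived from username or service name"
    if len(set(pw)) == 1:
        return False, "single repeated character"
    if _is_sequential(pw):
        return False, "sequential characters"
    return True, "ok"
```

An all-lowercase passphrase passes while `P@ssw0rd` is rejected, which is the point of the guidance.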
At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.
Someone in management took the application form and justified their own belief on security and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.
My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.
I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.
My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.
Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.
There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.
Obviously, this is a terrible idea.
How many of them allow generating a code related to a specific operation (provide a context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.
I can confirm the transaction from a complete separate device while doing a second check if all details are correct.
One bank allows me to install the mobile app on up to 5 smartphones, all I need is to connect the smartphone to the Internet (e.g. through Wi-Fi).
Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards.
Yet another bank will only allow me to have the mobile app on one device. To activate on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.
I don't know what the viable alternative is. Passkeys have just as many issues when phones are stolen, lost or broken. You cannot expect consumers to store recovery codes. I do agree support of TOTP authenticators would help savvy consumers, but probably still too complicated for seniors etc. Watching my elderly relatives with poor vision enter a TOTP code was quite instructive. The UI of Google Authenticator made no sense to them and they didn't understand why it kept changing and getting rejected. They were barely able to enter six numbers in a 30 second window.
They may sign you out automatically if you connect from a different country.
Don't know how he got logged out but he almost certainly didn't check before leaving the country.
Having said that, the 2FA for TD is atrocious as it provides SMS fallback in addition to their bespoke app.
Of course, that breaks the UX analogy of the house key.
But, I think it would still be a challenge for many elderly for other reasons.
Also a password box that will accept more characters than the max password length.
SMS is an easy target because ~everyone has a cell phone and with things like Apple’s verification code auto-complete, the amount of friction is greatly reduced.
With standard TOTP, now they have to worry about if the user correctly added the secret information to whatever authenticator app. And write corresponding documentation explaining how to do so, for every major authenticator app.
There also has to be a backup flow for when the user loses their authenticator app which is probably just going to be SMS. So why not stick with just SMS in the first place?
I hate using SMS for 2FA, but I understand the business decisions around it. I think as engineers we forget, to be frank, just how bad most people are with technology.
If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.
And in what world is SMS not available but being able to call that same phone is?
Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.
Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.
The standard flow I usually see for setting up TOTP ends with entering an authentication code. If it's not valid then the setup isn't finished.
It adds up to a decent amount of supporting documentation that the bank is responsible for providing.
We can discuss the implementation but in Denmark and quite a few other countries, the login problem in online government services and banking is solved by a single state run identity provider (MitID) and hopefully the EU will be successful with their EIDAS initiative and provide a solution that works across country boundaries.
Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.
Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).
My employer requires an SSN when I start a job. TSA keeps alleging they're going to require Real ID any day now. Voting, if I have my jurisdiction's requirements right, requires an SSN, though most people will experience that in the form of driver's license, since getting a license is usually automatic voter registration where I've lived.
I think often people mess up the subjects of privacy, freedom and a government provided id. You can have privacy and freedom even if you have a government issued id. And you can have your privacy and freedom taken away from you without the government giving you standardized way of proving your id.
People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.
Driver's licenses (or non-driver IDs) are the US's de facto ID standard.
I could get a Real ID that reads "1060 W Addison St" today. All I have to do is pirate Acrobat, change the addresses on PDFs downloaded from the websites of my bank and power company, and walk into an Illinois Secretary of State office, as that's enough for the residency portion of a Real ID. They do not double-check any of this information, and I know this works because I had to edit a power bill PDF so my SO would have a second document for proof of residency. All it would take is one phone call to find out I'm the only one listed on the account, but it was never verified.
Why anyone thinks a federal ID would enable mass surveillance and tracking is beyond me. The NSA doesn't need a unified federal ID to track us, and law enforcement isn't exactly foiled by people who hold fake IDs or who have no IDs whatsoever (unless being undocumented or Amish is some magical "get out of jail free" card).
[0] https://www.spid.gov.it/en/citizens/ it integrates with eIDAS too
Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.
State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.
If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.
Where is the privacy problem if you use this system to consult your own civil data ? Privacy is a thing in the EU and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.
> Resist every single effort to make it easier for merchants and private entities to strongly identify users
How is this related to govt issued ID cards ?
Indeed this has happened in Denmark already where for example DBA (Danish version of ebay) started soft-mandating MitID verification. Soon to be actually mandatory.
Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.
I have developed for several banks in Europe and EIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still have alternate options such as a smartcard with reader or a smartcard-based national app.
Most seem to favour using apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.
Sadly I have to conclude from evidence that these incompetent buffoons think you can compute “how secure our site is” by asking “is it a f*cking pain in the ass for everyone to log in, almost all the time?” If yes, then secure.
Bonus points for “is it impossible to log in when you don’t have your cell phone that you registered with us?”
Implementing "modern" auth flows is challenging with old core systems.
From a risk management and compliance standpoint, this new auth infrastructure would represent a non-trivial expansion in the bank's audit scope.
Until a regulator makes it a requirement to use whatever new auth flow, it is not going to happen at scale.
Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...
Therefore, they don't want to use standard TOTP because that's easy to automate. Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe a SMS service.) And requiring a special app is quite difficult to automate.
Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.
I don't even know how recovery scenarios work for passkeys.
As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.
Offline backup codes, when printed, isn't such a bad idea. But when you lose that piece of paper, again, game over.
SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.
[0] https://www.investopedia.com/stock-analysis/2013/investing-n...
> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.
https://edition.cnn.com/2024/10/10/investing/td-bank-settlem...
Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.
Of course effectively 0% of their customers actually use it, and instead rely on SMS.
They have basically no real motive to improve anything (the lock in is utterly extreme) and no doubt will charge through the eyeballs for any improvements - especially ones that are regulatory related.
You can see the difference between a legacy bank and some of the neobanks in the UK. It's absolutely night and day when they own their own modern tech stack.
This also gives the bank 'cover' should an exploit be uncovered in "big vendors" system. They (the bank) are safe liability wise (or at least they think they are) because they used "approved vendor Y" for their authentication system.
If they created their own system, then they would be unable to offload the liability onto someone else.
In a sense. The big banks in the US created Zelle with one of the specific outcomes being to offload liability for unauthorized transactions more on to the consumer than themselves.
SMS is bad and should go away, but it isn't so clear what the replacement needs to be for most people.
A decent password manager nudges you into using unique passwords per service. Good password managers also offer you a browser extension, which injects the password directly into the DOM instead of using the clipboard, and checks the domain, too. It's not 100% secure, but at that point, 2FA may be a diminishing return already.
Banks are generally protected from fraud not by up-front security, but by auditing. If someone mis-applies funds, they have a chain of transactions they can back out. And, if someone does it maliciously, they have a disproportionate support of the force of law to discourage such behavior.
Contrast most software companies, where theft of data is not a reversible issue, so they are heavily incentivized to make it technically infeasible.
The financial sector has sheltered itself / been sheltered from the immediate consequences of fraud perpetrated upon it regarding its customers. The customers catch most of the consequences in terms of opportunity costs and some of the bookkeeping labor.
(... in the large, of course, too much fraud runs the bank out of customers and then the bank suffers. But that has to be a lot of fraud, and that's where the governmental big stick that the banks and other financial operators get to wield by proxy come back into play. Try to steal $100 via credit card fraud and you probably get away with it [once], with the cost being borne by a credit card company having to write off couch-cushion money and an individual consumer being heinously inconvenienced in having to rotate all their auto-deduction numbers. Try to steal $1,000,000? The FBI has some questions, friend, if you'd be willing to come with these nice men down to the branch office).
Recovery paths vary -- from SMS and hardware code generator (funny terminal to slot bank card into) to government-managed PKI or ID cards.
I think only one of them is still using sms as a fallback for normal transaction confirmations.
1. you don't understand what banks do, or
2. you pretend that cryptocurrencies do things that they don't
One could make a list a mile long of things that banks do that cryptocurrencies have no answer for. Banking is not a technology, it is a service.
They will hire contractors from the bottom of the barrel, claim "rEgUlAtIoNs sToP uS", load up on middle management - thinking they will ~~whip~~ manage those bottom dollar contractors into performing like well paid folks - then decry about asinine shit (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the initiative(s) fall flat and projects are behind by _years_.
This rinses and repeats for a few years, maybe they get a half ass implementation out to meet minimum spec for MFA. Maybe they spend millions in consultants and contractors before it gets off the ground.
Neither of those prevents somebody from stealing bicycles though.
I have spent many hours on the phone over the last few days fighting tooth and nail to get my savings back to my account with British bank A from British bank B (just recently bought by A, as it happens) in small chunks because reasons.
I have explicitly raised the point "if this punishes the innocent so hard in a simple legit case like this, wasting hours of everyone's time, is it actually working?"
In response to the first of three (!) complaints that I have filed during this trauma, the bank conceded on all the points and awarded me a significant compensation sum ... which I may never be able to get at!
Plus people possibly from the bank keep trying to call me and ask me to prove who I am with data that would let a phisher into my accounts, and are effectively unreachable if I try to contact them through a safe route... Including the fraud and complaints people... Duh.
so, it's a bit of a compatibility issue, i guess there will be some portion of the population who will be very upset that they need to buy a whole new smartphone just to securely access their banking details
ALLOWING methods X, Y or Z would be better reasoning.
If you think TD is bad, try some European countries where there's only a handful of banks...
The proprietary auth solution as well as SMS will show "To authorize a transaction of $12,345.67 to account ..., enter code 123456". SMS isn't secure because there are various ways for the attacker to get the code aside from phishing.
The apps are a royal pain for the user, but they enable this flow, and they are secure for the bank.
The bank has limited incentive to make the user happy, but a lot of incentive to a) minimize fraud, b) be able to blame the user for the remaining fraud.
That's why you will keep getting shitty, user-hostile authentication apps, and that's why banks will keep losing some (but probably not enough to make them care) customers to neobanks that are prioritizing user experience. And why neobanks will enshittify once they are no longer willing to buy adoption by accepting more fraud.
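An added example (not the thread's or any bank's code) contrasting a plain RFC 6238 TOTP code with a code bound to the transaction the user is shown, as in the "To authorize a transaction of ..." message above and the context-bound confirmation asked about earlier in the thread; it also shows the enrollment check that finishes only once the user's app produces a valid code. The seed is the RFC 6238 test-vector seed, the account strings are constructed, and the transaction-code format is a hypothetical one chosen here, not a standard profile.

```python
"""TOTP (RFC 6238) versus a transaction-bound confirmation code (added example)."""
from __future__ import annotations

import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30  # seconds per TOTP window

# RFC 6238 Appendix B test-vector seed: for demonstration only, never for a real account.
DEMO_SEED = b"12345678901234567890"


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of an HMAC to DIGITS decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP over an 8-byte big-endian counter."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest())


def totp(seed: bytes, now: int | None = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    t = int(time.time()) if now is None else now
    return hotp(seed, t // STEP)


def verify_totp(seed: bytes, code: str, now: int | None = None, skew: int = 1) -> bool:
    """Accept the current window plus/minus `skew` windows, constant-time compares."""
    t = int(time.time()) if now is None else now
    base = t // STEP
    return any(hmac.compare_digest(hotp(seed, base + d), code)
               for d in range(-skew, skew + 1))


def complete_enrollment(seed: bytes, first_code: str, now: int | None = None) -> bool:
    """Enrollment finishes only when the user's app returns a valid code,
    proving the seed was imported correctly; otherwise the seed is discarded."""
    return verify_totp(seed, first_code, now)


def txn_code(seed: bytes, counter: int, amount_cents: int, dest_account: str) -> str:
    """Confirmation code bound to the transaction shown to the user.

    The MAC input mixes a per-transaction counter (replay protection) with the
    amount and destination, so a code issued for one payment verifies for no
    other. Hypothetical format chosen for this example, not a standard profile.
    """
    msg = struct.pack(">Q", counter) + f"|{amount_cents}|{dest_account}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


def verify_txn_code(seed: bytes, counter: int, amount_cents: int,
                    dest_account: str, code: str) -> bool:
    return hmac.compare_digest(txn_code(seed, counter, amount_cents, dest_account), code)


def relay_comparison(seed: bytes, now: int) -> dict[str, bool]:
    """One code typed by the user, checked against two different transactions.

    A phished TOTP code verifies no matter which transaction is submitted with
    it, because the transaction is not an input to the code. The bound code
    only verifies for the amount and account the user actually saw.
    """
    counter = 41
    shown = (1_234_567, "DE00 0000 0000 0000 1234")    # constructed: what the user saw
    swapped = (9_999_999, "DE00 0000 0000 0000 9999")  # constructed: what a relay submits
    user_totp = totp(seed, now)
    user_txn = txn_code(seed, counter, *shown)
    return {
        "totp_accepted_for_swapped": verify_totp(seed, user_totp, now),
        "txn_accepted_for_shown": verify_txn_code(seed, counter, *shown, user_txn),
        "txn_accepted_for_swapped": verify_txn_code(seed, counter, *swapped, user_txn),
    }


if __name__ == "__main__":
    print(relay_comparison(DEMO_SEED, int(time.time())))
```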
I've seen a couple consumer fintech products that support TOTP, still not many, and no banks I'm aware of.
I keep looking at them, see the fragmentation, and have to say "no thanks, great idea, horrible reality".
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.
In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.
When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.
People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.
Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).
We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.
Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?
As the sibling comment alludes, FLOSS projects have been threatened for allowing (part of?) the key to be exported!
It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.
I don't think iMessage solves the problem of receiving an SMS from your bank where your SIM card is inactive or disabled due to roaming costs.
A VOIP number like Google Voice can solve that problem, but some services that do SMS-based verification reject phone numbers that a database says are VOIP.
Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.
If someone does breach an account, it's incredibly difficult to pin on the bank.
If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.
I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.
There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.
As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.
It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.
The mobile app doesn't require a second factor, so I was able to log in there, but I couldn't transfer funds or something on mobile, and buried in a deep section of the settings I found a way to get the OTP via email.
Really disturbing the banks still haven't secured this.
Therefore for the entire time I was overseas after having done this, my bank account had no 2FA enabled... smh
One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.
I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.
I'm not clear how this changes the gun to your head scenario.
I would want to see numbers before making policy changes based on potential armed robbery.
I'm only half trolling.
It’s almost like the various departments that make these systems don’t talk to each other.
I suspect that's a big reason for slow adoption
> Think of the person from your grade school classes who had the most difficulty at everything. The U.S. expects banks to service people much, much less intelligent than them. Some customers do not understand why a $45 charge and a $32 charge would overdraw an account with $70 in it. [...] This customer calls the bank much more frequently than you do.
Here in the UK, all bank apps were dismal. Until Monzo and Starling arrived on the scene, and holy hell did the big 4 get their acts together.
Is the answer I got.
if username == "user1" && password == "password1"
    return true;
else if username == "user2" && password == "password2"
    return true;
else if ...
Yes, that was real.
You'd be wrong there but not for obvious reasons.
Ultimately the cost of fraud is passed on to consumers. Banks pass the costs on to merchants, who in turn increase prices.
As a merchant increasing friction in the checkout process to reduce fraud does not improve profitability (broadly speaking).
So no they had no actual financial incentive to even implement chip and pin, that only happened because it was required by law.
Meleagris•4h ago
Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]
[1] https://productioncommunity.publicmobile.ca/t5/Get-Support/T...
ikesau•3h ago
It's mind-boggling that this is the solution we've settled on.