
Why are banks still getting authentication so wrong?

bryanlarsen

Also, they still expect you to authenticate when they phone you. No, I'm not going to tell you my birthday when you phone me. No wonder so many people get scammed, when banks are training people on how to get scammed.

fkyoureadthedoc

Recently had to call Discover because of unauthorized use of card, apparently to buy Facebook ads of all things. They didn't call me, just locked my account and said I had to call them. I couldn't even pay the balance until I did.

Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.

lxgr

> and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it.

This regularly blows my mind.

Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”

No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.

SoftTalker

People get new phones and new phone numbers. Frequently, compared to landline days. The alternative is to be permanently locked out of everything if you get a new phone number.

FireBeyond

Background check for a new employer resulted in me getting an email to my personal account:

"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...

... and that this is the correct email address for you. Please confirm."

Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.

bigfatkitten

Sounds like the sort of thing Hireright would do.

eptcyka

It's stupid to give out credentials over the phone, but it's stupider still to have a system where one's birth date is a credential that is supposed to remain confidential.

airstrike

Same for SSNs

viewtransform

What we need instead is an orb like thing that scans your eyeballs.

anon7000

I mean this is basically the ENTIRE US health system

kube-system

Birthdates are frequently asked in US health settings not as a protection against attack, but as a protection against mistake.

They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.

This is a completely different risk profile than a form on the internet.

LtWorf

Healthcare in USA is famous for many things, but making sense is not one of them.

bee_rider

My rule is simple: if you contact me, you are the one that had to authenticate. Otherwise you are probably a scammer.

Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.

Yizahi

Can be both. You need something from a bank (for example a money transfer), and they call you to confirm. In my case this is 99% of all incoming bank calls to me.

lanstin

I stick to this except when I make some unusual credit card purchase and immediately get called to verify it. I don't like it, but usually I need to make the purchase. If someone had the feed of risk denied CC purchases, they could gather a lot of personal information. Probably there is lower hanging fruit for fraud.

dfxm12

I had someone ask for my name. I told them my first and last name. They said it wasn't correct. After a few minutes of discussion, it turns out the person wanted my name as it appeared on my card, which is first name, middle initial, last name and a suffix. I told the person as feedback that what they asked for and what they wanted were two different things. I'm not optimistic that anything will change.

prepend

It will improve once we have AI smarter than agents who work for the wages banks pay for this.

The weakness is in the processes and the lack of critical thinking skills of people executing processes.

pc86

Trust me we already have AI smarter than bank call center agents.

wodenokoto

When calling my bank I have to enter my entire CC number AND my PIN code.

Talk about training people to give away sensitive data.

fn-mote

> When calling my bank I have to enter my entire CC number AND my PIN code.

YOU calling THEM is not an issue. That's the secure connection. There's not (afaik) a way to hijack the receiving phone number.

The issue is when somebody calls YOU. Faking the originating number of a phone call is easy, happens all of the time. That's the scammer route.

g_p

There are absolutely ways to intercept a call from a targeted user that would be viable to use to gain access to a mid to high value user's funds.

SS7 call routing and rogue 2G base stations are some potential approaches.

In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.

If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).

Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
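The two PIN-verification architectures g_p describes, modelled as an added example in Python (not EMV code and not any bank's; the SmartCard and Bank classes, the channel log, and the sample PIN and key are constructed):

```python
"""Bank-side vs on-card PIN verification, modelled in plain Python.

Added example, not an EMV implementation: SmartCard, Bank and the channel log
are assumptions used to show what each design exposes to the transport.
"""
import hashlib
import hmac
from typing import Optional


class SmartCard:
    """Holds the PIN and a per-card key; neither ever leaves the object.
    Only a verdict and, after a correct PIN, a cryptogram come out."""
    MAX_TRIES = 3

    def __init__(self, pin: str, card_key: bytes):
        self._pin = pin
        self._key = card_key
        self.tries_left = self.MAX_TRIES
        self._pin_ok = False

    def verify_pin(self, candidate: str) -> bool:
        if self.tries_left == 0:            # blocked: guessing is capped on-chip
            return False
        if hmac.compare_digest(self._pin.encode(), candidate.encode()):
            self.tries_left = self.MAX_TRIES
            self._pin_ok = True
            return True
        self.tries_left -= 1
        self._pin_ok = False
        return False

    def sign(self, transaction: bytes) -> Optional[bytes]:
        """Cryptogram vouching that the correct PIN was entered on-card."""
        if not self._pin_ok:
            return None
        self._pin_ok = False                # one cryptogram per PIN entry
        return hmac.new(self._key, b"PIN-OK|" + transaction, hashlib.sha256).digest()


class Bank:
    def __init__(self, card_keys: dict, pins: dict):
        self._card_keys = card_keys         # per-card shared keys (on-card design)
        self._pins = pins                   # PIN store the bank must hold (bank-side design)

    def verify_pin_bank_side(self, card_id: str, pin: str) -> bool:
        return hmac.compare_digest(self._pins[card_id].encode(), pin.encode())

    def verify_cryptogram(self, card_id: str, transaction: bytes, cryptogram: bytes) -> bool:
        expected = hmac.new(self._card_keys[card_id], b"PIN-OK|" + transaction,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, cryptogram)


def bank_side_flow(bank: Bank, card_id: str, pin: str, transaction: bytes):
    """The PIN itself crosses the channel; returns (accepted, what the channel saw)."""
    channel = [("pin", pin.encode()), ("tx", transaction)]
    return bank.verify_pin_bank_side(card_id, pin), channel


def on_card_flow(bank: Bank, card: SmartCard, card_id: str, pin: str, transaction: bytes):
    """The PIN stays in the card; only a transaction-bound cryptogram crosses the channel."""
    if not card.verify_pin(pin):
        return False, []
    cryptogram = card.sign(transaction)
    channel = [("cryptogram", cryptogram), ("tx", transaction)]
    return bank.verify_cryptogram(card_id, transaction, cryptogram), channel


if __name__ == "__main__":
    key = b"constructed-card-key"          # constructed demo values
    bank = Bank({"card1": key}, {"card1": "4821"})
    card = SmartCard("4821", key)
    tx = b"transfer:100.00:payee-A"
    print("bank-side channel saw:", bank_side_flow(bank, "card1", "4821", tx)[1])
    print("on-card channel saw:", on_card_flow(bank, card, "card1", "4821", tx)[1])
```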

ssl232

In Germany, paying for goods online using Sofort (direct bank payment, not buy now pay later) literally involves typing in the same credentials used to log into online banking, that’s your account number, branch and PIN, followed by scanning a “TAN” similar to a QR code using the bank app. The only thing stopping them taking my data and logging into my banking it seems is the TAN app part, that could easily be phished.

Edit: changed Klarna to Sofort

TuxPowered

Is this another incarnation of Sofort? Fortunately nobody is forced to use the former or the latter, you can either pay with card or just make your own SEPA transfer from any bank in Europe.

howard941

Social Security just tried to authenticate my wife's birthday this way. She told them no, give me your phone #. It googled to SSA in Alabama and she called it up and proceeded from there.

ted_dunning

Googling a scammer's phone number often lands you on a site that looks just like the real thing.

You should have looked up the ssa site and found the number that way.

howard941

Good point

awesome_dude

Businesses that expect me to hand over PII when they call me certainly do get upset when I point out that I have no idea who THEY are, and that THEY called me so the onus is on them to prove who they are (typically they will claim their phone number is enough, or that I should ring the phone number that they provide).

The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.

Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.

hinkley

It was a proud day when my bank stopped sending emails with links in them. Of course their outsourced fraud prevention dept still calls and leaves messages with callback numbers, or just asks me for PII. Fuck off.

Send people to the website to find your number, idiots.

patrakov

My bank also promises to never send links. Instead, it sends all of its messages as images without any alt text, and these images sometimes contain links to retype.

hinkley

Letter of the law: [x]

Spirit of the law: [ ]

kokonoko

Can we get rid of the password expiration too? Requiring that users change their perfectly secure password every 6 months is absurd and gives the impression of security when in reality it only makes things worse.

signal11

Banks are aware that NIST and various other bodies have updated their guidance about password expiration. Even vendors like Microsoft who supply extensively to financial services, have updated their guidance about password policies.

At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.

delfinom

It's not inertia. In my big corpo's case, it's because the cybersecurity insurer is refusing to follow NIST.

technion

I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks about the password policy, such as expirations. Complete absence of a written policy is a problem. Non-expiring passwords were not.

Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.

Geebs

One hundred percent. I’d be interested to see how many people resort to having weaker passwords just to try to remember the new password every 6 months. I know many folks are proud of their password ‘system’ of using the same word and adding different numbers every time they need to change it. Not helpful.

newhotelowner

Our hotel franchise requires us to change the password every month. We can't use the last 6-8 passwords.

bluGill

Password1, Password2 ... Password123456789 - I can do this all day. And really you should, as a password you can easily remember is a bad password, so the first part that doesn't change is the important part.

rrr_oh_man

Password manager ftw

pc86

This is fine for services you can easily access on a phone or computer.

My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.

I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.

My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.

brazzy

NIST only changed that recommendation last year. Expect that update to take at least 10 years to percolate through institutions like banks.

GuB-42

This recommendation dates back from 2017.

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

8 years later, no one seems to care. Other things that NIST doesn't recommend are rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.

Here is the relevant document: https://pages.nist.gov/800-63-3/sp800-63b.html
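A small checker that applies the rules quoted above, as an added example (not code from NIST or any bank; the blocklist is a constructed stand-in for a real breach corpus, and the `examplebank` service name is an assumption):

```python
"""Password acceptance checks in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example, not code from NIST or any bank. BLOCKLIST is a constructed
stand-in for a real breach/dictionary corpus.
"""

MIN_LEN = 8      # minimum for a user-chosen memorized secret
MAX_LEN = 64     # verifiers should accept at least 64 characters

# Constructed stand-in for a breached/dictionary corpus.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def _has_run(s: str, n: int = 4) -> bool:
    """True if s contains n identical characters in a row or n consecutive
    ascending/descending code points (e.g. 'aaaa', '1234', 'dcba')."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str, service: str) -> list:
    """Return the reasons pw is rejected; an empty list means accepted.

    Deliberately no composition rules (upper/lower/digit/symbol) and no
    age-based rotation: the only checks are length, a blocklist, repetitive
    or sequential characters, and context-specific words."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    low = pw.lower()
    if low in BLOCKLIST:
        reasons.append("appears in breach/dictionary list")
    if _has_run(low):
        reasons.append("contains repetitive or sequential characters")
    for word in (username, service):
        if word and len(word) >= 3 and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "Password123456789"):
        print(f"{candidate!r}: {check_password(candidate, 'alice', 'examplebank') or 'accepted'}")
```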

jermaustin1

And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.

lenerdenator

Well, let's do the cost-benefit analysis here.

Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.

If someone does breach an account, it's incredibly difficult to pin on the bank.

If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.

I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.

There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.

chvid

Identity providing is a natural monopoly and should be provided by the state in same manner as a passport is provided.

We can discuss the implementation but in Denmark and quite a few other countries, the login problem in online government services and banking is solved by a single state run identity provider (MitID) and hopefully the EU will be successful with their EIDAS initiative and provide a solution that works across country boundaries.

https://en.wikipedia.org/wiki/EIDAS

k4rli

This is yet another USA defaultism post.

I have developed for several banks in Europe and EIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still have alternate options: a smartcard with reader or a smartcard-based national app.

Most seem to favour using apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.

snowwrestler

In the U.S., identity providing is not a role the government fills. Not everyone has to have a passport, for example. A passport is merely a purpose-specific tool for crossing borders, not general identity.

chvid

You have plenty of government IDs in the US as well. Driver licenses, tax number, birth certificates ...

I think often people mess up the subjects of privacy, freedom and a government provided ID. You can have privacy and freedom even if you have a government issued ID. And you can have your privacy and freedom taken away from you without the government giving you a standardized way of proving your ID.

kortilla

You can’t have privacy if everyone uses the government as an SSO.

People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.

einarfd

In Norway our BankID system, which is similar to what the Danes have, is owned by the banks, and is run by a private company. While I personally think that in principle it should be run by the government, it works well enough, and it is imo proof that it does not have to be run by the government.

Muromec

Federal government or governments in general? As far as I get, driver licenses are doing in the US what ID cards are doing in Europe and are issued by governments too.

Brybry

While a driver's license does normally fill that role, it's not mandated and not everyone has a driver's license (or even a state issued ID).

Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.

Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).

Workaccount2

In the US you don't need to have any form of ID. Your life will be very difficult, but you don't legally need it. ID is an optional service here.

loeg

And it is a significant flaw of the US model!

kortilla

Not if you ask people who specifically don’t want the government tracking everything

riffraff

Italy has quite an interesting system[0] where multiple identity providers (authorized by the State) can be used to provide identification against the central database. It'll probably be phased out at some point, but it's quite cool.

[0] https://www.spid.gov.it/en/citizens/ it integrates with eIDAS too

sneak

Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity. Don’t be a privacy defeatist, the fight isn’t lost yet.

Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.

State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.

stef25

We have universal ID cards here in Belgium. They have a chip and along with a special card reader usb device you can log in to govt websites related to taxes, pension and basically everything else.

If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.

Where is the privacy problem if you use this system to consult your own civil data? Privacy is a thing in the EU and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.

> Resist every single effort to make it easier for merchants and private entities to strongly identify users

How is this related to govt issued ID cards?

Dylan16807

If it's easy enough to connect such an ID with arbitrary companies, I don't trust US privacy laws to prevent them from requiring it.

layer8

The way identity providers are supposed to work is to not necessarily divulge your identity, but properties necessary for the respective service. For example, they can attest that you are an adult and a citizen of $country, but don’t need to disclose any further information. When using an identity provider with a third-party service, the attested attributes are displayed to the user to approve their disclosure. This is a bit like app permissions, where you can specify which app should be able to have which permission.

kortilla

But most sites will just require you to attest your full name. Additionally, they will require a unique ID that the govt might not bother changing between websites.

Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.

hosteur

> Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity.

Indeed this has happened in Denmark already where for example DBA (Danish version of ebay) started soft-mandating MitID verification. Soon to be actually mandatory.

einarfd

At one point I was researching using the Norwegian BankID system to ensure that accounts were real people. The pricing model didn't make that look like a reasonable choice. While I'm not surprised an eBay-like service would be fine to pay to combat fraud, for a lot of offerings, paying the cost of using such services will not be worth it.

patja

I'm so sick of retail clerks who insist on scanning the barcode of my driver's license. To verify I am 21 you don't need my height, weight, eye color, and home address. You can ascertain that by visually inspecting just the first two digits of my birth year.

mixmastamyk

Sounds like you may be aware, but no one should allow that to happen. When showing ID in retail situations I don't allow it to be removed from my hand.

gtkspert

You have to think of a Bank's threat model though.

Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...

Therefore, they don't want to use standard TOTP because that's easy to automate. Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe a SMS service.) And requiring a special app is quite difficult to automate.

sedatk

Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.

Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.

I don't even know how recovery scenarios work for passkeys.

sir_brickalot

Counter: Backups for TOTP are easy and you can use multiple devices/services for a single TOTP login.

kube-system

Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.

sneak

Precisely nobody is suggesting that there be no recovery mechanism. This criticism is a red herring.

sedatk

What do you think such a recovery mechanism would look like without SMS?

dfxm12

The banks' real threat model is around what punishments will come from the government. If there's no real regulation with teeth, banks will not care.

gruez

The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 Android phone and an app with SMS access.

speckx

I was surprised that Bank of America still does SMS based 2FA.

dmoy

BoA is one of the very few US banks that do any modern auth - they support fido2 security keys.

Of course effectively 0% of their customers actually use it, and instead rely on sms

charcircuit

Why would a bank care about money laundering?

Muromec

Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.

Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.

rs186

I think you can easily answer that question yourself by doing a simple search.

hiatus

Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.

> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.

https://edition.cnn.com/2024/10/10/investing/td-bank-settlem...

jszymborski

HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].

[0] https://www.investopedia.com/stock-analysis/2013/investing-n...

josephthejoe

It's a long-complicated story but it essentially boils down to this: https://en.wikipedia.org/wiki/Bank_Secrecy_Act

gruez

If they're not seen as doing enough, they can be fined by regulators.

comrade1234

UBS Switzerland has a decent system. When I first opened the account 15 years ago we had a number pad of codes on paper we entered as the authentication. Then later we got a credit card sized electronic device where we enter a passcode and it gives us a one-time code to enter to login. And now we have an Access app - we go to the website, enter our contract number, point our phone at a QR code on the webpage and authenticate on the app, and the desktop browser logs us in. The access app also is used for logging in with the mobile banking app. It never relied on sms.

Super simple but probably costs some money to develop.

fullstop

Banks in the US sometimes support U2F, but you can never disable SMS. Maybe one day.

notpushkin

Would be nice if they could do email instead.

FredFS456

Zurich Kantonalbank (ZKB) has a very similar system, probably because they're also a big bank in Switzerland

Huntsecker

I think it's a Europe thing, we have the same solution in Denmark. Chip and PIN has been in Europe forever; I don't think the US has moved to this yet (although happy to be wrong) and I also believe they still like those bouncy checks that have sort of died elsewhere.

pixelesque

UK Banks like Barclays also had the small electronic credit card sized device from around 2011 or so (and now use the Mobile app for that), but other UK banks like Halifax are still doing passwords (they even have a limit of 18 chars) and just ask you for random characters of memorable words, so there's a big inconsistency even within a single country.

p0w3n3d

While working for UBS (outside of Switzerland) I believe I had to use the same card, but oh boy it's expensive.

Phui3ferubus

> TOTP Support: Let users use any standard authenticator

How many of them allow to generate a code related to specific operation (provide a context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.
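Plain TOTP next to a code bound to the operation being confirmed, as an added example (not any bank's implementation; the binding format of time step, payee and amount is an assumption, and the key and payee strings are constructed):

```python
"""Plain TOTP next to a code bound to the operation being confirmed.

Added example, not any bank's implementation: the binding format (time step,
payee, amount) is an assumption in the spirit of the EU requirement above.
"""
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int = 6) -> str:
    """HOTP dynamic truncation (RFC 4226 section 5.3)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP. The code depends only on key and time: whoever obtains
    it can use it for any operation within the time window."""
    counter = struct.pack(">Q", now // step)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest())


def transaction_code(key: bytes, now: int, payee: str, amount_cents: int,
                     step: int = 30) -> str:
    """Code bound to the transfer details. Length-prefixed fields avoid
    ambiguity between e.g. payee 'A1' amount 2 and payee 'A' amount 12."""
    fields = [struct.pack(">Q", now // step), payee.encode("utf-8"),
              str(amount_cents).encode("ascii")]
    msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def verify_transaction(key: bytes, code: str, now: int, payee: str,
                       amount_cents: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code only for the exact payee and amount, within +-skew steps."""
    for delta in range(-skew, skew + 1):
        expected = transaction_code(key, now + delta * step, payee, amount_cents, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 6238 test key; constructed demo
    now = 1_700_000_000
    code = transaction_code(key, now, "payee-account-A", 12345)
    print("bound code:", code)
    print("same transfer:", verify_transaction(key, code, now, "payee-account-A", 12345))
    print("payee swapped:", verify_transaction(key, code, now, "payee-account-B", 12345))
    print("plain TOTP, no context:", totp(key, now))
```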

creer

Although to be fair this EU requirement tends in practice to make things yet still more cumbersome - requiring multiple authentications in one online banking session.

878654Tom

And I love that requirement. I do banking on my desktop and to confirm the transfers I get a push notification from a third-party application (ItsMe, so not a banking mobile app) with all the information I have entered.

I can confirm the transaction from a complete separate device while doing a second check if all details are correct.

Detrytus

The requirement per se is not the biggest problem. Implementation by different banks is. In my country I have several bank accounts.

One bank allows me to install mobile app on up to 5 smartphones, all I need is connect the smartphone to the Internet (e.g. through Wi-Fi).

Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards.

Yet another bank will only allow me to have the mobile app on one device. To activate it on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.

creer

Plus the "app" was written by clowns and doesn't really work for any reasonable idea of "work".

Meleagris

This past weekend I was struggling to teach my 97-year old neighbor how to login to his RBC Bank account. It was an 11 step process!!! The state of technology in the Canadian banking system is abysmal.

Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]

[1] https://productioncommunity.publicmobile.ca/t5/Get-Support/T...

ikesau

Also to pay taxes, you have to type "CRA" into your bank's "Add Payee" searchbox and hope you pick the right result out of 5 different options that all have CRA in the title.

It's mind-boggling that this is the solution we've settled on.

warrenski

Here in South Africa all the banks I know of moved away from SMS text messages for 2FA ages ago, and perform authentication in-app with biometrics instead. Having a banking app installed on your phone is pretty much mandatory, and criminals have no doubt grown wise to this fact. So what happens when someone holds a gun to your head and forces you to perform a large transfer of funds from your phone? I'm sure the banks will try to convince you that their fraud detection systems will come to your aid.

One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.

I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.

fn-mote

> I'd much rather delete the apps, unlink my devices from my account and use a TOTP authenticator app instead.

I'm not clear how this changes the gun to your head scenario.

I would want to see numbers before making policy changes based on potential armed robbery.

agentultra

Still not sure about Passkeys. Or biometrics. But agree that their SMS based systems are way outdated. Which is odd because, at least at the Canadian banks, the mobile and web experiences are generally pretty modern and good.

It’s almost like the various departments that make these systems don’t talk to each other.

noleary

> I don’t think anyone considers a bank account “low-risk.” Yet here we are, still relying on SMS as the default, and sometimes only, 2FA option

> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.

In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.

When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.

People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.

Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).

We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.

taco_emoji

> People really don't understand passkeys

Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?

kortilla

One of the “features” of a passkey is that you can’t point to it. It’s a fucking nightmare

idontcareatall

I. don't. care. Because we have to cater to the absolute lowest denominator, I now can't use my credit card 90% of the time because I can't receive SMS when I'm traveling abroad? No, not everyone has a fking iPhone and iMessage. Nothing in your comment serves as a defense of most places only having SMS 2FA. Why can Capital One email me every critical account notification, but can't email me 2FA/OTP codes for confirming transactions when I'm on the other side of the world? Why?

It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.

bberenberg

So an interesting trick I learned while suffering from the same issue is that roaming usually only applies to outbound data / SMS usage. So when I travel I disable data usage, and set my travel sim to be active and primary, but I can still receive SMS for free.