Really what we need is reverse 2FA: when I'm on a call with someone who is asking for sensitive info, I should be able to generate a 6-digit number in their app or website and request that they verify it. If they can't verify it, they're not with the bank. Simple.
I had an issue where a bank (Chase) called me to verify a transaction it felt was illegitimate. The first thing the bank employee (who claimed to be with the fraud department) did was send me an SMS 2FA code that clearly said "do not share with ANYONE". I told him that and he said "yes, but I need it to confirm you are who I'm trying to reach; if you don't give it to me I will lock your account" ... My account was locked and I had to go into a branch and present 2 forms of photo ID to create a new userID and password and be able to use my cards/access my (new) account again.
I had some very strong words for the branch manager and anyone who would listen about how terrible a security practice it is to give those sorts of conflicting instructions.
The complaint should go to the Office of the Comptroller of the Currency (Chase’s primary regulator) + the Consumer Financial Protection Bureau (their consumer regulator if you’re a non-business account) + the media, not to the branch manager. I doubt the branch manager has any control over this policy or any way to communicate your frustrations to anywhere with power to act on them.
That said, maybe they’ve fixed this since it happened to you: as of 2023, Chase’s Sapphire credit card department seems to be able to verify my transactions as legitimate or fraudulent and complete my live identification to a customer service representative without replicating your experience. They allow me to validate transactions by replying to email or SMS notifications which mention the specific transaction, and they can involve their mobile app in attempts to live verify my identity.
> That said, maybe they’ve fixed this since it happened to you: as of 2023, Chase’s Sapphire credit card department seems to be able to verify my transactions as legitimate or fraudulent and complete my live identification to a customer service representative without replicating your experience. They allow me to validate transactions by replying to email or SMS notifications which mention the specific transaction, and they can involve their mobile app in attempts to live verify my identity.
So, that was all possible back then too. This was specifically for an attempted ACH transaction between my Chase account and my Discover account; it was a large amount of money and Chase didn't think I was the one who initiated the tx even though I'd already verified the other account in Chase. They were concerned my actual account was hacked... In that case, as others have said, calling a phone number and then sending a text to that same number doesn't add any additional verification for them: if I can answer the phone call I can see the text. Obv, if they suspect my account was hacked there really isn't a way to verify using any of the existing account info.
This is how my bank handles it as well. I just get a text with the charge line and amount, and it prompts me to reply either YES or NO (or maybe STOP, it's been a while). If I say YES or STOP, it stops payment and prompts me to call whatever the department for that is with a phone number.
It seems to also hint to their fraud system. I think the last one I got was when I was traveling, and it quit asking if the charges were authentic after the first couple.
HSBC does this, it's Y/N for them as far as I remember. Accidentally put N one time and found they cancelled my CC. Was super annoying bc I had to wait for a new one to arrive but I guess a scorched earth policy is good (esp when they're liable for fraudulent use).
Are you sure it was really a Chase representative on the phone with you? It’s sometimes possible to cause an account to be locked without being able to log in by doing too many login attempts.
Yea, I’m like 90% sure it was a Chase rep in the end, based on what the in-branch people were saying. Though it sounded like it was someone in a local office and not part of a large call center team.
No. What we really need is mutual authentication, where both parties talking over a phone can confirm each other's identity simultaneously, as part of a single process (assuming one or more previously established secrets). Ideally, with a piece of human-readable metadata attached to it that describes the purpose of the authentication.
So banks no longer ask you to read back an SMS, you no longer have to guess whether that's legit, and you both know what this authentication is for (spelled out in natural language).
If you have Internet connectivity, it should use it to perform all the communications, leaving both sides with a simple interface (as simple as tapping "confirm" or "reject"), and if Internet isn't available it should provide an ability to still perform the protocol by reading some phrases and typing in what you hear back.
Some financial institutions are bizarrely inept when it comes to security.
I had one once that had an authentication question in their phone banking script that asked how a certain system was set up, option A or option B. Given that I was calling to set up that exact system, neither answer made sense. The agent I was speaking to was seemingly unable to comprehend this, and I got sent to a branch having failed the ID check.
I went to my local branch with enough ID bearing photos and recent addresses to pass all the usual KYC/AML checks to open a new facility at any major financial institution in my country. Having explained the situation and showed that ID to a bemused but sympathetic member of staff, they called their magic phone number to speak to the relevant team, gave their staff credentials, and confirmed that I was present in person with them and they had personally verified my ID. They were then transferred to apparently the same phone system I’d called from home myself, which got stuck at exactly the same ID check.
Didn’t stay there long, though longer than the place whose “security team” called me and started the conversation with, “Good morning, I’m calling from the security team at (my bank). Before I can talk to you any further, I need to verify some personal details to confirm your identity. Can you please tell me (the top three things I’d need to know if I were an identity thief and wanted to impersonate you with other services)?” I particularly liked the anonymous phone number they were calling from. And in case anyone’s wondering, I did call the bank back at one of their public phone numbers, and they confirmed that the call I’d rejected was from them.
As much as I tend to agree with you, people who have loans, particularly mortgages, which are frequently traded amongst financial institutions, are locked in to a particular company like it or not.
But for retail banking, supposing you actually have the option, yes, absolutely.
> people who have loans, particularly mortgages, which are frequently traded amongst financial institutions, are locked in to a particular company like it or not
When we got the mortgage for our house, we went out of our way to arrange it with a bank with which we had (and have since had) no other dealings.
Result: Our "mortgage bank" has no insight into our day-to-day finances. Our "day-to-day bank" has no insight into our mortgage.
There are certain banks out there that don't sell your mortgage. The bank I have my mortgage through is one of those. Admittedly, they're kind of rare, but do exist.
This is accurate. One would expect a lot better from the fraud department of such a major bank but here we are... Their phone calls are almost indistinguishable from phishing attacks.
I usually politely tell them that I am going to hang up and reach their fraud department through the phone number on their website. I've never had my account locked.
Let's assume that whoever you're talking to is either really with the bank or some crook who does not have access to any of your banking information.
You can simply ask the crook to name the amounts and descriptions of the last several transactions in your primary checking account. Or the statement amount of your most recent credit card bill on a particular card.
IMO we need the certs / public key / TLS stuff for phone calls, essentially.[1] I call them, they challenge me to prove my identity by enc/sig something in a way only I can, then they have to do the same with both their organizational identity and their employee identity (it's an authorized activity on behalf of the bank, and of that person). We need this kind of thing, and a replacement for Social Security Numbers / Social Insurance Numbers (or other similar national identities).
[1]: (I'm probably mixing up some of the crypto specifics here, but hopefully a crypto expert can chime in and straighten them out)
Unfortunately in the US it’s a nonstarter because of the perceived privacy issues. People cannot wrap their heads around the fact that we already have a mandatory national ID, and therefore oppose what they see as the creation of one.
The core argument essentially boils down to the fact that they never use their social security number, therefore it’s not an id. Which is obviously incorrect for a number of reasons, but here we are.
The only real solution here is for the problem to get so bad that the angry majority overrules the loud but uninformed nut bars.
That doesn't sound like it adds any security at all to me. They call you on a number and send the SMS to the same number, so anyone with that phone can see the code and repeat it to them. At the very least they should have used a different channel.
It's worse: they call you while at the same time they try to log in to your account, and only the 2FA number is missing. So they try to make you dictate the number so they can log in to your account.
P.S. I don't know how Chase login happens, not a Chase customer.
IME, username + password along with an occasional and random "we don't recognize your machine" where they send a 2FA code over SMS.
Entertainingly, they seem to sniff user-agents in some way. Firefox on Linux works fine, but I tried to log in with Firefox on OpenBSD recently, and it just kicked me out suggesting I try their mobile app[0]; I tried the ungoogled-chromium package, and it worked. Apparently, this presents a FreeBSD user-agent string.
I sort of want to switch to, well, any other institution, but my family is terrified "what if there's not an ATM nearby?" Strangely, I've never had easy access to a Chase machine on any holiday or business trip I went on.
[0] I love it when they know I'm on a desktop and still encourage you to install their zippy new app. PayPal, I'm sure that iOS app has a Void package.
Many smaller banks (or banks without large ATM networks) offer fee reimbursements 3-5 times/month for using non-branded ATMs. For most people who rarely use ATMs to begin with this is usually enough.
What he's saying is that the process Chase is following doesn't add security, because they're texting me a code to the same number they're calling me on; if I can answer the phone I can see a text to that phone number.