That doesn't sound like it adds any security at all to me. They call you on a number and send the SMS to the same number, so anyone with that phone can see the code and repeat it to them. At the very least they should have used a different channel.
It's worse, they call you, while in the same time they try to log in your account, only the 2FA number is missing. So they try to make you dictate the number so they can log in your account.
P.S. I don't know how Chase login happens, not a Chase customer.
IME, username + password along with an occasional and random "we don't recognize your machine" where they send a 2FA code over SMS.
Entertainingly, they seem to sniff user-agents in some way. Firefox on Linux works fine, but I tried to log in with Firefox on OpenBSD recently, and it just kicked me out suggesting I try their mobile app[0]; I tried the ungoogled-chromium package, and it worked. Apparently, this presents a FreeBSD user-agent string.
I sort of want to switch to, well, any other institution, but my family is terrified "what if there's not an ATM nearby?" Strangely, I've never had easy access to a Chase machine on any holiday or business trip I went on.
[0] I love it when they know I'm on a desktop and still encourage you to install their zippy new app. PayPal, I'm sure that iOS app has a Void package.
many smaller banks (or banks without large atm networks) offer fee reimbursements 3-5 times/month for using nonbranded atms. for most people who rarely use atms to begin with this is usually enough.
what he's saying is that the process chase is following doesn't add security, bec they're texting me a code to the same number they're calling me on, if I can answer the phone I call see a text to that phone number.
