What I specifically mean by "care literally at all" : banks have a policy of reimbursing people who had their accounts emptied despite taking reasonable precautions. This creates sane, linear incentives: banks care 1000x more about a $100,000 fraud than a $100 fraud; they care 1000x more about a scam affecting 100 people than a scam affecting one person, etc.

Unrelated, but for added spice, here's a thread from ten months where everyone agrees you're a fool unless you secure your coinbase account with google authenticator

https://www.reddit.com/r/CoinBase/comments/1h65zuh/account_h...

It's not linear at all. We had our identity stolen through an insurance scam (somebody used our bank account and somebody else's name to open a policy with Progressive, which apparently does not validate ACH debits). This resulted in premiums of ~$300, $300, ~$500, $1002.96, ~$900, ~$900, and ~$3000 as the attacker presumably racked up huge fraudulent claims on the insurance company. The first 3 bills were reversed by Wells Fargo because their fraud policy covers fraudulent charges under $1000. The 5th and 6th were reimbursed because they were reported within 60 days of being made (and were under the limit anyway). The 7th didn't go through because we had detected the fraud and closed the account by then. But the 4th was just over the $1000 limit that they would reimburse, and so they were like "Sorry, nope, you're on your own for that one." We even filed a police report and waved that at them, and they said "We don't care. Company policy." So the very counterintuitive and non-linear result was that they paid for the $300, $500, $900, $900, and $3000 charges, and stuck us with the $1000 one, just because it was $2.96 over their limit. (Part of me really regrets declining to prosecute, but I had a ton of other stuff going on at the time and the last thing I wanted to do was get involved in a court case.)

This is one of the main reasons I don't like crypto. If you get hacked, even if you did everything right, then you're out of luck. The funds are (generally) unrecoverable.

With my bank, I've been able to recover several thousand after a thief was able to bypass the 2FA app used to verify large transfers. (I still don't know how they were able to bypass the verification, and after investigating our bank never told us. Not sure that makes me feel all warm and fuzzy, but at least I was made whole with minimal fuss.)

In my actual real world experience of digging my elderly mother out of $25,000+ of scam debt, banks do not care at all unless they can be shown to be at fault, and then they weigh the loss expense vs the likely legal expense.

> banks have a policy of reimbursing people who had their accounts emptied despite taking reasonable precautions

In USA, banks are actually required by law to reimburse fraudulent account activity if reported within 60 days. However, this does not cover cases where the account holder themselves made the transfers even if they were tricked into doing so.

But if someone gets your login and liquidates your bank account, in USA a least, the bank is 100% responsible for that fraud.

Credit card companies are 100% responsible for fraud regardless. Even if they try to market it as a perk "You're never responsible for unauthorized transactions". Yeah, no shit. It's the law.

yubikey is better