The supreme court of Norway just denied an appeal from a bank on a similar case in Norway. The person had been phished over a telephone call, and gave away passwords and 2fa token to what they believed was a bank employee.
In Turkey, 2FA tokens for banks generated by app or sent by SMS all contain a message about never giving the token or your password to a bank employee...
so if Norwegian banks did the same as Turkish banks, the customer is now fully liable for doing the exact opposite of what they've been explicitly told never to do by the warning clause accompanying each 2FA message
Not how the law works here - you're always liable in either case, but it is hoped that the message might prevent some cases of fraud.
It's difficult to secure people against social engineering...