[lxgr]

> Seems like an absolutely rare edge case to me.

Bank and payment card transactions are arguably a pretty big part of everyday life to most people.

> I doubt there is a law that says that.

Reg E/Z in the US and PSD2 in the EU pretty firmly put the burden for these types of situations/losses on the bank/PSP. They don't specifically mandate the "how", but for better or worse, industry perception and common practice is for that to include root detection, blocking VoIP numbers from receiving SMS-OTPs etc.

> That means the law should be changed.

The law that makes banks liable for most cases of account compromise? I'm actually quite happy with that, even if it comes with some unfortunate externalities.