by mcv 4424 days ago
A PIN is just a very short password. A bank using only a password would of course be ridiculously negligent. All banks I'm familiar with use 2 levels of authorization: 1 to log in, 1 to authorize payment.

I have 2 bank accounts. One with ING (a major Dutch/international bank), which uses a password (without special characters, unfortunately) to log in, and an authorization code to authorize payment. In my case, that authorization code comes from a piece of paper with a bunch of one-time codes on it. This is an old system that dates back to when you called them directly by modem, rather than over the internet. Nowadays I could also have the code sent to my phone. But phones can also be stolen, so I don't see the point.

My other account (at Triodos, a much smaller Dutch bank) uses a PIN + hardware token at both stages. I wouldn't also having a ridiculously long password there.

1 comments
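The two-stage scheme the comment above describes (one credential to log in, a separate one-time code from a pre-issued list to authorize each payment) can be sketched as a small model. This is an added example for illustration, not code from the commenter or from any bank; the account structure, the function names and the sample codes are all constructed here. The point it makes concrete is that a stolen login password alone cannot move money, and that each authorization code is burned after a single use.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked database does not hand out login passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(password: str, one_time_codes: List[str]) -> Dict:
    """Constructed account record: login credential plus a paper-style list of
    single-use transaction authorization codes (code -> already used?)."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "password_hash": _hash_password(password, salt),
        "one_time_codes": {code: False for code in one_time_codes},
        "sessions": set(),
    }


def login(account: Dict, password: str) -> Optional[str]:
    """Stage 1: verify the login password and return a session token, or None.
    A valid session by itself authorizes nothing but viewing the account."""
    candidate = _hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["password_hash"]):
        return None
    token = secrets.token_hex(16)
    account["sessions"].add(token)
    return token


def authorize_transfer(account: Dict, session: Optional[str], code: str, amount: int) -> bool:
    """Stage 2: a payment needs BOTH a live session and an unused one-time code.
    The code is marked used on success, so replaying it is rejected."""
    if session is None or session not in account["sessions"]:
        return False
    used = account["one_time_codes"].get(code)
    if used is None or used:      # unknown code, or already spent
        return False
    if amount <= 0:
        return False
    account["one_time_codes"][code] = True
    return True


if __name__ == "__main__":
    # Constructed sample: a password and two codes from a hypothetical paper list.
    acct = make_account("correct horse battery", ["48213", "90517"])
    session = login(acct, "correct horse battery")
    print("login ok:", session is not None)
    print("first use of 48213:", authorize_transfer(acct, session, "48213", 200))
    print("replay of 48213:", authorize_transfer(acct, session, "48213", 200))
```

In this model a password alone gets an attacker to the session stage only; every transfer still consumes a code from a list that never leaves the account holder's hands, which is the property the commenter is relying on.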

All of the bank accounts I have in Canada let me send $2000 with nothing but a password. They also won't let me use non-alphanumeric passwords and don't support any two-factor authentication. Same in the US.

Of course, if anyone did try to steal my money this way, the bank would reverse the transfer and give it back to me.

Sounds very insecure for a bank. Will they really automatically reverse any transfer you object to? What if they don't control the target account? What if there's no money on the other account anymore? What if it was a legitimate payment, you got what you ordered, and then you had the payment reversed?

I see a big hornet's nest of potential problems in a system like that.

I guess they try to pull it back and if it's not possible they eat the cost. I imagine any bank that tried to force people to use 2FA and/or get rid of the zero-liability policy would lose a lot of customers.