I have such immense disdain for Capital One and MasterCard for how they implement 3DS.
I have been in Germany for 6 weeks. I have spent thousands of dollars between flights, train tickets, and hotels. Guess what I have to do every, single, time I buy a 3EUR train ticket? Receive an SMS on my American cellphone number.
Their "solution" is to have a family member in the US add their number to my account, wake up in the middle of the night and relay TOTP codes to me. FOR A 3EUR TRAIN TICKET. Multiple times a day. From the same damn train company.
I'm willing to pay $1000 yearly fee for a competent credit card company that sends me TOTPs over Email (just like they send me charges [but of course, not refunds/canceled-authorizations]). Or let's me use a Security Key.
The funny thing is, they happily text these codes to VOIP SMS numbers, which I can (and do) route to my email anyway.
It's abusrd that my Xbox account is both more secure and less annoying to use than my credit card. Again, for a 3EUR train ticket. I feel like we're slowly entering this dystopia Kafque-esk nightmare, and yet, as always, there's people in the comments here insisting this is fine, or that I deserve it.
I'm going to assume the people saying "use cash" have never set foot into the real world. Yes, let me put cash into the non-existent train ticket machines, or to the non-existent train attendants. In the 3 minutes I have before my train comes.
Not the same (it’s a debit card), but when Schwab locked my debit card after I tried to buy a transport pass in Poland, a quick phone call got me a human who apologized, put a travel alert on my account, and gave me $50 for the inconvenience.
As for C1, they updated the app while I was in Ukraine, and it wouldn’t even let me log in; I had to use a VPN.
If Schwab would fix their account security to allow plain TOTP instead of the scam that is Symantec VIP, I would have nothing but good... well, there was the two times, yes, two times in a month that I had to spend hours on the phone telling them to stop letting people randomly transfer securities into my account without my consent. They assured me that (1) it would be illegal for me to refuse the request to take back the money and (2) that I could not block future transfers-in from happening and they could not implement a system requiring my authorization before such transfers. The clawback letter from the originating bank even pointed out that they hadn't noticed until I raised flags.
I loathe American financial companies, mostly because they all seem rankly incompetent.
> If Schwab would fix their account security to allow plain TOTP instead of the scam that is Symantec VIP
Symantec VIP is just TOTP with a proprietary app/enrollment process. It has been reverse engineered [1], allowing you to use any TOTP app. I have been accessing Schwab and other banking sites this way for years.
I know, and I still resent them for making me run Python. Hell, even Ameriprise got their act together and has support for plain TOTP. I about fell out of my chair when I saw that.
Interesting. I was considering opening a second account specifically as a backup card and hedge against lockouts while travelling, and Schwab was high on my list, but it sounds like based on your experience that they are not fit for purpose.
The way it was explained to me is that this (a glorfied Excel sheet of transfers that get executed at a certain hour of each day) is just how intra-bank securities transfers work and that I mostly got unlucky that (1) the intended recipient was at Schwab (2) whoever was doing these transfers has dyslexia and my account was a number transpose off.
For the most part, their customer support has been excellent. I had an ATM in France eat a card, and so I infact have two bank accounts with them. They refund ATM fees, have never given me a hard time about international withdrawals, do support TOTP, albeit in a round-about way, send very prompt email alerts with customizable thresholds. Of all the banks I've had, I'm most happy with them. Just consider if you need access to a physical branch. Luckily, despite my whining, my needs are rather simple.
I've used Schwab for 11 years and nobody has ever transferred securities into my account without my request. My biggest complaint is not supporting U2F/WebAuthn/Passkeys. My second biggest complaint is that their brokerage billpay was extremely broken and always locked me out of my account. That was always a "call support" type situation. But... they fixed that! They knew the system was bad, so they replaced it with one that's not bad.
In general, I think they have done a fine job. I have worked with them to transfer in old 401(k) accounts. I used a wire transfer out of Schwab to buy my apartment, which cleared in less than a minute. I have called support and they have been helpful and efficient. I really don't have any complaints.
Get a Google Voice account to accept the SMSes for you, it's free and Capital One will complain about the number but accept it.
I permanently live overseas but with US bank accounts and cards, and all my cards go through cycles and phases. Sometimes they want to send SMSes for months to verify account access, then they stop. Same for transactions. Some will refuse to work on Amazon.de for months, then start working. Some physical cards will work on contactless terminals then completely stop working or become unreliable. (The workaround is to add them to Google Wallet).
One interesting thing is that even when banks insist you notify them that you're OS, if you keep using your card OS they will just accept it and ignore the period you've stated as being OS.
I was one of Google Voice's first customers, then a Fi customer, they horribly mistreated, left me stranded in unknown-to-me areas with no functioning service and basically told me... not nice things. Then, told me their systems could transfer my number from Fi back to Voice. So, no, I'll go with my home-made solution, Telnyx has been amazing. They (1) manually gave me an account with a Gmail address, (2) fixed their HCaptcha-before-2FA login bug for me, (3) tracked down and blocked spammers for me multiple times now, and I'm probably the tiniest customer they have. And they're not Google.
And here I am trying to give Capital One some good faith. I've called them three times since I've been here and they insist that MasterCard forces them to do this.
Just reaffirms my suspicions that I need to shop around. I'm traveling and putting enough money on this card to start looking at ones that actually charge a fee and have decent "rewbates", I mean "rewards".
Less sarcastically, thanks for the heads up. I'd be greatful for any other hints of people that might not hate their credit card provider they want I do.
Not sure if it works in Germany as a US citizen, but next time try walking into a bank, explaining the situation and asking for a prepaid card. (E.g. we have the Mastercard Red in Austria.) It will take some time, you'll have to show ID, but it may solve the 3 EUR annoyance.
Trust me, I'm taking notes! I've tried researching this, but "credit card company that sends TOTP over email" is not really Google-able. Revolut is on my list now, though. Thanks!
I travel with debit cards from 3 different banks for this reason.
Look for banks that issue virtual cards that can be used with Apple Pay / Google Pay. But you also need ideally two physical cards, since one bank may block your physical card for "fraud" while traveling, and now you're stuck and unable to buy a train ticket.
Credit cards are only necessary for car rentals, which is a major pain, but sometimes they can just make a reservation charge of 1000 EUR that they later cancel.
The benefit of virtual cards is that you usually get a notification (if you have internet) that your card is blocked, and details about the transaction, which makes it easier to unblock, and understand why the transaction/card was blocked.
Also need credit cards for some hotels, and a high limit if you plan to stay at several hotels in quick succession, as it takes a few days to weeks for a hold to be released.
With several of my (physical) credit cards, I get an SMS and Email when a charge is blocked, and I can log into my internet banking to assert that the charge was actually me. About 5 minutes later the card is unblocked and I can retry the charge.
I wanted to use them, but they'd only accept payment via Plaid, that ridiculous service where I have to hand my banking password to a third party -- you know, the exact thing that we all know to never ever do. That's a nope for me, sadly.
Are you sure? My USD Wise "account" has no sort code nor account number (unlike other currency accounts I hold), so nobody can initiate an ACH transfer into it. There is a button to initiate an ACH transfer "in" but it has to come from my linked bank account. Linked with the aforementioned Plaid.
Except the card won't work as they say it should as chip-n-pin in Europe (signature required every time and of course it doesn't work for transit). At least not if you're me. Spent hours going back and forth with their support to be finally told that I should try requesting a new card.
Yeah, they send verification codes via app notifications. I am so glad I got one before my international vacation this summer. Wise card worked where nothing else would.
Wells Fargo has TOTP over their App. They used to suck as an international option, but now they are my go to. They also give you a little device that generates TOTP numbers offline. Quite handy if your mobile is disconnected, you lose your number, etc...
I have been in Germany for 6 weeks. I have spent thousands of dollars between flights, train tickets, and hotels. Guess what I have to do every, single, time I buy a 3EUR train ticket? Receive an SMS on my American cellphone number.
Their "solution" is to have a family member in the US add their number to my account, wake up in the middle of the night and relay TOTP codes to me. FOR A 3EUR TRAIN TICKET. Multiple times a day. From the same damn train company.
I'm willing to pay $1000 yearly fee for a competent credit card company that sends me TOTPs over Email (just like they send me charges [but of course, not refunds/canceled-authorizations]). Or let's me use a Security Key.
The funny thing is, they happily text these codes to VOIP SMS numbers, which I can (and do) route to my email anyway.
It's abusrd that my Xbox account is both more secure and less annoying to use than my credit card. Again, for a 3EUR train ticket. I feel like we're slowly entering this dystopia Kafque-esk nightmare, and yet, as always, there's people in the comments here insisting this is fine, or that I deserve it.
I'm going to assume the people saying "use cash" have never set foot into the real world. Yes, let me put cash into the non-existent train ticket machines, or to the non-existent train attendants. In the 3 minutes I have before my train comes.