@Edent this is wrong and bank must be responsible for any losses. they clearly failed to identify customer The app can say: if it’s you, call us again number+3 digits from app+3 digits from the call. Bank Identity is established by a well-known number, the additional digits demonstrate that the same person is using the app and talking on the phone. May still be problematic if the attacker managed to login to the app. Better idea: just verify ID through a video call in the app.