It’s been [well known](https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html) for [years](https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/) that [SMS](https://www.techrepublic.com/google-amp/article/top-5-reasons-not-to-use-sms-for-multi-factor-authentication/) is [terribly insecure](https://www.cnet.com/google-amp/news/do-you-use-sms-for-two-factor-authentication-heres-why-you-shouldnt/) as a [2FA method](https://www.zdnet.com/google-amp/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/). There have been [high-profile](https://www.coindesk.com/mobile-employee-sim-swap-crypto-hacks) documented cases of [text codes](https://www.theregister.com/AMP/2020/02/26/crypto_theft_att_judge/) being intercepted via [SIM swap](https://krebsonsecurity.com/tag/michael-terpin/) to gain access to an account.
Yet banks still use it universally.
I’d venture a guess that the only way to get banks to switch to something like OTP is to light a fire under them. Is there a legal case to be made that it’s willful negligence at this point?
(To clarify: I’m talking about U.S. banks here.)