Yes, I think if and when using an expensive tool such as a credit card becomes an invasive hassle, requiring a phone connection when traveling, at that point the better approach is cash. I don’t work for a bank, they work for me when its to my advantage.
When traveling, I always carry a cash reserve. I’ve never had any security problems whatsoever carrying and using cash, but have had quite a number using credit cards, all paid for by the issuing bank which charges a commission on the transaction to cover its added costs. Obviously the potential is there, but that’s my real world record.
SMS clearly can be weak but it depends on the situation. For example if somebody is using the I-message Apple feature, then your SMS messages will be copied elsewhere, which can in turn be vulnerable. I know of a guy whose affair was discovered that way; the messages were being copied to the “family Mac” 
If you have a serious enemy then anything is possible, including GSM spoofing. But short of that, it is quite difficult here in the UK. For example, to set up a new payee (without which it is pretty hard to be robbed ) you can select the option of a landline phone call to your house. And then you get an SMS confirming it has been set up. So the attacker would need to spoof both the landline and block the GSM message. And with FTTP (fibre to the premises) it will be a bit harder to do it physically… But that means you cannot set up a new payee while travelling. If you want to be able to do that, then attacks are easier because the attacker only needs your account details and your phone.
But so many people are basically disconnected from what one might call caring for the real world, they are vulnerable. And most old people are in that category. My mum, with dementia, was being “legally robbed” all over the place.
There is now some “EU law” here that business accounts must use a key generator (keypad). That may be because it is trivially easy to discover the bank details of a business. Many, especially German ones, have them on their letterhead, and you can easily pretend to be a customer and get it that way.
Another data point I got today suggests there has been a wholesale move here to SMS for every online transaction with a CC. Well, this is now across several banks. Great if you live in the countryside…
During a phishing call from "BT technician’ regarding my broadband, to convince me he said he was sending me a one-time password – although there had been no talk about me signing in to anything.
I live in a no-mobile-signal area. Two #### texts appeared later.
Well, Maoraigh, you are smart
But why would somebody want to send you a password?
It is trivial to send somebody an SMS, appearing to come from any called ID. My old Nokia 6310i phone could do that, when using with some free PC apps, and a cable.
But the spoofer still needs to know your number. Maybe it is online somewhere? Google on your number, with and without the +44, and see what comes up. You find the most interesting things 
For one thing, all this stuff is in the Autorouter briefing pack PDFs so if any of those ever gets posted online…
Another data point I got today suggests there has been a wholesale move here to SMS for every online transaction with a CC.
In Croatia practically all online card transactions have to be confirmed with dynamic passwords generated with mobile application or physical token. Card fraud is mainly done on sites that are not enrolled in 3D Secure.
Access to online banking is possible only using strong authentication based either on dynamic passwords (generated with token or mobile application) or on connected cards/tokens with certificate generating digital signature (PKI).
As a fraudster I would think much less complex than many of the “ideas” in this thread.
Even today there are still ATMs (in Europe – even more so in Asia) which do not have an online connection and therefore can not do any form of online verification. There are also merchants (both online but even more offline) where I can buy goods w/o online validation. So why even bother with 2FA
I don’t care if the money I take comes from the merchant, the credit card company or the account owner. All I care for is that after the “transaction” it is my money.
But why worry at all about those mechanisms. You can buy credentials for PayPal account with 1k balance for about 50EUR. Or full credentials for 10k US bank accounts for about 150USD. The challenge these days is not getting the credentials (or braking the security mechanisms). There are “professional service providers” out there who do that very efficiently.
The true challenge is to get the money you stole to some place where you can use them in a way that it can not tracked back to you. Even with Crypto it is getting increasingly difficult to obfuscate the money trail.
Mooney_Driver wrote:
That is weird totally. I got my cards for over 30 years and one has ever been blocked abroad.
It’s never ever happened to me either for some 40 years. Different banks, Europe, North America, Middle East, East Asia, Africa… A card sometimes don’t work in an ATM, although it should, which is super annoying – but never blocked.
Malibuflyer wrote:
Differentiation between Credit and Debit Cards is mainly a US thing (and to some extend UK).
Most European countries do not have this differentiation – and even in the US this differentiation gets blurred with daily booking credit cards which are basically like Debit.
Sweden has this differentiation. When you buy something with credit, the lender is jointly responsible with the seller for the goods. This also applies to credit cards, even if the credit only extends to the payment of the next credit card bill. I thought this law was due to an EU directive, but maybe not?
Certainly the same thing in the UK is not derived from any EU mandate. It’s the Consumer Credit Act of a year which I forget, quite a while ago, and if not actually predating the existence of the EU then certainly pre-dating the EU involving itself in things like this.
Edit: 1974, so well before the EU.
Malibuflyer wrote:
Differentiation between Credit and Debit Cards is mainly a US thing (and to some extend UK).
Most European countries do not have this differentiation
Belgium, Luxembourg and the Netherlands do.
