
Solid password practice on Capital One's site? Don't bank on it

csimon

Capital One have an odd view of security, so much so I recently stubbornly cancelled my long-standing credit card with them after they stubbornly refused to admit they'd dropped the ball. They'd brought their outsourced customer portal in-house therefore it had been rewritten and required everyone to set up their account again. But they forced two-factor authentication via SMS to activate it, where the one-time code expires after 10 minutes. I live in an area where there is no mobile reception, so there was actually no way I could activate the new portal, while sat at home. I couldn't drive up the road to where there is a signal in order to receive the code because by the time I got back it would have expired. I tried to contact them, which was difficult as there were no contact details or help info on the registration page and you have to go through hoops to contact them, but their only reply was to use someone else's computer to register, where there will be mobile reception. Using an unknown network/computer is against their own security advice, and SMS TFA is now starting to be considered insecure anyway. For a bank that is supposed to take security seriously, they don't instil any trust that they actually know what they're doing.
