Most such mechanisms force you to click a link in an email, no? A cracker now needs your email as well — are you telling me the bank doesn’t even adopt this simple safeguard?
My bank required me to telephone in (using a separate verbal password) when online password was reset , though I think they now have an online automation to do it. :dubious: