As an aside, it drives me up the wall that Facebook's 2FA settings are stuck on SMS. Although other options exist like a Yubikey or a TOTP scheme, even if you select one of those, Facebook still sends you a 2FA SMS whenever you try to login.
At this point I ignore it and use my TOTP app anyway, but it bothers me to no end, as it leaves my account that much more vulnerable to a hacker intercepting the SMS in transit and using it to break into my Facebook account. Facebook does not allow you to disable 2FA SMS without disabling 2FA altogether.
I've done development on these types of systems. I can't go into too much detail for obvious reasons, but your answer is yes. When the details of a transaction seem to be unusual or have an association with high risk or fraud, you'll get an email, sometimes a call, sometimes they'll immediately freeze your account.
It's a security measure to protect both the bank and the customer.
I've gotten a text from my bank after my first Bitcoin purchase on a newly issued debit card, with it saying that the transaction was flagged as suspicious and I needed to verify that I was actually the one who purchased it.
Not in those words obviously, but yes I have had numerous calls from credit card issuers during or after a large transaction. ATM cards or bank credit cards are usually tied to a bigger card issuer. These issuers have a lot of fraud prevention systems in place.
Not a phone call, but a couple of years ago I woke up to a text and a push notification from my bank (correctly) informing me that someone had used my account to pay for a hotel room and some other stuff and that they froze my account. I'm not sure if the person making fraudulent charges ever got caught, but they refunded me the money and issued me a new card, so it ended up only costing me the hour or so I had to spend at the bank that morning sorting everything out.
One time I flew to Texas and bought a camera. It wouldn't go through, I got a text alert from my bank, and I had to make the poor saleslady wait while I called the bank and told their phone rep that yes, this is me, the owner of the account, and I want this camera.
My bank (well a credit union) called and asked if I really wanted to buy 4 tires. Since I was having a bit of an issue paying it without the money in my checking account, I said yes. It surprised the heck out of me too.
The scheme is a very elaborate, multi-step process, so the risk is quite low. Once in motion it is nearly impossible to prevent by a bank, but it would be trivially preventable by Facebook, if they just bothered to check the URL and warn if they find it suspicious.
EDIT:
BTW this shows that sites like Let's Encrypt, which automatically issue certificates to websites, kind of defeat the whole purpose of certificates - they only check that the site exists and the requestor has admin access to it, but do nothing to check whether it is a legitimate business or a scam.
A green padlock in the address bar should mean that the site is trustworthy. Now it only means that the site admin knows how to set up HTTPS.
Trustworthiness of the organization behind a site is only half the story behind TLS, if that. The most important benefit IMO of secure connections is that some unknown-unknown party can't MitM your connection and read your data or inject malicious code. Trust in the intended participants in the conversation is really a different problem.
The problem with your scenario where https===trustworthy is that it doesn't leave any middle ground for a site to simply protect its and your information. It's either full bank-site security, or none at all. That's not acceptable.
> A green padlock in the address bar should mean that the site is trustworthy. Now it only means that the site admin knows how to set up HTTPS.
The green padlock means that you have a secure connection to the site you have selected to visit. We should not attempt to ascribe any other meaning to it.
You are deeply mistaken on the purpose of certificates. They say that the holder of the corresponding private key is who they say they are. DV checks the DNS name, EV checks the DNS name and the presence of a business registration with the relevant authority.
The purpose of certificates has never been a "not a scam" stamp, and no traditional certificate vendor was ever checking your business practices or legitimacy. Issuance of DV certs is just as automated at Verisign, etc.
Sure, in theory, but how do you solve a problem like this in practice? What is it about a given URL that makes it suspicious?
Is there a whitelist? Because then the press and the rest of the internet will cry censorship and stifling of innovation.
Is there an algorithm? Then the scammers simply learn how to game the algorithm and defeat it easily. (This applies to some easy checks like domain registration date too.)
Is it a team of humans? That's a lot of sites and a lot of humans to employ. What about user-reports? Now you have to deal with false reporting and abuse.
While it's possible for some combination of approaches to succeed here, it's not nearly trivial.
The padlock (even an EV padlock) doesn't (and cannot) claim that the website is honest. It claims the website is who it says it is and that no one can intercept the communications between you two.
It sounds like you fundamentally misunderstood what HTTPS certificates are for, because they absolutely do not reflect trustworthiness or "not a scam".
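As an added illustration of the two points above (the padlock checks the name, and DV/OV/EV differ only in which subject fields the CA verified), not code from any commenter: a Python sketch over the dict shape that `ssl.SSLSocket.getpeercert()` returns. The three certificates are constructed samples, and treating `businessCategory` plus `serialNumber` as the EV markers follows the CA/B Forum EV Guidelines' required subject fields.

```python
"""What a browser padlock actually establishes, using the dict shape that
Python's ssl.SSLSocket.getpeercert() returns once the chain has validated.
All certificates below are constructed samples, not any real site's."""

# Constructed: a Let's Encrypt-style DV cert carries no organisation at all.
DV_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
}

# Constructed: an OV cert adds the organisation the CA verified exists.
OV_CERT = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example"),)),
    "subjectAltName": (("DNS", "*.shop.example"), ("DNS", "shop.example")),
}

# Constructed: an EV cert adds business-registration fields (EV Guidelines
# require businessCategory, the registration serialNumber and jurisdiction).
EV_CERT = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("serialNumber", "12345678"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "bank.example"),)),
    "subjectAltName": (("DNS", "bank.example"),),
}


def _dns_name_matches(pattern, host):
    """RFC 6125 rules: a wildcard may only be the whole leftmost label,
    covers exactly one label, and is not accepted for *.tld."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or (p[0] == "*" and len(h) < 3):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def hostname_matches(cert, host):
    """The 'you reached the host you typed' half of the padlock."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(n, host) for n in names)


def validation_level(cert):
    """DV, OV or EV, read from which subject fields the CA actually vetted.
    None of these fields says anything about honesty or business practices."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    if "organizationName" not in subject:
        return "DV"   # only control of the DNS name was demonstrated
    if "businessCategory" in subject and "serialNumber" in subject:
        return "EV"   # a business registration was checked as well
    return "OV"
```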
AdmiralAsshat | 8 years ago
efrafa | 8 years ago
minxomat | 8 years ago
jwilk | 8 years ago
Huh? Do banks actually do that?
milkytron | 8 years ago
michaelt | 8 years ago
While I haven't experienced that personally, a friend reported getting such a call from his bank after he ordered $400 of fireworks online.
Unfortunately it's all pretty opaque and bank dependent - as far as I know, there's no way a merchant can trigger such a call, for example.
laken | 8 years ago
matwood | 8 years ago
saghm | 8 years ago
iandioch | 8 years ago
bitwize | 8 years ago
NicoJuicy | 8 years ago
protomyth | 8 years ago
mamon | 8 years ago
andrewflnr | 8 years ago
benchaney | 8 years ago
closeparen | 8 years ago
zeta0134 | 8 years ago
cm2187 | 8 years ago
kahnpro | 8 years ago
erpellan | 8 years ago