Will smartphone ownership become a de facto requirement?

[Scott5114]

Heck, mob-rule used to send your password over an HTTP GET request, meaning it was plainly visible in the URL of the page you were visiting.

But it never mattered because what's someone going to do with that password, log in and mess with my county map? Oh no.

[jeffandnicole]

But I shouldn't have to have 2FA and a 46-character password, 3 characters of which must be upper case, 2 lower case, 4 that are neither upper or lowercase (but not punctuation or numbers), 1 number, one punctuation mark that isn't an asterisk, one character that is only part of the Norwegian and/or Icelandic alphabet, and one emoji, to sign into the account where I buy cat litter. What's a hacker going to do, change my subscription from the pink kind to the blue kind? Oh nooooooo.

As flippant as you are trying to be, that hacker can change the delivery address from your address to a another address that they can pick up from, increase the quantity of both the blue and pink kitty litter, add in additional expensive items, and resell the stuff on Craigslist. And, your address and phone number can be used for false applications. To quote a line from the move The Incredibles:"Your identity is your most valuable possession. Protect it."

SMS-based 2FA is kind of irritating anyway since most of the time I'm on the computer because I don't want to be on my phone, which I usually leave in the other room if I don't need it for anything. So I have to get up and go to the other side of the house to get it to enter some dumb 6-digit number in. At least if it sends to my email I can check it without getting up.

According to this article, about 62.5% of United States households are only using mobile phones. And, yes, you can view text messages through your computer's web browser. That "dumb 6-digit number" can prevent impersonators from accessing personal identifiable information which can be utilized to create false credit cards, mortgages, and so on. That ounce of prevention is better than years of cleanup.

But here's the thing...I don't care.

The odds of someone hacking into that account and doing that, and the level of harm it would do me, are low enough that it doesn't justify the amount of added effort 2FA adds.

If someone did that, I would notice the increase in charge on my bank statement, go back and correct it, and have the bank reimburse me/chargeback the fraud. It would be pretty clear-cut that it was fraud, since it was shipped to an address that wasn't mine. The only thing I would really be out at the end of the day is a few hours worth of shoe leather dealing with the bank.

And that presupposes the place has my credit card saved. That's usual on things like Amazon or subscription services, but it's not a given anywhere else. And I generally don't save my credit card on sites where I just sporadically buy things here or there. On my own e-commerce website I don't allow people to save card information because I don't want stewardship over that data.

I own an LLC so my address and phone number are public record that the Secretary of State's website will cheerfully hand out to anyone that asks. I own a house so they can get it from the county assessor's site too. I can be as paranoid about that as I want and it won't make a damn bit of difference, it's already out there.

However, you're under the impression that a victim is always a victim. You can't just "have" the bank give you your money back. They're going to investigate it first, and may or may not "loan" you the missing funds during that investigation. Anyone can have a payment address and shipping address be different...paying for something then shipping it directly to another recipient as a gift is ultra-common.

So, put yourself in the shoes of an investigator. Everything you described is what many self-scammers do, thinking they can con the system.

[Scott5114]

However, you're under the impression that a victim is always a victim. You can't just "have" the bank give you your money back. They're going to investigate it first, and may or may not "loan" you the missing funds during that investigation. Anyone can have a payment address and shipping address be different...paying for something then shipping it directly to another recipient as a gift is ultra-common.

So, put yourself in the shoes of an investigator. Everything you described is what many self-scammers do, thinking they can con the system.

But, again...I don't care. I just don't.

Say getting my account at Rita's Online Cat Litter Emporium hacked into and recovering the funds is 100 inconvenience points. Dealing with 2FA to log into my account is, say, 10 inconvenience points. I'm avoiding 100 inconvenience points that I may someday, possibly, potentially accrue in exchange for 100 inconvenience points I will definitely, no doubt accrue after logging into the site 10 times because Rita decides she needs to have her cat litter locked down like Fort Knox. I have decided I can tolerate a level of risk commensurate with having 1FA instead of 2FA.

You could avoid a whole lot of fraud at Walmart too if they asked for two forms of ID to verify you're the valid holder of a credit card. They don't do that. Because it's a pain in the ass to carry two forms of ID, so people would complain, and it would catch a lot of things that are technically fraud that nobody cares about, like someone using their wife's debit card or someone giving someone else their card to go run to the store for them because they can't/don't want to themselves. Again, that introduces a level of risk into the transaction that both the customers and the store has decided is tolerable.

The least risky thing is to calculate to the penny exactly how much money you're going to spend, go to the bank, pull out that amount to the penny, go directly to the store, and spend it. Even then you might get robbed on the way between the bank and the store. So the safest thing to do is stay at home and never spend any money ever. Except...you can't do that.

I'm sorry your bank sucks. Any time I've had a fraud case, my bank has cancelled the transaction and refunded the money. Hell, most of the time they catch it within minutes of it happening and tell me about it before I have any idea it happened.

[kalvado]

One thing for sure - security and importance of information must match. And sometimes overly eager protections and services do more harm than good. But if something is done, it must be usable option, not "lets try and see" 
You strongly want to keep my credit card number on file? Sorry for fake charge, so sad, to bad, I specifically tried to avoid letting you keep that.
Bank sending transaction alert 3 days after transaction is cleared? Oh, is that really my bad? If you want to do it, do it well.
Making me change a password every 3 months when I need to login every 2 months? Disallowing browser storage? And gazillion letters and punctuation marks? Fine, high security one you got. I also wrote it into a passwd.txt on a desktop.

It is not only convenience over security, it is also about acute idiocy of those in charge

[vdeane]

Given how much people re-use usernames and passwords across the internet, someone who got a mob-rule user's credentials would then try those credentials on other sites - and if one of those matched, said user would have a much bigger problem than a hacker changing their county clinches.  Especially if the shared password is with one's email.  Once you control someone's email, you basically can gain control of everything else via "forgot password" requests.

Regarding password managers, they've always struck me as having the flaw that someone who gains access to the computer/account would then have access to all one's user accounts online.  Especially Chrome's, since it's stored on a Google Account.  As such I only use Chrome's saved passwords for less important things like this forum.  Really important stuff like banking is all memory.  Fortunately consumer-oriented things rarely enforce password changes.  For work, given how many accounts we have and how they periodically need to be changed, I ended up devising a scheme and then writing codes in a text file that I can use as a key to remember which account is using which password.  Although that did have the beneficial effect that when IT reactivated accounts for everyone on some service that's only used once ever couple years, rather than have to go through the "forgot password" system like everyone else did, I just looked up the code and typed in the old password and had everything work.  Of course, there's also the system that just gives you a password of random letters/numbers that cannot be memorized with no way to change it... I'm not sure what they were thinking, but that one is just pasted there in plain text for me to copy/paste, and anyone who broke into my files could do the same thing.  Clearly the people who coded that system did not think things through.

Microsoft is currently trying to push using text message codes as the exclusive way to log in to Windows.  That strikes me as a really bad idea given threats like SIM swapping.

[jeffandnicole]

I'm sorry your bank sucks. Any time I've had a fraud case, my bank has cancelled the transaction and refunded the money. Hell, most of the time they catch it within minutes of it happening and tell me about it before I have any idea it happened.

Being I've never had a fraud case with my bank account, I'd say my bank sucks less than yours.

The fact that people are getting into your account seems to say you have some security issues that need to be handled.

[Scott5114]

I'm sorry your bank sucks. Any time I've had a fraud case, my bank has cancelled the transaction and refunded the money. Hell, most of the time they catch it within minutes of it happening and tell me about it before I have any idea it happened.

Being I've never had a fraud case with my bank account, I'd say my bank sucks less than yours.

The fact that people are getting into your account seems to say you have some security issues that need to be handled.

Well, it's not anything foisting 2FA on me would fix; any time it's happened it's been a random attack not linked to any of my existing accounts. The most recent of them was a debit card that was only used online in one place, and that was with a 2FA account. Otherwise, that card had only been used at Lowe's and a non-recurring charge at the electric company, and the fradulent charge was to Waffle House. The only other one I can remember was a random charge at a gas station in California (I've never been to CA).

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

[TheHighwayMan3561]

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

I know some people write "See ID" on their cards, but back when I worked in fast food I didn't have time for that because I need to get your ass in and out of my drive thru and I don't really care anyway.

I got one reminder from management (suggesting someone complained to management that I didn't check their ID), but otherwise I never heard about it again.

[zachary_amaryllis]

[some things snipped]

Microsoft is currently trying to push using text message codes as the exclusive way to log in to Windows.  That strikes me as a really bad idea given threats like SIM swapping.

i wonder how that's gonna work out for people who live in areas with no cell service?

[jeffandnicole]

I'm sorry your bank sucks. Any time I've had a fraud case, my bank has cancelled the transaction and refunded the money. Hell, most of the time they catch it within minutes of it happening and tell me about it before I have any idea it happened.

Being I've never had a fraud case with my bank account, I'd say my bank sucks less than yours.

The fact that people are getting into your account seems to say you have some security issues that need to be handled.

Well, it's not anything foisting 2FA on me would fix; any time it's happened it's been a random attack not linked to any of my existing accounts. The most recent of them was a debit card that was only used online in one place, and that was with a 2FA account. Otherwise, that card had only been used at Lowe's and a non-recurring charge at the electric company, and the fradulent charge was to Waffle House. The only other one I can remember was a random charge at a gas station in California (I've never been to CA).

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

I pretty much permanently have one of my wife's cards with me.  And I think she has one of mine.  We don't give it a second thought...and neither does anyone else.

On occasion, where a restaurant had a credit card terminal at a table, I'll "sign" it with pretty much anything I feel like drawing.

[Sctvhound]

You pretty much have to have one for sports to buy a ticket unless you want to be limited to high school sports. And some high school teams don't take cash at all. That might be the biggest difference during the pandemic.

In 2019, there were many high schools that didn't even take credit cards, at least in my area. Everything was about the "cash"  gate, even with $7 admission. You had to have enough cash to get in.

[1995hoo]

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

I know some people write "See ID" on their cards, but back when I worked in fast food I didn't have time for that because I need to get your ass in and out of my drive thru and I don't really care anyway.

I got one reminder from management (suggesting someone complained to management that I didn't check their ID), but otherwise I never heard about it again.

I worked at a computer store (Micro Center) one summer when I was in college and they required us to check signatures on cards (one guy was fired for not doing so), and they wouldn't let us accept "See ID." Period. A few customers got belligerent about it; I invariably said, "Hey, I'm just following instructions and I'm not going to risk my job because of how you want to sign your card. I'll be happy to call a manager." Nowadays it'd probably wind up on the news due to a violent, raging customer.

(Before one of the usual suspects says it was a stupid rule, hey, I wasn't a store manager. I just wanted to earn a paycheck.)

[SectorZ]

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

I know some people write "See ID" on their cards, but back when I worked in fast food I didn't have time for that because I need to get your ass in and out of my drive thru and I don't really care anyway.

I got one reminder from management (suggesting someone complained to management that I didn't check their ID), but otherwise I never heard about it again.

I worked at a computer store (Micro Center) one summer when I was in college and they required us to check signatures on cards (one guy was fired for not doing so), and they wouldn't let us accept "See ID." Period. A few customers got belligerent about it; I invariably said, "Hey, I'm just following instructions and I'm not going to risk my job because of how you want to sign your card. I'll be happy to call a manager." Nowadays it'd probably wind up on the news due to a violent, raging customer.

(Before one of the usual suspects says it was a stupid rule, hey, I wasn't a store manager. I just wanted to earn a paycheck.)

Why couldn't you just match the signature to whatever was on their ID then? That would be the original 2FA.

(Admitting I only know that Massachusetts driver's licenses have a signature - for all I know that's a rarity of some sort)

[Scott5114]

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

I know some people write "See ID" on their cards, but back when I worked in fast food I didn't have time for that because I need to get your ass in and out of my drive thru and I don't really care anyway.

I got one reminder from management (suggesting someone complained to management that I didn't check their ID), but otherwise I never heard about it again.

I worked at a computer store (Micro Center) one summer when I was in college and they required us to check signatures on cards (one guy was fired for not doing so), and they wouldn't let us accept "See ID." Period. A few customers got belligerent about it; I invariably said, "Hey, I'm just following instructions and I'm not going to risk my job because of how you want to sign your card. I'll be happy to call a manager." Nowadays it'd probably wind up on the news due to a violent, raging customer.

(Before one of the usual suspects says it was a stupid rule, hey, I wasn't a store manager. I just wanted to earn a paycheck.)

Oh, we had the exact same rule at the casino for people trying to get cash off their card. No, I'm not going to let you get $1,000 in cash off of a card you claim is your wife's (how do I know it's not your sister's or your mom's, or worse, some random other person with the same last name?). No, I'm not going to let you get $1,000 out and then sign "SWAGG" instead of your name. And we wouldn't even accept "See ID" on the back in lieu of a signature, there had to be a signature on the back of the card and on the signature pad and they had to match the signature on the ID. I don't have $1,000 to pay back to the casino if this comes back fraudulent, so we're going to play by the rules here. We pretty much told them they can either follow the rules or they'll have to find some other way to get money to gamble with.

Why couldn't you just match the signature to whatever was on their ID then? That would be the original 2FA.

Signature on the back of the card signifies that the bearer has agreed to the cardholder agreement and is the authorized user of the card. If it's unsigned or says "SEE ID" I can sign the back of your card and then I'm technically the cardholder. It is pretty dumb, but, according to the documentation we got from Visa, that's how it works.

[kkt]

I've never understood the point of having a credit card if you have a positive amount of money. Why not just take it out of what you have and avoid paying interest?

It's mainly for:
1) convenience
2) building your credit score, as has been discussed in this thread

Also, most (all?) cards don't accrue interest as long as you pay in full every month.

Yes, and also

3)  the dispute resolution system for credit card charge disputes is reasonably quick and inexpensive to use, unlike the courts

[1995hoo]

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

I know some people write "See ID" on their cards, but back when I worked in fast food I didn't have time for that because I need to get your ass in and out of my drive thru and I don't really care anyway.

I got one reminder from management (suggesting someone complained to management that I didn't check their ID), but otherwise I never heard about it again.

I worked at a computer store (Micro Center) one summer when I was in college and they required us to check signatures on cards (one guy was fired for not doing so), and they wouldn't let us accept "See ID." Period. A few customers got belligerent about it; I invariably said, "Hey, I'm just following instructions and I'm not going to risk my job because of how you want to sign your card. I'll be happy to call a manager." Nowadays it'd probably wind up on the news due to a violent, raging customer.

(Before one of the usual suspects says it was a stupid rule, hey, I wasn't a store manager. I just wanted to earn a paycheck.)

Why couldn't you just match the signature to whatever was on their ID then? That would be the original 2FA.

(Admitting I only know that Massachusetts driver's licenses have a signature - for all I know that's a rarity of some sort)

Because I would have lost my job. I didn't make the rules.

[SectorZ]

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

I know some people write "See ID" on their cards, but back when I worked in fast food I didn't have time for that because I need to get your ass in and out of my drive thru and I don't really care anyway.

I got one reminder from management (suggesting someone complained to management that I didn't check their ID), but otherwise I never heard about it again.

I worked at a computer store (Micro Center) one summer when I was in college and they required us to check signatures on cards (one guy was fired for not doing so), and they wouldn't let us accept "See ID." Period. A few customers got belligerent about it; I invariably said, "Hey, I'm just following instructions and I'm not going to risk my job because of how you want to sign your card. I'll be happy to call a manager." Nowadays it'd probably wind up on the news due to a violent, raging customer.

(Before one of the usual suspects says it was a stupid rule, hey, I wasn't a store manager. I just wanted to earn a paycheck.)

Why couldn't you just match the signature to whatever was on their ID then? That would be the original 2FA.

(Admitting I only know that Massachusetts driver's licenses have a signature - for all I know that's a rarity of some sort)

Because I would have lost my job. I didn't make the rules.

Notwithstanding what Scott5114 said above, does anybody literally ask questions at their job anymore? I questioned a lot of stupid stuff, and usually you're better off if a solution to a dumb problem either 1) saves money/time or 2) makes customers happy.

[1995hoo]

The US debit card system is pretty hilariously broken security-wise. Borrow your spouse's card sometime, go around town using it for your usual business, and see how many times you get stopped. Any time you encounter a PIN prompt you can just hit X on the pad and it will bypass the PIN. Nobody checks to see if the name on the card is the name of the person standing there or whether their signature, if they even ask for one, matches against anything.

I know some people write "See ID" on their cards, but back when I worked in fast food I didn't have time for that because I need to get your ass in and out of my drive thru and I don't really care anyway.

I got one reminder from management (suggesting someone complained to management that I didn't check their ID), but otherwise I never heard about it again.

I worked at a computer store (Micro Center) one summer when I was in college and they required us to check signatures on cards (one guy was fired for not doing so), and they wouldn't let us accept "See ID." Period. A few customers got belligerent about it; I invariably said, "Hey, I'm just following instructions and I'm not going to risk my job because of how you want to sign your card. I'll be happy to call a manager." Nowadays it'd probably wind up on the news due to a violent, raging customer.

(Before one of the usual suspects says it was a stupid rule, hey, I wasn't a store manager. I just wanted to earn a paycheck.)

Why couldn't you just match the signature to whatever was on their ID then? That would be the original 2FA.

(Admitting I only know that Massachusetts driver's licenses have a signature - for all I know that's a rarity of some sort)

Because I would have lost my job. I didn't make the rules.

Notwithstanding what Scott5114 said above, does anybody literally ask questions at their job anymore? I questioned a lot of stupid stuff, and usually you're better off if a solution to a dumb problem either 1) saves money/time or 2) makes customers happy.

It was 1993 and I was 20 years old, I needed the money, and it was a retail job (meaning no job security). So no, I didn't ask questions, and I  couldn't have cared less whether someone else thought I "should have" questioned it (and I roll my eyes at anyone who thinks 30 years later that he knows better than I did then how I should have proceeded at the time). You know as well as I do that you can often tell when it would be pointless to ask a question or to try to resist a policy.

[Scott5114]

Hell, I probably would have been happier at my last job if I didn't question anything. Questioning it tended to lead to the discovery that I had already thought more about it than the people responsible for making the decision. Unfortunately, not questioning things isn't the sort of person I am...

[abefroman329]

Hell, I probably would have been happier at my last job if I didn't question anything. Questioning it tended to lead to the discovery that I had already thought more about it than the people responsible for making the decision. Unfortunately, not questioning things isn't the sort of person I am...

Yeah, the thing about questioning things at work is that it's either rewarded or...it isn't.

[ZLoth]

Notwithstanding what Scott5114 said above, does anybody literally ask questions at their job anymore? I questioned a lot of stupid stuff, and usually you're better off if a solution to a dumb problem either 1) saves money/time or 2) makes customers happy.

There's your problem. Business like to emphasize the "keeping customer happy", "reduce costs", and "increase speed" with the goal of "increased profits and shareholder value" at the cost of "good data handling security". In 2013, at the time of the Home Depot data breach, the United States was one of the last "swipe and sign" (magnetic stripe and a signature) nations. Europe, in the meantime, was a "chip and pin" where you had to enter in a pin number when processing a transaction. When I was in Victoria, BC in 2013 eating at a restaurant, they brought a credit card processing machine to me to process the charge, meaning that my card never left my possession. Meanwhile, it's 2021, and while some restaurants have some form of at-table processing (including mobile phone payment), many still take away your card, process it at a single terminal, and bring back the receipt. That means the card has left my possession, and there has been times where the card number was copied by the server before being brought back to the table.

And why did we get to this point? Because of the major credit card processor fearing that any barriers to using their cards means that the consumer will easily switch cards, and they would rather take the hit in fraudulent charges than lose the customer. Because the business want to use a single processing machine because setting up multiple processing machines and the secure WiFi network for at-table processing is "too complicated" and "too expensive".

Oh, but wait! There have been some restaurants which, in order to reduce the threat of theft, wanted to go cashless, meaning that you only pay with a credit or debit card. Not in New York City, Philadelphia, San Francisco, or the state of New Jersey, which has effectively banned cashless transactions because "12% of New Yorkers do not have bank accounts" and business should also serve the "unbanked"  or "underbanked" .

[kalvado]

Notwithstanding what Scott5114 said above, does anybody literally ask questions at their job anymore? I questioned a lot of stupid stuff, and usually you're better off if a solution to a dumb problem either 1) saves money/time or 2) makes customers happy.

There's your problem. Business like to emphasize the "keeping customer happy", "reduce costs", and "increase speed" with the goal of "increased profits and shareholder value" at the cost of "good data handling security". In 2013, at the time of the Home Depot data breach, the United States was one of the last "swipe and sign" (magnetic stripe and a signature) nations. Europe, in the meantime, was a "chip and pin" where you had to enter in a pin number when processing a transaction. When I was in Victoria, BC in 2013 eating at a restaurant, they brought a credit card processing machine to me to process the charge, meaning that my card never left my possession. Meanwhile, it's 2021, and while some restaurants have some form of at-table processing (including mobile phone payment), many still take away your card, process it at a single terminal, and bring back the receipt. That means the card has left my possession, and there has been times where the card number was copied by the server before being brought back to the table.

And why did we get to this point? Because of the major credit card processor fearing that any barriers to using their cards means that the consumer will easily switch cards, and they would rather take the hit in fraudulent charges than lose the customer. Because the business want to use a single processing machine because setting up multiple processing machines and the secure WiFi network for at-table processing is "too complicated" and "too expensive".

Oh, but wait! There have been some restaurants which, in order to reduce the threat of theft, wanted to go cashless, meaning that you only pay with a credit or debit card. Not in New York City, Philadelphia, San Francisco, or the state of New Jersey, which has effectively banned cashless transactions because "12% of New Yorkers do not have bank accounts" and business should also serve the "unbanked"  or "underbanked" .

Unbanked and underbanked is a completely different story.  Cash vs card is irrelevant, as cash is still the legal tender for all debts, public charges, taxes and dues. Going all card is a can of worms in many aspects/
Making cards more secure, however, is a completely different story. Once magnetic strip copying took off, that technology lost a lot of security. Chip is pretty reasonable alternative. There may be a lot of further enhancements, likepins and  single-use transaction codes - question is where to stop, though.
It doesn't change underlying legal aspects of multiparty transaction processing. Which require signatures as a prof of getting legal agreement.

[abefroman329]

Meanwhile, it's 2021, and while some restaurants have some form of at-table processing (including mobile phone payment), many still take away your card, process it at a single terminal, and bring back the receipt. That means the card has left my possession, and there has been times where the card number was copied by the server before being brought back to the table.

Even more surprising is the fact that gas stations, by and large, don't accept chip or contactless payment methods at the pumps.  It is difficult, if not impossible, to clone a chip card.  The information on a mag stripe is static, where the info on the chip is dynamic.

[bing101]

Smartphone ownership is a defacto requirement at this point given the places I been to require a phone number for deals reasons. Note I give a proxy Google Voice number in these cases.

[ZLoth]

Unbanked and underbanked is a completely different story.  Cash vs card is irrelevant, as cash is still the legal tender for all debts, public charges, taxes and dues.

From the Federal Reserve Bank:

Is it legal for a business in the United States to refuse cash as a form of payment?

There is no federal statute mandating that a private business, a person, or an organization must accept currency or coins as payment for goods or services. Private businesses are free to develop their own policies on whether to accept cash unless there is a state law that says otherwise.