Hacker News

edward1033 today at 1:05 AM

Unlike the US, in some regions such as JP, TW, HK, almost every online card transaction requires 3D Secure. But many real-world cases show that banks then refuse to take responsibility for fraudulent transactions once 3DS was completed, even when the OTP leak was caused by failures in the banking and telecom systems rather than by the cardholder.


Replies

hocuspocus today at 1:20 AM

The EU has banned plain SMS tokens for SCA. You need an OTP + PIN or password, or more likely authorize the transaction from a mobile app with biometrics.