@Luxano and @adamshostack : this attack also more or less resembles what Terence Eden (@Edent IIRC) described in https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/ : a Man-in-the-Middle attack targeting Chase customers.
And it's interesting to read @briankrebs's writeup in https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/ - thanks for sharing!
@ErikvanStraten @Luxano @Edent @briankrebs Is this fair advice:
Analysis of swim lane diagrams is a good way to find these switch-overs. For each message, ask “What happens if there’s an extra party here?”
@adamshostack : that may depend on your audience, not everyone will be familiar with swimlanes.
In 2024 I tried to explain "The Chase Case" to Dutch people interested in infosec in https://security.nl/posting/842742 (I can't upload images there and that site is rather unfriendly for mobile browsers, so I try to restrict the width - which is often hard in case of "ASCII art swimlanes").
Note that the Dutch word "stap" means "step" and "Jan" is a very common first name for Dutch men.
English explanation in the Alt text.
Edited to add: the problem at hand is missing channel binding.
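To make the two points in this thread concrete (the swim-lane question "what happens if there's an extra party here?" and the closing remark that the underlying problem is missing channel binding), here is an added toy model; it is not code from any of the posters, from the linked write-ups, or from any bank. It assumes a push-approval login: a session is started over some channel, the bank pushes a nonce to the customer's enrolled phone, and the phone answers with an HMAC under a device key. The user name "jan", the channel identifiers, the key-derivation and session-storage details are all constructed for the example. In the unbound variant the phone signs only the nonce, so an approval tapped on the victim's phone completes whichever session the nonce belongs to, including one an extra party opened. In the bound variant the phone also commits to the identity of the channel it is actually on (assumed here to be something like a device or TLS-exporter identifier the app can observe locally, never a value carried in the push), so the bank only completes a session whose channel matches.

```python
"""Toy model of push-approval login with and without channel binding (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    session_id: str
    user: str
    channel_id: str   # identity of the channel the login was opened over (assumption: observable by the bank)
    nonce: bytes
    approved: bool = False


class Bank:
    """Relying party: stores per-user device keys and pending login sessions."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.device_keys: Dict[str, bytes] = {}
        self.trace: List[Tuple[str, str, str]] = []   # (from_lane, to_lane, message) for a swim-lane view

    def enroll_device(self, user: str) -> bytes:
        key = secrets.token_bytes(32)        # shared secret provisioned into the user's authenticator app
        self.device_keys[user] = key
        return key

    def start_login(self, user: str, channel_id: str) -> Session:
        s = Session(secrets.token_hex(8), user, channel_id, secrets.token_bytes(16))
        self.sessions[s.session_id] = s
        self.trace.append((channel_id, "bank", f"login {s.session_id} for {user}"))
        return s

    def push_payload(self, session: Session) -> dict:
        """What the bank sends to the enrolled phone. Note: it is not tied to any channel."""
        self.trace.append(("bank", "phone", f"approve? nonce for {session.session_id}"))
        return {"session_id": session.session_id, "nonce": session.nonce}

    def verify(self, session_id: str, tag: bytes, bound: bool) -> bool:
        s = self.sessions[session_id]
        key = self.device_keys[s.user]
        # Bound: the expected tag commits to the channel this session was opened over.
        msg = s.nonce + (s.channel_id.encode() if bound else b"")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, tag)
        s.approved = ok
        self.trace.append(("phone", "bank", f"{'accepted' if ok else 'rejected'} {session_id}"))
        return ok


def phone_approve(key: bytes, payload: dict, local_channel_id: str, bound: bool) -> bytes:
    """Authenticator app on the phone. Bound: it signs the channel it is actually on,
    which it determines locally; an unbound approval signs only the pushed nonce."""
    msg = payload["nonce"] + (local_channel_id.encode() if bound else b"")
    return hmac.new(key, msg, hashlib.sha256).digest()


def run_scenario(bound: bool) -> Dict[str, bool]:
    """Two pending sessions for the same user; the phone approves both pushes.
    Returns which sessions the bank accepted."""
    bank = Bank()
    key = bank.enroll_device("jan")
    # The "extra party" in the swim lane: a session opened over a channel Jan is not using.
    extra = bank.start_login("jan", channel_id="channel-not-jan")
    # Jan's own session, opened from the device Jan is holding.
    own = bank.start_login("jan", channel_id="jan-device")
    results: Dict[str, bool] = {}
    for label, s in (("extra_party", extra), ("own", own)):
        payload = bank.push_payload(s)
        tag = phone_approve(key, payload, local_channel_id="jan-device", bound=bound)
        results[label] = bank.verify(s.session_id, tag, bound)
    return results


if __name__ == "__main__":
    for bound in (False, True):
        print(("bound" if bound else "unbound"), run_scenario(bound))
```

Running it shows the unbound design accepting both sessions, i.e. a tap on the victim's phone completes a login the victim never started, while the bound design only accepts the session whose channel matches the one the phone is actually on. The `trace` list on `Bank` is the swim-lane view: the extra lane is the `channel-not-jan` party, and the message where the switch-over happens is the push, because nothing in it tells the phone which channel it is approving.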