Security teams don't block certain VPN traffic for fun. When a certain IP block has been running credential stuffing attacks all month long, it's very reasonable to see any request from said block with a lot of suspicion. In many cases, 99.9% of login attempts from certain IP blocks are just fraudulent, and there might be more requests from one of said blocks than legitimate requests from the rest of the world combined.
Completely blocking a VPN is often too blunt an instrument, but even the best alternatives are unfriendly to legitimate traffic. The most user-friendly thing you can do is to rely on bonus security controls, like asking for two factor authentication for everything. No, you will not be able to log into anything from a new device, even, without the two factor. A very understandable tradeoff for a bank, but we'll end up seeing that for any account protecting anything of relatively low value.
If your second factor is tied to, say, a phone, it's not going to be fun to wait to replace it if it's lost. But in a world where most traffic is coming from a VPN, there aren't many good alternatives.
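The trade-off described above, as an added example that is not part of the original comment: login attempts are scored per source block, and a block that is almost entirely failures either gets blocked outright or is pushed to two-factor authentication. The function names, the thresholds, the /24 and /64 grouping, and the use of failed logins as a stand-in for fraud are all assumptions, and the events are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample: (source IP, password accepted?). Failed logins stand in
# for fraud here, which is an assumption; real systems use richer signals.
EVENTS = (
    [(f"198.51.100.{i % 250 + 1}", False) for i in range(999)]  # stuffing run
    + [("198.51.100.7", True)]                 # one real user on the same VPN
    + [("203.0.113.10", True), ("203.0.113.11", False)]  # quiet range, one typo
    + [("2001:db8:1::5", True)]
)

def network_of(ip, v4_prefix=24, v6_prefix=64):
    """Map an address to the block it is scored under (hypothetical grouping)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def block_stats(events):
    """Return {network: (attempts, failures)} for the observed events."""
    attempts, failures = Counter(), Counter()
    for ip, ok in events:
        net = network_of(ip)
        attempts[net] += 1
        if not ok:
            failures[net] += 1
    return {net: (n, failures[net]) for net, n in attempts.items()}

def decide(ip, stats, policy="step_up", min_attempts=100, bad_ratio=0.99):
    """Return 'allow', 'require_2fa' or 'block' for a login with a valid password."""
    n, failed = stats.get(network_of(ip), (0, 0))
    # Too few samples: one mistyped password must not condemn a whole range.
    if n < min_attempts or failed / n < bad_ratio:
        return "allow"
    # The blunt option locks out the real user too; step-up lets them through.
    return "block" if policy == "block" else "require_2fa"

STATS = block_stats(EVENTS)

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.11", "192.0.2.1"):
        print(ip, decide(ip, STATS), decide(ip, STATS, policy="block"))
```

The one legitimate user on the noisy range is the case the comment is about: under `policy="block"` they are locked out, under the default they are asked for a second factor.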