I just listened to Episode 103 of the Security Now podcast, where Leo Laporte and Steve Gibson talk to the head of security at PayPal. PayPal is doing the right thing right now by issuing RSA security keys to their customers, which gives them two-factor authentication (a password plus the one-time number from the security key).
But for some reason, they do not enforce the use of security keys on their customers. Even when you have obtained a security key (which is optional, weirdly enough) and said you are using it, you can still log in without it by answering some additional security questions. For the sake of convenience! Which basically reduces the added security to nothing, since you can still log in in the traditional fashion: the effective strength of the login is that of the weakest path the bank accepts.
I am all for listening to the needs of customers, but sometimes you have to assume that you know better than your customer. And security for financial institutions is one area where the financial institution does know better than its customers. The very idea of letting someone get around two-factor authentication for convenience is just amazing to me. Even more amazing is the Bank of America login, which apparently (from Leo's comments in the podcast) does not even use any kind of hardware token for login. This is akin to having safe deposit boxes put in the waiting area of a bank and asking customers to just put their own padlock on them.
Every Internet-based bank where I have been a customer has done SOMETHING more than just a password. There have been little crypto dongles where you enter a challenge number and get a response, a card with one-time passwords, or a smart card reader that gets a one-time number from the chip on the smart card itself. Or a one-time password sent over SMS to register a certificate on a computer. Not all of these are perfect solutions, but in all cases security has at least been considered and not just customer convenience.
For banks, you do not want access to be too simple. You want your money to be safe, and it is OK to make access a bit more complex than just a user name and password.
I hope the argument is not cost-based. The cost of giving out hardware tokens should be minor compared to the cost of lost customer money. It is just part of what it means to be in business as a bank: you do have to pay for offices (or at least server rooms, for an internet-only bank) and customer service.
I guess this is one more thing that falls in the category of "the US is a strange land", because I hear an undercurrent of "convenience is more important than anything" and a fear of losing customers if login is too complex. In this case that has to be considered the wrong priority.