@ Rob Mayfield
I work in the Australian banking sector in one of the largest banks.
We *do* understand the authC/authZ issues, process, and audit requirements. Have done for years and years.
On systems where we have been successful at enforcing our policy and mitigating risk, we are world leaders in adopting successful technologies and strategies which prevent fraud. You just don't hear about it because we generally don't speak about our successes.
Unfortunately, the "Business" hates anything which gets in the way of them making money, which they interpret as "annoying" customers with bothersome details like properly identifying themselves. Whereas if we are successful, we prevent them losing money. "We've always done it that way" and seeking exemptions from policy are endemic in every firm I've ever worked at, and I can't see it stopping any time soon. I use articles like this to justify my being a complete hardarse to projects - I wish there were more articles like this.
But back to my main point, the Australian banking and finance industry is at least 2-5 years ahead of the US banking system, and every bit as good if not better compared to the leading Europeans.
Recently, I managed to get myself an E3 visa so I could go work in the US. I looked into migrating my finances to a suitable bank there, and I was surprised at how backward the US banking system is compared to what I have now, particularly in Internet Banking and electronic payments. I'm sure the US will catch up, but not any time soon.
Examples of live systems working today:
SMS-based transaction signing for retail customers:
SMS trx signing is cheap and extraordinarily effective. I wish I could tell you how effective it is, but I can't.
To a lesser extent, using tokens for logging on and approvals, Bendigo Bank is making themselves a harder target:
The others in our market are all considering similar schemes, and it's only a matter of time before traditionally "trusted" (=untrustworthy) dealing and brokerage services are brought into line, as their fraud and losses become more visible while high volume transactional systems essentially become fraud free (or at least extremely hard to target without direct and risky social engineering attacks).