They need to educate their own staff before they worry about the customers' computers!
(These experiences are from UK banks, but I'm sure they apply here too.)

I've regularly had my bank phone me up and say they're from the bank, then ask me all the security questions. I refuse to give it to someone I can't verify. I've only had one instance where the bank staff member knew how to solve this problem, which was for me to phone them back using the number printed on the card and ask for a specific person. Of course, they should be educating their customers by calling and asking them to phone back in this manner EVERY TIME.

Then while travelling around Europe I needed to change some of my settings. The person on the phone suggested I use the Internet banking. When I pointed out that the only Internet access I had was Internet cafes where all the computers are loaded to the hilt with crapware, they still encouraged me to use the Internet banking site.

A really simple two-factor authentication is for them to SMS a single-use token to your mobile phone. This solves the "something you have + something you know" problem. Yes, if someone robs you AND somehow gets your password, you're stuffed. But that's less likely than being keylogged by crapware, which is really the problem they're trying to solve.

--
Rev Simon Rumble <[EMAIL PROTECTED]>
www.rumble.net

"Women who seek to be equal with men lack ambition."
- Timothy Leary

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html