Daniel Blum wrote a incredibly good article today on Network World. He said something very sharp on the matter of additional security measures that the banks need to deploy:

"From a business perspective, banks are much less concerned about losses to fraud than they are about scaring away customers. To them, online banking represents a Mecca of huge cost savings and revenue opportunities. The technical solutions that win out for them will be those that offer unobtrusive but effective protection."

The savings from Internet Banking usage growth are huge. Should the banks risk this savings by sending tokens, password cards to their customers? What if they agree on paying the losses for their clients instead of using additional security controls? Isn't it a valid way of dealing with that risk? Isn't it the way that credit card companies are taking?

Sometimes security people focus too much on vulnerability/control and forget about risk management.