Expecting people who know nothing about security to make an informed decision is unreasonable. It's much like expecting people to choose a building that won't fall over in an earthquake when they aren't architects - the responsibility lies with the architect for claiming that the security is good enough, not with the customer for trusting the expert.
You're suggesting that if I place a lock on your door, and you and I both agree that it is adequate, that it is my fault that you lose your keys and have your TV stolen because I should have known that a lock is not good enough and you should have had an alarm system as well....
Seriously, have some bit of personal responsibility.
The degree of "personal responsibility" you're alluding to here is unreasonable to apply to a regional commercial construction firm. It is simply not feasible for most businesses to keep a password-only protected online bank login secure using general-purpose operating systems, and particularly not with Windows.
You're commenting because you know that:
* The firm could have dedicated a machine to do nothing but provide access to the bank account, perhaps from a single-use VM
* The firm could have structured its bank accounts so that only a minimal amount of its cash flow would be exposed to any single compromise
* The firm could have aggressively monitored transfers in and out on a better than daily basis
I'm telling you that (a) getting these things set up is a 5-figure consulting project that no bank tells its client base it needs to do, (b) that it is vanishingly unlikely that the bank made sure the client was informed that it needed to take these steps, (c) that failing to do that and leaving accounts exposed only to simple passwords is probably an example of a failure of due care, and (d) that the simplest and most reasonable way to solve all of these issues would be for the bank to simply strengthen its authentication mechanisms for commercial accounts.
You are placing a ridiculous expectation on the service provider while excusing the client from using any form of security at all!
Sorry, but in 2011 it is not beyond reasonable expectation that a password be kept secret. Getting hacked sucks, certainly. Your company being hacked however is not the liability of your service providers, even if they are banks.
Speak to the people deploying multifactor and reputational authentication at major banks, and to a one, they will tell you that it is not considered a reasonable expectation that Windows systems be kept intact in order to secure bank accounts.
Banks can't come out and simply say that because of market realities (there are lots of market realities involving software security that terribly impact your day to day life) and concomitant liability.
The banks we talk to are certainly aware that a significant percentage of the customer-provided client machines are pwned by malware (and not just dumb keyloggers either). The Zeus trojan in particular is currently one of the most-discussed topics in online banking security.
tptacek is referring to the fact that I work for PhoneFactor and we sell a multi-factor auth product to secure against these types of things. You're probably right, and thanks for the input.
It's hard to know when to worry about not disclosing affiliations and when to worry about sounding like a product name-pusher. I felt like I was on such basic facts in this comment that it wasn't so relevant, but I did mention it in a later comment in this thread.