by: David Rowe
by David Rowe - Sungard on Aug 29, 2007 - 10:58 AM
Source: http://www4.sungard.com/blogs/riskManagement/?p=16#commen...
Stephen,
I agree that there is often too little attention to security even in situations where one would think the public should be most sensitive. That said (and at the risk of being accused of plugging my old employer) I find the Bank of America on-line banking site to be noticeably superior in this area. They were well ahead of the curve in requiring that every customer establish an individual site key. This is information stored on the bank’s website that is returned when you attempt to log in and verifies that you are accessing the legitimate site location. A phishing scam trying to get people to divulge their login details by directing them to a bogus look-alike website would not be able to provide the correct site key. Only more recently have other sites started to emulate this extra protection layer. Another example of extra care is the NatWest on-line banking site in the UK. They NEVER ask for your full PIN or password. Rather they request a different random selection of the characters in a random order each time you log in. That way, even someone who successfully planted a keyboard scanner would have to capture multiple sessions and do significant analysis to isolate a user’s full details.
For someone like me who is sensitive to these issues, extra attention to security measures certainly cements my loyalty. More generally, I think it may take a major and well publicized security failure at some institution, with significant inconvenience or outright losses for customers, to raise the public’s responsiveness to such measures. When that day comes, however, the institutions that can point to their extra attention to security will reap their reward.
(For a more detailed discussion of alternate security measures see: http://www3.sungard.com/SunGardFinancial/menus/documents/risk_managers/200605%20protect%20and%20survive.pdf)
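The partial-credential login described in the comment above, sketched as an added example that is not part of the original comment and not any bank's actual code: the server requests a few randomly chosen positions, checks the reply, and the last function estimates how many observed logins it takes before every position has been requested at least once. The function names, the 8-character secret and the 3 positions per login are assumptions made for illustration.

```python
import hmac
import secrets
from math import comb


def issue_challenge(secret_len, k):
    """Pick k distinct 1-based positions, in random order, from a CSPRNG."""
    if not 0 < k <= secret_len:
        raise ValueError("k must be between 1 and the secret length")
    return secrets.SystemRandom().sample(range(1, secret_len + 1), k)


def verify_response(secret, positions, response):
    """Compare the typed characters with the requested ones in constant time.

    Design cost: the server needs the secret in a form that lets it check
    arbitrary positions, so one salted hash of the whole secret is not enough.
    """
    expected = "".join(secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), response.encode())


def exposed_positions(observed_challenges):
    """Positions that someone watching these logins has seen at least once."""
    seen = set()
    for positions in observed_challenges:
        seen.update(positions)
    return seen


def expected_logins_to_expose_all(secret_len, k):
    """Expected number of logins until every position has been requested.

    Inclusion-exclusion over the sets of positions that are still unseen.
    """
    total = comb(secret_len, k)
    return sum(
        (-1) ** (j + 1) * comb(secret_len, j)
        / (1 - comb(secret_len - j, k) / total)
        for j in range(1, secret_len + 1)
    )


if __name__ == "__main__":
    SECRET = "k7#Qz2mP"  # constructed sample secret, 8 characters (assumed)
    challenge = issue_challenge(len(SECRET), 3)  # 3 per login is assumed
    reply = "".join(SECRET[p - 1] for p in challenge)
    print("challenge:", challenge, "accepted:", verify_response(SECRET, challenge, reply))
    print("expected logins until full exposure: %.1f" % expected_logins_to_expose_all(8, 3))
```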