They are being pretty clever to make up for terrible endpoint security.
Yeah, all that might work for non-brick-and-mortar stuff you maybe care about, say email [1], and your fave pornsite. But really... you need to be able to demand a hardware OTP token from your bank and brokerage... plenty of cheap open hw exists for that, not RSA, ahem. Any B&Ms that don't offer hw are just using 'clever' obfuscation or cost reduction around the issue of real security. But since they already cost-reduced that nice 4-7% interest they used to pay you, don't expect this anytime soon. Unless they figure with real security they could then twist responsibility for that account-wiping transaction to Uganda... on you.

[1] Outlook.com uses that stupid 'no cut/paste' thing, worthless and annoying as fuck for those of us who use real password safes with real random unmemorizable passwords.