One would think that taking possession of someone's money, as banks and financial organizations do, would instill in those entities a serious sense of obligation to protect that money as well as people's private information. Apparently that's just idealistic thinking.
Over at the SecureWebBank.com Web site you will find a long list of banks and financial organizations along with their individual security policies as those policies relate to the login process of their customers. The list shows which banks require the use of SSL for logins and which ones also require two-factor authentication.
Huge financial organizations such as American Express, Bank of America, US Bank, and Washington Mutual (just to name a few) don't require SSL -- it's optional -- and not one of the U.S.-based companies listed requires two-factor authentication.
Interestingly enough, every financial organization listed outside of the U.S. does require the use of SSL. What's up with that? Do U.S. financial institutions think U.S. citizens are gullible or naive or stupid? Or is it the financial institutions themselves who suffer some sort of knowledge deficit?
I can live with the fact that most of these U.S. companies don't require two-factor authentication, but to not at least require the use of SSL is downright idiotic, and I find it a bit hard to believe that such companies are not aware of the risks associated with transmitting financial and personal information over the Internet in plain unencrypted text.
One might argue that it's the customer's responsibility to use SSL if they so choose, but I would beg to differ. It's not the customer's responsibility to lock the bank vault and front door of the bank, and likewise it's not their responsibility to ensure a secure communication channel when they visit the bank's Web site. The bank should do it for us because it's part and parcel of their most basic responsibility to secure our funds and our private information.