Re:Why? (Score 1)
As the parent was saying, the token is also used to confirm the transactions after they've been entered - the bank, naturally, doesn't trust the session until it times out or is logged off.
This same process is also used by my bank on the other side of the world - this closes many potential vulnerabilities - this one with the expiring session; phishing (since even if you get the user to log in to a fake site, you can't transfer the funds), cross-site scripting usages to submit data to bank sites, etc. Heck, it was probably designed to combat no-tech attacks such as using the computer and browser session of someone who left for lunch and forgot to log out of the system.
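The transaction-confirmation step the post describes, as an added example (not code from the post or from any bank): the token computes a MAC over the bank's one-time challenge plus the transaction details the user keyed in, and the bank recomputes it, so a code obtained through a phished or hijacked session only confirms the exact transaction it was issued for. The key, account numbers, amounts and the 8-digit truncation are constructed assumptions.

```python
import hashlib
import hmac
import secrets


def canonical_transaction(tx: dict) -> bytes:
    # Deterministic serialisation of the signed fields, so any change to the
    # amount or destination changes the MAC input and invalidates the code.
    return "|".join(f"{k}={tx[k]}" for k in sorted(tx)).encode()


def token_confirm(secret: bytes, tx: dict, challenge: bytes) -> str:
    # What the user's token computes: HMAC over the bank's challenge and the
    # transaction details, truncated to a display-sized 8-digit code.
    mac = hmac.new(secret, challenge + canonical_transaction(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(secret: bytes, tx: dict, challenge: bytes, code: str) -> bool:
    # Bank side: recompute from the transaction it actually received and the
    # challenge it issued; constant-time compare against the submitted code.
    return hmac.compare_digest(token_confirm(secret, tx, challenge), code)


def demo() -> tuple:
    # Constructed enrolment secret and transaction (not real account data).
    secret = secrets.token_bytes(32)
    tx = {"to": "GB00BANK12345678", "amount": "250.00"}
    challenge = secrets.token_bytes(16)
    code = token_confirm(secret, tx, challenge)

    legit = bank_verify(secret, tx, challenge, code)
    # Same code presented with an altered destination: rejected.
    tampered = bank_verify(secret, {**tx, "to": "GB00OTHR87654321"}, challenge, code)
    # Same code replayed against a fresh challenge (new session): rejected.
    replayed = bank_verify(secret, tx, secrets.token_bytes(16), code)
    return legit, tampered, replayed


if __name__ == "__main__":
    print(demo())
```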