Worth adding is that the answers to someone's "security" questions often are easily obtained with just a small bit of social engineering.
Yep. Even easier if the information ("correct" answers) are available via Google.
But also, since you're already using unique passwords ... and the crackers managed to get your password ... how did they do that and would that have also yielded your "security" answers.
Their thinking seems to be:
1. So, one username / password isn't enough.
2. A second password should be enough, but it will use the same username as in #1.
3. And that second password should be SUGGESTED to be based upon something that can be researched / socially engineered / tricked out of the person.
4. And entered using the same channel as #1.
Okay, if you cannot get two factor authentication then at least use a different email address for each bank AND ONLY FOR THAT BANK. Email addresses are free. And always use completely unique passwords. Not bankname1 and bankname2.
The same for the "security" questions. Always completely unique.
If you have to write them down, do so. Just keep the paper in a secure location. It's far less likely that someone will break into your house to look for passwords than it is that someone will crack your computer.