I am frankly amazed that there aren't more major security breaches in our banking infrastructure.
Yeahh, those of us in IT in the banking industry love consultants like you. Seriously, who has the better track record in preventing loss through computer theft and fraud? Those of us who have to protect your money for a living, or consultants who get to waltz in, pronounce their wisdom from on high, and leave?
Look, I'll grant you that security, both information and physical, is hard. Security between parties is even harder. Changing customer behavior, especially retail customers, takes forever. Figuring out how to pay for changes to meet an ever changing threat model is extremely difficult. Yet, as an industry we seem to be doing a pretty good job of it. When was the last time you heard about someone getting away with millions? (No, I'm not talking about investment bankers, I'm talking about consumer and commercial bankers. The ones handling your money, not those sociopaths ripping the rest of us off.)
Did it ever occur to you that the reason why banks do things the way that they do is because the level of loss through theft is essentially zero? We take our responsibility to protect our clients' assets very seriously, if for no other reason than a high profile report of loss through negligence on our part is guaranteed to cost us millions (if not billions!) in lost revenue and fines.
U.S. banks have auditors from a dozen different Federal agencies PLUS the Payment Card Industry consortium crawling through our IT infrastructure literally on an almost daily basis. If we don't measure up, it can cost us tens of millions in fines and/or lost business through loss of access to Visa and MasterCard's networks. I'm sure banks in other countries face similar scrutiny.
Any bank of significant size has multiple layers of checks layered throughout their business logic. Just cracking the front door by any number of means doesn't give you instant access to account information, nor does it give you authorization to open up a wire transfer. Not to mention the fact that everyone, not just the customer facing staff, goes through annual refresher training on how to spot fraud of all types. Don't forget, banks have to absorb the losses, not the customer. (Yes, yes. I know we have insurance. What do you think would happen to our insurance rates if we continually screwed up? Not to mention the risk of having the country holding our charter just shutting us down!)
Personal examples: In the past several years, I have had a change in my purchasing behavior on my credit card trigger a contact from the issuing bank within a few days on at least three separate occasions. On two occasions, I have had an issuing bank spot a problematic transaction (used in another country on another continent), shut down the card, notify me, and re-issue a fresh card within two days. On every single occasion, the issuing bank absorbed all the costs associated with those actions. Those five(-ish) examples cover three different credit card networks and four different issuing banks.
Dealing with security issues is what we do every day. We have dedicated information security people constantly looking for new ways to strengthen and extend our defenses. We have development staff who get hammered if they bring in weak solutions, so they've learned to do the right thing. We have the aforementioned sensitivity to fraud.
We do know what we are doing. :-)