Quick rant and shout out to the financial services industry. Obviously there's no shortage of stories of online banking fraud. Thanks to great sites like Brian Krebs's, we're seeing a trend of banks going after their customers to recover stolen funds, unreasonable recommendations like "use a different computer" (thanks Pescatore), and possibly some selective disclosure on the scale of the problem.
We all know financial institutions track their fraud and tolerate losses up to an allowable level. If finserv doesn't start managing these risks appropriately, more victims will lose money and eventually people will pull back from online transactions. That's a lose-lose.
The solutions are there to improve consumer authentication and fraud detection (note: my business doesn't send funds via ACH overseas). Obviously 2-factor authn has never been a silver bullet, but an improved combination of monitoring and verification will let you manage your risk rather than blame your customers for poor security.
It's time to pull a page from Bruce Schneier's book and put the liability on the folks with the resources to mitigate the risk. So finserv, please look at the big picture and don't wait for the feds to define a new floor for compliance.
Customer switching costs may not be as high as you think. They weren't for me.
P.S. to the relevant banking CISO: if your RACI covers ecomm fraud, what a great opportunity to be a value add, or even show a positive ROI.