A bigger fiasco I cannot imagine. No, actually I could, but I don't want to.

Feb 2007 - Government admits 80 passports are lost in the post every month (I have recently been asked to post my actual passport to the Driver's Licencing Authority, I am so looking forward to that).

Nov 2007 - Her Majesty's Revenue and Customs (basicly the customs and tax offices combined) had lost CDs containing personal data, with all information on all British families with children under the age of 16 (around 25 million people). HMRC then sent out apology letters that also contained sensitive personal information. The boss of the HM Revenue and Customs has admitted there have been seven other significant data losses in recent years. Sophos conducted a poll of 350 in which 58% of the responses were; "Inevitable".

Dec 2007 - The Transport Secretary admitted that the details of three million learner drivers had gone missing when a hard drive was lost in Iowa (raising the question... what was UK drivers info doing in Iowa?).

Dec 2007 - CDs with personal information on thousands of benefit claimants were found at the home of a former contractor to the Department of Work and Pensions (that's right... A contractor!).

Dec 2007 - The names, dates of birth and national insurance numbers of 45,000 people claiming benefits in west Yorkshire were lost by the Government.

Dec 2007 - Department of Health has said that data losses were being dealt with individually by the relevant trusts (hospital management) and that it therefore did not have details of how many patients' records were lost, City and Hackney Primary Care Trust, in east London - has reportedly lost the details of 160,000 children

Jan 2008 - Secretary of state for defence Des Browne has admitted that the laptop lost by the Ministry of Defence containing details of up to 600,000 defence personnel was not encrypted, and also that services personnel have previously lost two more laptops containing similar unencrypted recruitment information.

I could go on but I think you get the idea. I am so longing to return home to Australia where the worst I have to worry about is a slack security system... Over here they seem to just give out unencrypted laptops/discs, brimming with citizen's personal information, to that bloke outside who wears his underpants on the outside and hope for the best.

They would require you to answer one of these questions at random times, or anytime you wanted to do something "novel", like add a new bill to your list of bills that you could pay online.

I argued with their phone-support people, and on up the chain to an assistant-to-the-assistant-security-manager, none of whom seemed to have the first understanding of computer security.

I switched banks -- chequing, savings, investments, everything -- and left them. The manager of my local branch was very understanding, but powerless to do anything about the policy.

The commonwealth bank has slightly better two factor auth. They make my log in with a userid and password to do all my online banking. Then they have my mobile number on file and SMS me a one time use token each time I want to change details or add a new transfer destination. This verifies that I have my phone. So I know something AND I have something, that's two factor auth.

There is still the possibility of MITM attacks but it requires more work for the attacker.

thedailywtf.com had a whinge on this a while back:
http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx

One of the pages in the web-based section (which looks nothing like the final PDF) asks you to enter your email address in a textbox, with the note "Please print clearly in block capitals only" alongside. Well, I typed as clearly as I could...

Once I logged in a few days later to check the progress of my application, I noticed my email address had been OCR'd as m1ke@nw.com.aw - so apparently my typing wasn't as clear as I'd thought.