The cynic in me says, "What are the bank's goals with their approach to security?"

The 3D Secure stuff (Verified by Visa/MasterCard SecureCode) -- as commonly implemented, anyway -- seems to be directed towards transferring liability for fraudulent transactions away from the banks towards the merchants without actually doing anything to increase security. VbV/MCSC pretty much trains users to accept man-in-the-middle attacks by asking users to provide a password to an iframe served from a totally unrelated domain (arcot.com for HSBC UK currently, and securesuite.co.uk previously if memory serves). If a merchant -- or an attacker between the user and the merchant -- MITMs the VbV flow, how will the user be able to tell?

HSBC (in the UK) have recently given me a physical token for my personal internet banking service, which is used to both log in to their service and to authenticate specific transactions. This is a bit of an inconvenience -- I can't log in to my bank account with just the credentials stored in my grey matter any more -- but a great big step in the right direction. Now, if only they could apply this to their VbV/MCSC authentication too, or allow me to use my phone as the physical token instead of having another bit of plastic to carry in my wallet...

If my email or Facebook account is ever compromised, I'll be very unhappy -- I have a fair amount of private, personal information in both locations. If my bank account or credit cards are ever compromised, I'll consider it a more-or-less inevitable consequence of the way the system is designed and simply something to be accepted... but I really don't relish convincing the bank of this!
It is probably worth noting that NatWest will lock your account on 3 unsuccessful login attempts with PIN + password + customer number, so brute forcing a password would be tricky.

They also require a card reader and a physical card to confirm any transactions involving transferring money. They generate a confirmation code that you enter into the card reader (along with your card PIN, which is different to your online banking PIN). The card reader then generates a confirmation token that authorises the transaction.

As the article points out, they ask for 3 characters from the password rather than the whole password itself, which when combined with a login attempt limit of 3 helps mitigate the problems of keyloggers on the users' machines. This would be harder to implement with longer passwords and more confusing for users: "Please enter character 61 of your password".
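The partial-password scheme described in the comment above, written out as an added example (it is not code from the thread or from any bank, and it is a simplified model, not NatWest's actual implementation): the server picks three random positions, checks only those characters, and locks the account after three failures. The `keylogger_view` function shows why the lockout matters: a keylogger that watches several logins only ever learns the positions it saw challenged. The account data, `MAX_ATTEMPTS`, `CHALLENGE_LEN` and the plaintext storage of the password are all constructed assumptions to keep the model small.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3   # assumed lockout threshold, as described in the comment
CHALLENGE_LEN = 3  # assumed number of characters asked for per login


@dataclass
class Account:
    # Constructed sample account. A real deployment would not hold the
    # password in plaintext; it is kept this way only to make the model short.
    password: str
    failed_attempts: int = 0
    locked: bool = False


def make_challenge(account: Account) -> list[int]:
    """Pick CHALLENGE_LEN distinct, 1-based character positions with a CSPRNG.

    Using the OS entropy source matters: a predictable choice of positions
    would let an observer know in advance which characters to capture.
    """
    rng = secrets.SystemRandom()
    positions = rng.sample(range(1, len(account.password) + 1), CHALLENGE_LEN)
    return sorted(positions)


def verify(account: Account, positions: list[int], answer: str) -> bool:
    """Check the characters at the challenged positions and apply the lockout."""
    if account.locked:
        return False
    expected = "".join(account.password[p - 1] for p in positions)
    # Constant-time comparison so response timing does not leak how many
    # of the supplied characters were right.
    ok = hmac.compare_digest(expected.encode(), answer.encode())
    if ok:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True
    return False


def keylogger_view(observed: list[tuple[list[int], str]]) -> dict[int, str]:
    """Model what a keylogger learns from the logins it has seen.

    `observed` is a list of (positions, typed answer) pairs captured from the
    user's machine. Only the challenged positions are ever revealed, so the
    attacker's knowledge grows slowly and the lockout limits its use.
    """
    known: dict[int, str] = {}
    for positions, answer in observed:
        for pos, ch in zip(positions, answer):
            known[pos] = ch
    return known


def online_guess_bound(alphabet_size: int) -> float:
    """Upper bound on the chance of guessing a fresh challenge before lockout.

    Each challenge has alphabet_size ** CHALLENGE_LEN possible answers and the
    attacker gets at most MAX_ATTEMPTS tries before the account is locked.
    """
    return MAX_ATTEMPTS / (alphabet_size ** CHALLENGE_LEN)


if __name__ == "__main__":
    acct = Account(password="correct-horse")  # constructed sample password
    challenge = make_challenge(acct)
    print("Please enter characters", challenge, "of your password")
    print("guess bound for a 36-char alphabet:", online_guess_bound(36))
```

Because `verify` resets the failure counter only on success, a single correct login after two failures leaves the account unlocked, which mirrors the usual bank behaviour; a stricter policy would also rate-limit across accounts so that an attacker cannot spread three guesses per account over many accounts.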
I've seen banks do this before - and I think that some banks in some places use drop-downs rather than having you type characters. That's one reason I can see for restricting the type of character, so the drop-down is more sensible...