Ignoring the whole pain in the ass this will be for their customers—at what point does this become a tragedy of the commons failure? Actually, I don’t know the case-law on this sort of stuff. If your bank authenticates using credentials that are generally publicly known by black-hats for most people—stuff like your social security number and some random bits of trivia (mothers maiden name)—shouldn’t they be responsible for any breaches?