Can we start by teaching Noddy-level security to banks?
1) I can have some confidence that https://halifax.co.uk/ is my bank. Anything like https://halifax-online.co.uk/ requires additional scrutiny, but that is exactly what they have done.
2) I can reduce the attack surface by disabling JavaScript, Flash and Java while shopping, but the few sites I found that did not require JavaScript now do.
3) I actually found a new site that did not require JavaScript. After I confirmed the order, I had to enable JavaScript to get to a verify by Visa page. That page was from a third party site I had never heard of, so I assumed I had a secure connection to a phishing site.
Please can we cancel all bankers' bonuses until they fix these basic security disasters. (What I suspect will happen is we will get some taxpayer-funded adverts saying that only software with a Microsoft logo is secure, and a law requiring that all software used by the government must have that logo.)