Banks use several systems to let their customers log into their internet banking sites. The worst (security wise) by far are the password based systems, very common in the US. Much better are (were!) the one-time password systems, based on scratch cards or electronic tokens, fairly common in Europe. However, the latest phishing expedition launched against the Nordea bank in Sweden showed how trivial it is to get users to scratch those cards and divulge the one-time passwords, making this system no better than regular password systems.
Actually, I’m convinced it’s worse. Most users will have less resistance against giving out a one-time password to a site, since they are convinced it will become unusable after the first try. That’s what the bank told them.
Yet again, bad security proves to be worse than none at all. Especially if it’s touted to be good and isn’t. (Now, I have to add that since no actual case of money being lost has been publicized, that last part is conjecture on my part.)
For more, see The Register.