Bingo
Posted Apr 3, 2011 15:29 UTC (Sun) by drag (guest, #31333) In reply to: Bingo by khim
Parent article: Laurie: Improving SSL certificate security
If a user is carrying about banking stuff via internet cafes there is NO effective way to secure it. Bringing something like that up is just silly.
> Bingo! A self-signed certificate is exactly the right solution. My bank uses a "green bar" for normal people, but for large clients (you know, the ones who transfer millions around) they use a self-signed certificate. How come?
People that transfer 'millions' around are generally businesses. Financial institutions use insecure FTP connections or SFTP (ssh) with a throwaway user account. They don't actually get real Unix accounts with vsftp or openssh most of the time. It's just some Java program that provides support for multiple protocols to suit the purposes of the client.
Actual security is provided through PGP encryption/signing of the files being transferred. The protocols used to transfer the files are not trusted.
If it's a 'realtime'-style connection they will use things like a FIX or FIXML connection on a dedicated data line (or at the least an IPSEC tunnel) where all traffic is logged and monitored.
> All these talks about "side channels" are missing the point: in most cases where fraud may deprive you of sizable sum you already have a "side channel" - you just need to use it.
It would solve the biggest threats to average consumers, which are going to be things like phony websites with fraudulent SSL certs and XSS attacks.
Consumer banking, to put it bluntly, is incompetent at designing website applications. They do a shitty job and can't be trusted.
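The pattern drag describes above, a file signed end to end so that the transfer protocol itself need not be trusted, can be shown in a few lines. The following is an added example, not code from the comment or from any bank: it uses ed25519 from the Go standard library as a stand-in for PGP signing, a constructed sample payment file, and a hypothetical UntrustedTransport function that models the plain FTP hop and can corrupt the bytes in flight. The receiver's only trust decision is the signature check; the channel makes none.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePaymentFile is a constructed stand-in for the batch file a business
// would hand to its bank. Its content is hypothetical.
var samplePaymentFile = []byte("BATCH;2011-04-03;ACCT=EXAMPLE;AMOUNT=1000000.00\n")

// SignedFile bundles a payload with its detached signature, the way a
// PGP-signed file travels alongside its .sig file.
type SignedFile struct {
	Payload   []byte
	Signature []byte
}

// SignFile produces a detached signature over the payload. ed25519 stands in
// here for the PGP signing the comment mentions; the protocol shape is the same.
func SignFile(priv ed25519.PrivateKey, payload []byte) SignedFile {
	return SignedFile{
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, payload),
	}
}

// VerifyFile checks the detached signature against the bank's copy of the
// sender's public key. Nothing about the transport is consulted.
func VerifyFile(pub ed25519.PublicKey, f SignedFile) error {
	if len(f.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, f.Payload, f.Signature) {
		return errors.New("signature does not match payload")
	}
	return nil
}

// UntrustedTransport models the plain FTP hop (hypothetical helper). It may
// deliver the bytes unchanged or, when tamper is set, alter the amount in
// flight, which is exactly what the transport is not trusted to prevent.
func UntrustedTransport(f SignedFile, tamper bool) SignedFile {
	out := SignedFile{
		Payload:   append([]byte(nil), f.Payload...),
		Signature: append([]byte(nil), f.Signature...),
	}
	if tamper {
		out.Payload = bytes.Replace(out.Payload,
			[]byte("AMOUNT=1000000.00"), []byte("AMOUNT=9000000.00"), 1)
	}
	return out
}

// RunDemo runs the whole flow once with a fresh key pair and reports whether
// the clean transfer was accepted and whether the tampered one was rejected.
func RunDemo() (cleanAccepted bool, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	signed := SignFile(priv, samplePaymentFile)

	// Honest delivery over the untrusted channel: the signature still matches.
	delivered := UntrustedTransport(signed, false)
	cleanAccepted = VerifyFile(pub, delivered) == nil

	// Corrupted delivery: the payload changed, the signature did not, so the
	// bank rejects the file regardless of how it arrived.
	altered := UntrustedTransport(signed, true)
	tamperedRejected = VerifyFile(pub, altered) != nil
	return cleanAccepted, tamperedRejected, nil
}

func main() {
	ok, rejected, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean transfer accepted: %v\n", ok)
	fmt.Printf("tampered transfer rejected: %v\n", rejected)
}
```

The key distribution step that PGP handles with key rings (the bank holding the client's public key out of band) is assumed here to have already happened, which is the same "side channel" the thread is arguing about; the verification itself never looks at the transport.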
