In order to efficiently fight against identity fraud, banks will also have to identify themselves.
USB Tokens, Smart Cards, Biometrics... are excellent one-way authentication tools, but as long as the bank is not identified the customers are not protected against phishing, man-in-the-middle & man-in-the-browser.
Authentication of both parties is the answer.
03 Apr 2009 16:09
No need to pay $ when you want to have basic security. And most users do not even have these basic tools to ensure safe usage of their computer.
There are tons of good free products out there that would be sufficient for most users.
The recommendations of Robert Siciliano are very good and you can follow them without having to pay a dollar for something you do not understand.
Antivirus: Avast, Avira AntiVir Personal Edition
Firewall: Comodo, Online Armor
Browser: Google Chrome is the most secure browser so far. The sandboxed architecture using the security model of Windows is pretty hard to bypass even for an excellent security expert (white-hat hacker) such as Charlie Miller. An alternative to it would be Firefox, which is the 2nd most secure browser. And if you want to add another layer to it, you might run it in your own sandbox with software like Sandboxie.
Adware/Spyware/Scumware remover: SuperAntiSpyware is definitely the best. MalwareBytes Anti-Malware is a good complementary tool.
Intrusion Prevention and Detection Utility: Threatfire is a very good first choice. DriveSentry has excellent default settings for novices but is also highly configurable for experienced users.
Of course, a regular Windows Update as well as Security Tools updates are more than recommended.
01 Apr 2009 16:40
One Time Passwords are definitely a step we can't avoid in fighting against online fraud. Static passwords do have this bad habit of being re-usable.
Using a phone app is not a bad idea, now that almost everyone has a phone (at least those who do online banking).
BUT simply adding the OTP layer to the classical user login/password, moreover on the same login page, DOES NOT PROTECT from Man in the middle, Phishing and certainly not against one of the most advanced hacking attacks that is Man in the browser.
I strongly believe in other types of architecture in order to exchange sensitive data or to ensure a secure connection.
The "2 entities" connection has reached its limits.
Being a hacker nowadays is like being a fisherman in a sea with no water: all targets are apparent and easy to catch.
Users are not security experts, and even when they do know a little bit about security, hackers surely do know more.
It is time to think like hackers in order to protect end-users from them.
Advanced architecture in the way data are exchanged is the answer. And more than 2 entities have to be involved.
01 Apr 2009 15:57
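Why a login-page OTP tells the bank nothing about the transaction it is approving, and how binding the code to the transaction details changes the check, as an added Python example (not code from the commenter or from any bank product). The secret, counter and payee values are constructed for the demo, and mixing the transaction into the key is one illustrative binding design, not a standard.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_otp(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Illustrative transaction-bound code (assumption, not a standard): the
    customer's device derives a per-transaction key from payee and amount, so a
    code generated for one transfer verifies only against that same transfer."""
    bound_key = hmac.new(secret, f"{payee}|{amount_cents}".encode(), hashlib.sha256).digest()
    return hotp(bound_key, counter)


def verify_login_otp(secret: bytes, counter: int, submitted: str) -> bool:
    # Login-page OTP: the bank checks only that the code is current. The check
    # carries no information about which session or transaction it came with,
    # so a code forwarded unchanged within its validity window is accepted.
    return hmac.compare_digest(hotp(secret, counter), submitted)


def verify_transaction_otp(secret: bytes, counter: int, payee: str,
                           amount_cents: int, submitted: str) -> bool:
    # The bank recomputes the code over the transaction it is about to execute.
    return hmac.compare_digest(transaction_otp(secret, counter, payee, amount_cents), submitted)


def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed shared secret
    counter = 42                          # constructed counter value
    intended = ("ACME Utilities", 12_500)  # what the customer saw and approved
    altered = ("Unknown Payee", 950_000)   # what an intermediary substitutes
    login_code = hotp(secret, counter)
    bound_code = transaction_otp(secret, counter, *intended)
    return {
        "login_otp_accepted_regardless_of_transaction": verify_login_otp(secret, counter, login_code),
        "bound_code_accepted_for_intended": verify_transaction_otp(secret, counter, *intended, bound_code),
        "bound_code_rejected_for_altered": not verify_transaction_otp(secret, counter, *altered, bound_code),
    }
```

The RFC 4226 test vectors (secret "12345678901234567890") can be used to confirm that `hotp` is a faithful HOTP before trusting the comparison.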