Yeah, but you typically need other user data to validate their banking. Obviously it's good that people aren't grabbing the data, but lets be honest here: there is still a class of people who don't really know how to protect themselves online etc. Therefore to capture this data is not that hard, you just need to be persistent - stalking their rubbish, having key info etc.