Hacker News
by LinuxBender 1960 days ago
The bank will only do what regulations require them to do. No money will be spent beyond that.

One potential path might be to find a report from the FBI that discusses the financial risks to the banks. Contact the investors of that bank and the government entities that are required to insure the bank and the parent company of the bank. Start the discussion with them about amending and enhancing existing regulatory requirements. Ensure they do not see this as a cost item but only as a marketing benefit to the bank. Depending on how deep you want to go down this rabbit hole, you could start a fundraising effort to get lobbyists to also speak to those investors and governmental insuring entities. Research if additional mitigating controls might lower their insurance costs. Maybe also encourage the banks or parent companies to partner with a set of MFA vendors so they can distribute bank-branded tokens that only work with their banks. Sub-optimal, but it might encourage them as they would see it as bank lock-in. Doesn't really affect end users if all the banks do it. See if you can also get a Congress member to talk to the insuring bodies.

If that doesn't work, get famous people to tweet about it and link to your initiative site that describes the risks and benefits. Public pressure sometimes works.

I should add that if you get traction on this, there should be a way for people to opt out of this and use SMS if they want to. Just require the banks to give them scary-worded things that make them double-opt-in to using SMS.