by jeltz 5057 days ago
There is no reason for banks to have any security questions at all, or even passwords. They can mail security tokens to all their customers and rely on the post office validating the identity of the customer. And if the security token breaks or is lost they can just mail a new one.

This is what all or virtually all Swedish banks do.

Only websites where the users need instant access or you have a low profit per user cannot afford security tokens. Banks are obviously not included here.

2 comments

My bank (a credit union actually) requires you to come in to a branch office during normal business hours if you need to get your password or ATM PIN number changed, or if you've tried the wrong password too many times and locked your account.

They also use two-factor auth on logins from new computers (or when you've cleared your cookies).

No, they can't rely on the post office. The workers there aren't paid that well, after all, and some of them would probably be quite happy to take money on the side to make a few security tokens disappear into the hands of a fraudster.

They already send credit and debit cards in the mail. Is this substantively different? Do we have widespread problems of postal workers stealing credit or debit cards? What's in place to prevent that, and why couldn't the banks use similar measures with an OTP device?