My bank (NatWest, terrible) told me to never give my information to anyone who calls me and asks for it. Every time they ring they then ask me for my details for 'security purposes'.
Then again, that seems mild now that I've found out they don't keep auditing logs of the changes their employees make to customers' accounts.
There are also lots of cases of online banking being compromised by really basic attacks (such as a CSRF attack that could be used to transfer money to an account of the attacker's choosing).
Banks aren't actually that secure. They merely spend a lot of time engaging in very expensive hand-wavey security theatre to convince us that they are secure - not to mention using expensive lawyers and unfair libel law (I am in the UK) to shut up security researchers that find problems. The reason that they are so frequently observed acting contrary to best security practices is because they are not actually particularly good at security.
Financial services generally aren't in the business of security. They're in the business of risk management. Once you understand that distinction, much of what they do makes sense.
Unfortunately, some unhappy conclusions for the customers of these services do logically follow, starting with the fact that if you're not a huge customer, the financial services have little natural incentive to care about the safety of any assets/investments they handle for you. If something very bad happens, you might be an acceptable loss relative to the cost of mitigation, right up to the point of fighting you in court and then losing anyway. You personally might suffer greatly for any losses, and even if it's ultimately put right you might suffer months or years being dragged through the system, but no employee at any financial service is personally going to lose any sleep over your case.
This is why it is necessary to have regulators with teeth in financial industries. Any lapse that could cause significant harm to a customer should also potentially cause significant harm to the financial service. An ongoing pattern of such lapses should cause severe damage to the service's bottom line and eventually it should become an existential threat to the financial service itself, preferably with safeguards to ensure that the management and/or shareholders can't just escape using the technicalities of incorporation. Without this sort of counter-balance, the numbers will always be in favour of trampling on the little guy, and if there's one industry that runs on the numbers more than anything else, it's financial services.
This! Much of what ails common people when they face up to financial institutions in general and banks in particular could be attributed to your observation. I've read substantially over the last few years on what's gone wrong with financial institutions and how they should not be autonomous but nothing comes close to the clarity with which you have summarized it.