This afternoon I've just been dealing with my bank, the Student Finance Direct call-in line and a few other bureaucracies and I have come to a rather saddening conclusion: they all fail at security. 
Huge chunks of the data used for validation are actually public, and not exactly difficult to piece together. Let's run through a few of them.
Date of birth: Student Finance Direct uses the day and month of a person's date of birth as a default PIN, which means people won't change it. This information is widely distributed. A person's friends and family will know their date of birth, or at least they will know what day and month it is, even if they don't know the year. It seems almost half of my Facebook friends have their full date of birth prominently displayed on their profiles. 
Student Finance Direct also uses National Insurance numbers, which are sent through the post. Not only are they sent through the post, but they are basically public inasmuch as every time you work for a company, your number is given to that company so that National Insurance contributions can be paid. Whenever you apply for any kind of means-tested financial support, your NI number gets distributed with it.
My bank has a set of useless security questions: firstly, it has parental first names. These are listed on one's birth certificate, which can be obtained from the Register of Births, Marriages and Deaths very easily. This is now queryable online through services like Ancestry.co.uk for a small monthly fee. There are also numerous online genealogy communities where this information is shared quite publicly. 
Another question my bank asks is my first school. I mean, who would ever know that? Oh, only a hundred odd other people who went to the same school as me. Not to mention anyone with a damn FriendsReunited account, or who I list as a friend on Facebook. My educational background is also probably listed on a few other social networking services like LinkedIn. We are all collectively relying on Robert Scoble not getting hacked to protect our privacy. I just checked Facebook - I've got 169 friends on there, which consists of a mixture of school and university friends, and a lot of friends from conferences, BarCamps, fellow bloggers and so on. Just got to have faith none of them are trying to break their way into my bank accounts (hint: I wouldn't bother, I'm a student). 
Schools are also a really bad string to choose for people in the United Kingdom. A great many schools in this country are church schools, often named after saints. "St. John's" could quite easily be "St John's", "St Johns", "Saint Johns", "Saint John's", "St.John's", "St.John" or a few other combinations of punctuation. And is it "St. John's Catholic Primary School", "St. John's Roman Catholic Primary School", "St. John's School", "St. John's Primary School", "St. John's Roman Catholic Primary" and so on? Add into the mix that the last time most of us had meaningful interaction with our primary schools was when we were trading Pogs in the playground, and it's hardly a recipe for reliable memories. But if you don't get every single character right, you get locked out of your account.
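The exact-match lockout described above is avoidable on the bank's side. As an added example (not code from the post or any bank), here is how a free-text security answer can be canonicalised before it is hashed and compared, so that the punctuation and filler-word variants of "St. John's" listed above all verify against one stored digest. The filler-word list and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata
from typing import Optional, Tuple

# Words that vary between ways of writing the same school name (assumed list).
FILLER = {"school", "primary", "secondary", "junior", "infant", "infants",
          "catholic", "roman", "rc", "the", "of"}


def normalize_answer(answer: str) -> str:
    """Reduce a free-text answer to a canonical form before hashing.

    Steps: strip accents, lower-case, expand "Saint" to "St", drop
    apostrophes (so "John's" and "Johns" agree), turn other punctuation
    into spaces, and remove filler words such as "Roman Catholic Primary".
    """
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = re.sub(r"\bsaint\b", "st", text)
    text = re.sub(r"['\u2019]", "", text)
    text = re.sub(r"[^a-z0-9]+", " ", text)
    tokens = [t for t in text.split() if t not in FILLER]
    return " ".join(tokens)


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted, stretched hash of the canonical answer."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, 100_000)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Compare in constant time; the candidate is canonicalised the same way."""
    probe = hashlib.pbkdf2_hmac("sha256", normalize_answer(candidate).encode(),
                                salt, 100_000)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    # Constructed sample: enrol one spelling, verify with another from the post.
    salt, digest = enroll_answer("St. John's Roman Catholic Primary School")
    print(verify_answer("Saint Johns", salt, digest))       # True
    print(verify_answer("St. Mary's Primary", salt, digest))  # False
```

Canonicalisation removes a little entropy from an answer that, as the post argues, had very little to begin with; it fixes the lockout problem, not the fact that the answer is discoverable.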
My place of birth isn't exactly private either. That's on the Births, Marriages and Deaths register. And once you find my entry in the BMD, it doesn't take much work to figure out my mother's maiden name, since you can cross reference my parents from my birth listing to their marriage listing. 
All this stuff is just cargo cult security. You see that everyone else is doing it, so you copy. And, well, when you next log in to your bank's online service, you get this warm feeling that, well, nobody else could possibly get through this security procedure.
It's not like it's difficult to do this stuff properly. You can quite easily request that I send you verifications that have been signed digitally. I guard my GPG and SSH private keys very carefully. Why not do certificate-based authentication? And when they issue the certificate, they phone you up to confirm you want that certificate created. There, problem solved. For the customers who have got GPG, there's no need to send them anything by post. We've got e-mail, and we've got a GPG key. You could sign it if you really want to. I mean, I come into the bank, the bank manager checks that I am who I say I am, then signs my GPG key. And his GPG key would be signed by the bank. 
The sort of security measures I go to? Well, if I walk away from my computer - even in an empty house to walk down the corridor - I hit a key combo to lock the computer and all my keychains. It's now almost a reflex action - I stand up, computer gets locked. Before I put the machine to sleep, I lock. I'm not quite as paranoid about security as this guy, but his is the sort of thing you should aim for. That said, my data is now out there. It's on my blog, on Facebook and a few other places. So, when designing security, you need to do it properly rather than relying on my personal data being obscure. Because, these days, it's public. I'm not to blame for not being a hermit, you are to blame for presuming people don't exist in a community. 
Due to the security cargo cult at my bank, I'm having to wait a week before I can transfer any money to or from one of my accounts. Well, having screwed me around for the last time, I'm going to make one final withdrawal. No more. Can someone please recommend me a UK bank that has a security policy that is actually designed by someone competent? 
