Hacker News

This isn't akin to waving a gun at a teller. This is akin to handing the teller a huge stack of withdrawal forms with random account numbers on them, and the teller dutifully checking each one, ignoring the ones with invalid numbers (most of them), and handing over the account contents for all the valid ones. This doesn't work, because the teller acts as security: if something is amiss in the implied security checks, to wit there is no reason one person should be submitting requests regarding lots of account numbers, esp. when most of them are invalid, she'll have alerted management & security within seconds of seeing the bizarre request.

Your subsequent analogy/justification/complaint is only valid if ONE doctored URL were used. My bank, Chase, does in fact implement security against such a "lots of random account numbers" attack: not only must the account match, but the MAC/IP address, browser/cookie, and other under-the-hood identifiers must line up; any mismatch between account number and access tools initiates emailing or texting a verification code to a known address/phone, which then must be submitted to close the loop of verification and, only then, allow access. Not running some kind of "one account per access device" sanity check is insane.

It's not about one rivet being out of place - such vulnerabilities are understandable. It's about having an uncovered vent lead straight to the reactor core - that's stupid.
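The "teller" check in the comment above, written out as detection logic over access-log lines. This is an added example, not code from the thread or from any bank: the log format (`<source_ip> <account_number> <result>`), the IP addresses, account numbers and thresholds are all constructed assumptions. It flags a source that requests many distinct account numbers, or whose requests are mostly for numbers that do not exist, while leaving a shared family computer that reaches a handful of valid accounts alone.

```python
"""Flag sources that request many account numbers, most of them invalid.

Added example for the teller analogy; not code from the thread or from any
bank. The log format, IP addresses, account numbers and thresholds are
constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample access log: "<source_ip> <account_number> <result>".
# 198.51.100.7 walks a range of numbers (the "stack of withdrawal forms"),
# 203.0.113.5 is one customer who mistyped once, 192.0.2.44 is a shared
# family computer legitimately used for three accounts.
SAMPLE_LOG = """\
198.51.100.7 4417020 notfound
198.51.100.7 4417021 ok
198.51.100.7 4417022 notfound
198.51.100.7 4417023 notfound
198.51.100.7 4417024 notfound
198.51.100.7 4417025 notfound
198.51.100.7 4417026 notfound
198.51.100.7 4417027 ok
198.51.100.7 4417028 notfound
198.51.100.7 4417029 notfound
198.51.100.7 4417030 notfound
198.51.100.7 4417031 notfound
203.0.113.5 5500123 ok
203.0.113.5 5500132 notfound
203.0.113.5 5500123 ok
192.0.2.44 6100001 ok
192.0.2.44 6100002 ok
192.0.2.44 6100003 ok
"""


@dataclass
class SourceStats:
    attempts: int = 0
    invalid: int = 0
    accounts: set = field(default_factory=set)  # distinct numbers requested

    @property
    def invalid_ratio(self) -> float:
        return self.invalid / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (ip, account, result), or None for a blank or malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def tally(log_text: str) -> dict:
    """Per-source counts of attempts, invalid-number requests and distinct numbers."""
    stats = defaultdict(SourceStats)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, account, result = rec
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if result != "ok":
            s.invalid += 1
    return dict(stats)


def flag_sources(log_text: str, max_accounts: int = 5,
                 max_invalid_ratio: float = 0.5, min_attempts: int = 8) -> dict:
    """Map each suspicious source IP to the list of reasons it tripped.

    The ratio test only applies once a source has made min_attempts requests,
    so a single typo from a real customer does not trip it.
    """
    flagged = {}
    for ip, s in tally(log_text).items():
        reasons = []
        if len(s.accounts) > max_accounts:
            reasons.append(f"{len(s.accounts)} distinct account numbers requested")
        if s.attempts >= min_attempts and s.invalid_ratio > max_invalid_ratio:
            reasons.append(f"{s.invalid}/{s.attempts} requests for invalid numbers")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed log only 198.51.100.7 trips both tests; the mistyping customer and the shared family computer are left alone. In a real deployment the same tally would be kept per session cookie and per authenticated user as well as per IP, since a scanner can spread requests across addresses.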



> Not running some kind of "one account per access device" sanity check is insane

So I would need different accounts for my personal computer, my laptop, office computer and the computers of my parents? I regularly work on all of those.


It's a sanity check, not an absolute limitation. My bank DOES (as I detailed) require positive-feedback verification that any attempt to use more than "one account per access device" is in fact authorized by the account holder. Any time I use a new access device, they email/text to a known address/phone a verification code which I must feed back before the login proceeds. The sanity check is: if the account is being accessed from a device not used before, the legitimacy is suspect until confirmed.

This is in contrast to the lead story, where some 200,000 accounts were accessed from a very small number of computers clearly not authorized by the account holders - achieved because not even a basic sanity check was performed. Heck, the servers didn't even notice that no login process was performed for the accounts, much less track which devices the account holders tended to use.
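The new-device check described in the comment above, modelled in code. This is an added example, not code from the thread or from any bank. One server-side detail worth noting: a client's MAC address never reaches a web server across the internet, so the device fingerprint here is built from what the server does see, the source IP, the User-Agent and a long-lived device cookie. The six-digit code, the three-try limit and the `send_code` callback (which stands in for the bank's email/SMS delivery) are assumptions of this example.

```python
"""Step-up verification when an account is used from a device not seen before.

Added example modelling the check described in the thread; not code from the
thread or from any bank. Device identity is keyed on what a server can
observe (source IP, User-Agent, device cookie); the 6-digit code, the
three-try limit and the send_code callback are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

MAX_TRIES = 3      # wrong codes allowed before the pending code is discarded
CODE_DIGITS = 6


def fingerprint(ip: str, user_agent: str, device_cookie: str) -> str:
    """Stable identifier for an access device, from the server's point of view."""
    raw = "|".join((ip, user_agent, device_cookie)).encode()
    return hashlib.sha256(raw).hexdigest()[:16]


class StepUpGate:
    def __init__(self, send_code):
        self.send_code = send_code        # delivers the code to a known email/phone
        self.known = defaultdict(set)     # account -> device fingerprints enrolled
        self.pending = {}                 # (account, fp) -> [code, wrong_tries]

    def login(self, account: str, ip: str, user_agent: str, device_cookie: str) -> str:
        """Return 'allow' for an enrolled device; otherwise send a code and 'challenge'."""
        fp = fingerprint(ip, user_agent, device_cookie)
        if fp in self.known[account]:
            return "allow"
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[(account, fp)] = [code, 0]
        self.send_code(account, code)
        return "challenge"

    def verify(self, account: str, ip: str, user_agent: str,
               device_cookie: str, code: str) -> bool:
        """Close the loop: the right code from the same device enrols that device."""
        key = (account, fingerprint(ip, user_agent, device_cookie))
        entry = self.pending.get(key)
        if entry is None:
            return False                  # nothing pending, or already burned
        expected, tries = entry
        if not hmac.compare_digest(expected.encode(), code.encode()):
            entry[1] = tries + 1
            if entry[1] >= MAX_TRIES:
                del self.pending[key]     # force a fresh login and a fresh code
            return False
        del self.pending[key]
        self.known[account].add(key[1])
        return True


if __name__ == "__main__":
    outbox = []
    gate = StepUpGate(lambda acct, c: outbox.append((acct, c)))
    home = ("198.51.100.7", "Mozilla/5.0", "dev-cookie-1")   # constructed
    print(gate.login("4417021", *home))                        # challenge
    print(gate.verify("4417021", *home, outbox[-1][1]))        # True
    print(gate.login("4417021", *home))                        # allow
    print(gate.login("4417022", *home))                        # challenge
```

The last two calls are the point of the thread: an enrolled device gets straight in for its own account, but the same device touching a second account is challenged again, so a scanner walking account numbers from one machine is stopped at every account, not just the first. The pending code is looked up by account and device together, so a code delivered for one device cannot be replayed from another.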


I think you're missing the point (or I'm inferring it incorrectly), that, put simply, there is a cost associated with implementing the security measure (both to build it and the inconvenience to customers) which in some cases outweighs the potential cost of the exploit.


Of course cost/benefit ratios should be considered. Not much point to debating that when it's obvious they weren't.

The lock on the front door was good, but the only thing that protected the bank until now was that nobody tried the windows & safes on the assumption that they would, in fact, be locked.

That's not weighing costs, that's being criminally negligent.


Like the Death Star...




