secure system
how about a simple device with a radio in it, we'll call it a "BankSafe" to please the marketing guys
when you log in to your bank account you just enter your username/accounts number then get a (constantly refreshing) "Please use your BankSafe to verify your identity" page. you pick up your "BankSafe" device, on the screen is a message "Are you trying to log on to online banking using <your ISP>?" you enter a PIN and "confirm". you want to transfer your life savings to someone you get a message "Please use your BankSafe to verify this transaction", you pick it up, on the screen is "Do you wish to transfer £50,000,000 to John Smith?", you enter your PIN and press "confirm". Of course an extendable system would be open to currently unknown future uses (allow the bank to specify custom messages for confirmation).
This could then be extended to your debit card transactions, the delay need not be more than a couple of seconds, so you put your card in like you currently do, wait 2 seconds, then instead of entering your PIN in to the shops machine you enter it in to the "BankSafe" device, press confirm, 2 seconds later the cashier gets a "payment confirmed" back from the bank and trasaction is complete, the same as the current system - with the difference that you enter your PIN in to your own machine, rather than having to trust the machines in every single shop (it's also not fixed in to a location on the checkout where the people around you can see you entering it!). of course you could use RFID as well then so no need to put a card in to the machine, merely take the device out of your pocket, enter PIN, payment made.
The only issue with this system would be radio coverage, however the bandwidth requirement is rather low and would mostly consist of encryption overhead, a low data rate network would be fine for this so would not need more than a few dozen masts to provide acceptable coverage of peoples homes, and for in-shop coverage, the shop has a low power transmitter in it (a small change to the hardware of the credit card machines in use today, to include the RFID reader and the "BankSafe" transmitter - it is already linked to the bank for transactions anyway)
Naturally communications are done using a secure form of encryption, bank sends messages encrypted with your public key and its private key (so you can verify its identity from its public key, and only you can decode it with your private key) and the same in reverse.
The only potential problem I can think of with such a system is online banking from a house outside of the coverage area, but it could have a failure mode that is less convenient but where you can enter a code given by the banks website and it will then give you the relevant confirmation code to give to the banks website.
The inconvenience of carrying the device around would not be a problem if it became universally adopted, as you would soon find mobile phones including "built in BankSafe support" so you can give your bank your phones certificate and you can then authenticate transactions using your phone which most carry with them anyway. and a standard fitting on the top of the checkout machines that you can rest the device in to power it would sort out flat battery problems (battery flat, just plug in to their machine for power, authenticate the transaction, then remove).
Such a system would of course work with multiple bank accounts with a single device, assuming they all used the same standard compatible system and allowed you to register your own device, rather than each sending you a separate device and insisting you use that.
Anyone see any problems with such a system?
Biting the hand that feeds IT
