Re: prove it
They tried that - by bundling near-obligatory "fraud prevention" windows only software.
HSBC tried that, a few others as well. Forgot what it was called, named after some dog breed.
I tried to point them that they are offering an insecure redirect to an insecure download out of a hijackable non-https page to do that. Not just that, the whole set-up was asking to be abused for phishing or cross-site-scripting attacks. All of these rather simple thoughts could not be parsed by whoever is in charge of that part for them. I also tried to point to them that there is no way in hell you can run that crapware on a Mac or Linux, that did not parse either. Same result - it was like trying to teach a macaque quantum mechanics.
All in all - I did not get very far and after a litany of failures from HSBC security dept I fired them. With great pleasure. Moved my business elsewhere which is marginally better.
The truth is, nearly all management in charge of retail electronic commerce security in a most UK banks is as incompetent as you can find and then some.