The main problem here is the banks relying on an untrusted device as second factor.

Only immutable devices should be allowed as second factor.