Fourteen years ago I warned MyBank (which is not one of my clients; I am one of its) about using Social Security numbers as solid identification. The bank's head of security said he would look into it. Since then, the security at MyBank has gone from bad to worse. It's still a recipe for ID theft.
During a recent tele-banking transaction, I was instructed to enter my bank account and Social Security numbers. MyBank's "new and improved" system was using two pieces of publicly available information as proof-positive remote identification. When I confronted MyBank about this, it took 30 days to fix this gaping security hole.
Last month, MyBank assured me its online banking system was fixed. Logon security was decent: a long, secret account number generated by the bank, my federal EIN, a four-digit PIN and no cookies. As a test, I moved money to American Express and paid Al, a member of my staff.
Several days later, Al screams, "Where's my paycheck?" I had proof I sent it. Amex also said it had not been paid. I had proof I paid it. I called MyBank and asked for proof of receipt of funds by Amex and Al's bank, but was told the bank does not use acknowledgements from online transfers. The most disturbing security aspect is that no one at MyBank could tell me where my money was when it was not in my account and not in Amex's or Al's.
Then security at MyBank plummeted to a new low. The reasonable logon security had been shattered, as the long private code was no longer required. Now my publicly available account number and a mere four-digit PIN were the sole defense of any account that sits on the Internet. The obvious attempt to simplify the user experience is a devastating blow to security. An ATM card only requires a four-digit PIN, but it employs the "something you own, something you know" identification mantra. Silly me for expecting better banking security on the Internet.
When I once more attempted to pay my staff, Al was again the victim. His money was snafued in the labyrinth of MyBank's infrastructure. Without my knowledge or approval, a banking employee: (1) cancelled my payment to Al, (2) issued a payment from my account with something called a "forced check" to Al, (3) withdrew a duplicate payment from my account without my authorization and deposited it in Al's account, and (4) cancelled another payment to Al. The net effect of this security transgression was a cascade of bad checks, overdrafts and the freezing of Al's other accounts.