When will people learn...
I've maintained a health care spending account over the last year. An outside company manages the account and provides web access to view balance information, spending, etc. I have always been frustrated by this site since they require a phone call during business hours in order to reset your password. But hey, it works and isn't too annoying.
After you enter your account number you move to the next "control". The screen asks you to enter a one-time password which has been mailed to the email account listed in the account. I went along with things and logged into my email, retrieved the passcode and entered it into the site. But then I got curious. A quick ctrl+u and I found something that should have died years ago... The security code which was emailed to my account for "security purposes" was sitting there in a hidden post variable for all to observe.
The moral of this story? If you are going to spend money on security solutions (because we all know how it ends up costing quite a bit of $$ to get anything coded) then make sure the security you are paying for actually works.
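The flaw described above next to a server-side alternative, as an added example that is not the site's code: the first function reproduces the hidden-field pattern, and the rest keeps the expected code out of the response entirely. The function names, the `expected` field name, the session id key and the in-memory store are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

def render_form_vulnerable(code: str) -> str:
    # The pattern from the post: the emailed code is echoed into the page source.
    return ('<form method="post"><input type="hidden" name="expected" '
            f'value="{code}"><input name="code"></form>')

def render_form_hardened() -> str:
    # Nothing secret in the response; the server keeps the expected value.
    return '<form method="post"><input name="code"></form>'

class OtpStore:
    """Server-side OTP state keyed by session id (in-memory, for the demo)."""
    def __init__(self, ttl=300, max_attempts=5):
        self.ttl, self.max_attempts, self._pending = ttl, max_attempts, {}
        self._key = secrets.token_bytes(32)  # per-process key for the stored digest

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits
        self._pending[session_id] = [self._digest(code), time.time() + self.ttl, 0]
        return code  # handed to the mailer only, never written into the HTTP response

    def verify(self, session_id: str, submitted: str) -> bool:
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        digest, expires, attempts = entry
        if time.time() > expires or attempts >= self.max_attempts:
            del self._pending[session_id]  # expired or locked out: force a new code
            return False
        entry[2] += 1
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[session_id]  # single use
            return True
        return False

def response_leaks_code(html: str, code: str) -> bool:
    # Regression check: the issued code must not appear anywhere in the page.
    return code in html
```

A check like `response_leaks_code` fits in an integration test that issues a code and then scans every response body served before verification.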