Wednesday, July 9, 2008

Security Charlatans

One of my banks (for various reasons I bank at several places) has instituted their new "ultra-secure two-factor authentication system." Sigh. I'd love to find out who actually designed and sold them the system, so I could publicly humiliate them by name ...

...because it isn't "ultra-secure" nor is it really two-factor. One factor twice is NOT the same as two-factor. The idiot(s) that purchased this new system for the bank should have done some basic research.
For those who aren't certain what I'm talking about, either check Wikipedia or listen up (although I'm telling you the same thing, just simplified) -- there are 3 common "factors" that you can authenticate someone by.

  • Something you KNOW -- like a password, a PIN, your SSN, a special handshake, or which picture is a kitten
  • Something you HAVE -- a random number generator, a CAC, an embedded RFID tag, or a physical key (preferably something difficult to duplicate)
  • Something you ARE -- your DNA, retinal scan, fingerprint, voice, etc.

If you have a system where the user has to enter a password and then another password, no matter how tricky you are (even if the second password is entered by pushing randomly jumbled buttons on-screen instead of typed), it is still ONLY a single-factor system. Is it stronger than a single password? Sure... but I don't care how many passwords or PINs you make someone enter...
There is no multiple of single factors that is as secure as a single multiple factor.
The other part of their security? They set a cookie on your machine. *THAT's* their multi-factor ultra-secure system... TWO PASSWORDS AND A COOKIE? Yikes. And the very best part? If you don't have the super-special cookie because you're hacking, er, logging in from somewhere else? You can just tell them to ignore it and let you in anyway. Sigh, again.
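To make the "one factor twice is not two-factor" point concrete, here is an added example (my own illustration, not anything from the bank or the post): a small evaluator that counts only the distinct factors a login actually enforces, plus an RFC 4226 HOTP check standing in for the "random number generator" token that is a genuine something-you-HAVE factor. The credential labels, the bank-scheme model and the token secret are all constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Hypothetical labels for the three factors described in the post.
KNOW, HAVE, ARE = "know", "have", "are"


@dataclass
class Credential:
    name: str
    factor: str            # KNOW, HAVE or ARE
    required: bool = True  # False when the site lets the user skip it


def effective_factors(creds):
    """Distinct factors the login really enforces.

    Two passwords are both KNOW, so they collapse to one factor; a cookie the
    user can simply tell the site to ignore is not enforced, so it adds nothing.
    """
    return {c.factor for c in creds if c.required}


def is_multi_factor(creds):
    return len(effective_factors(creds)) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a hardware token (something you HAVE) displays."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_check(secret: bytes, counter: int, submitted: str) -> bool:
    """Server-side check of a submitted token code (constant-time compare)."""
    return hmac.compare_digest(hotp(secret, counter), submitted)


# The bank's scheme as the post describes it: two passwords and a skippable cookie.
BANK_SCHEME = [
    Credential("password", KNOW),
    Credential("second password via on-screen keypad", KNOW),
    Credential("browser cookie", HAVE, required=False),
]

# An honest scheme: a password plus a code from a token the user must possess.
HONEST_SCHEME = [Credential("password", KNOW), Credential("token code", HAVE)]
TOKEN_SECRET = b"12345678901234567890"  # constructed; RFC 4226 test-vector secret
```

Running `effective_factors(BANK_SCHEME)` yields only `{"know"}`, while the honest scheme yields two factors and its token code can be verified with `token_check`.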
My task now is to find a financial institution that uses honest-to-goodness multi-factor. So far all I can find is PayPal.
