Comments (Total 1 Comments)
Marco Morana
Posted: 29 March 2009 @ 03:16 | Updated: 29 March 2009 @ 03:51

I believe phishing 2.0 threats require banks to adopt new countermeasures. One of the reasons is, as you rightly pointed out in the article, that previous countermeasures were designed to fight phishing 1.0 and were adopted, at least by US banks, mostly to buy a checkmark from FFIEC auditors. By the end of 2006, most banks in the USA had adopted RSA MFA technologies such as SiteKey and Cyota that are now ill designed to fight phishing 2.0, since they are based on IP geolocation and device fingerprinting that can be spoofed via web proxies, on MiTMable challenge-answer questions, and on same-channel delivery of OTPs.

The question is then how to fight this new threat. In general I think there is a need for application security awareness of new phishing 2.0 threats and MiTM attacks, as well as an understanding of the sophistication of the attacking tools being used (e.g. RBN crimeware tools such as rockphish, storm, asprox).

For a change, I think current phishing 1.0 technologies need to be criticized at CIO level also in terms of total cost of ownership vs. benefit in mitigating fraud. The current industry trend, as I see it, is to mitigate phishing 2.0 with a defense-in-depth approach (client and application) that practically means 1) EV certificates and promoting AV and AS for clients, 2) adding new MFA controls and 3) updated fraud networks.

The problem in my opinion is that the security industry lacks honest validation of the claimed effectiveness of new countermeasures for phishing 2.0 with real, objective data. Ideally financial regulatory bodies (e.g. FFIEC, OCC) also need to come up with new requirements. MFA vendors need to make both the security and the cost vs. benefit cases for phishing 2.0. The best-known solutions such as PKI (e.g. TriCipher), chip ID fingerprinting (e.g. Broadcom USH/Verdasys Sitetrust) and client sandboxing (e.g. Trusteer) lack these data. You make a good case for the mitigations, but what about cost vs. benefit?

Disclaimer: All comments posted in a personal capacity
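The comment's point that same-channel OTPs can be relayed by a man-in-the-middle proxy is easy to see in a small simulation. The following is an added example, not code from the page, the magazine or any vendor named in the comment: a bank verifier that accepts a plain RFC 4226 HOTP approves whatever transfer reaches it alongside a valid code, whereas a code whose HMAC input also covers destination and amount (the "what you see is what you sign" pattern) fails once a relay rewrites the destination. The token seed, account identifiers and amounts are constructed sample values; `UserToken`, `BankServer` and `run_transfer` are names chosen for this illustration.

```python
"""Added illustration (not from the page): a login OTP relayed unchanged through a
man-in-the-middle still verifies, while a code bound to the transaction details
does not authorise an altered transfer. All secrets, account numbers and amounts
are constructed sample values."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    dest: str            # destination account (constructed sample value)
    amount_cents: int


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a fixed-length decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain event-based OTP (RFC 4226). It depends only on the shared secret and
    counter, so it carries no information about which transaction it authorises."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, tx: Transfer, digits: int = 6) -> str:
    """Transaction-bound code: same HMAC construction, but the MAC input also covers
    the length-prefixed destination and the amount, so it is valid only for that transfer."""
    dest = tx.dest.encode("utf-8")
    msg = (struct.pack(">Q", counter) + struct.pack(">H", len(dest)) + dest
           + struct.pack(">Q", tx.amount_cents))
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


class UserToken:
    """The customer's OTP device; keeps its own counter in step with the bank."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def code_for(self, tx: Transfer, bind_to_transaction: bool) -> str:
        # A bound token must display dest/amount to the user before computing the
        # code; the binding only helps if the user signs what they actually see.
        code = (transaction_code(self.secret, self.counter, tx) if bind_to_transaction
                else hotp(self.secret, self.counter))
        self.counter += 1
        return code


class BankServer:
    """Server-side verifier; it only sees the transfer as submitted over the channel."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def approve(self, submitted: Transfer, code: str, bind_to_transaction: bool) -> bool:
        expected = (transaction_code(self.secret, self.counter, submitted)
                    if bind_to_transaction else hotp(self.secret, self.counter))
        self.counter += 1                      # every code is single-use either way
        return hmac.compare_digest(code, expected)


def run_transfer(bind_to_transaction: bool, relay_alters_dest: bool) -> bool:
    """Simulate one transfer; return True if the bank approved what reached it.
    With relay_alters_dest=True a proxy sitting between user and bank rewrites the
    destination while forwarding the user's freshly entered code unchanged."""
    secret = b"constructed-token-seed-not-a-real-key"
    token, bank = UserToken(secret), BankServer(secret)
    intended = Transfer(dest="ACCT-PAYEE-0001", amount_cents=150_00)
    code = token.code_for(intended, bind_to_transaction)      # user signs what they see
    submitted = Transfer("ACCT-OTHER-9999", 150_00) if relay_alters_dest else intended
    return bank.approve(submitted, code, bind_to_transaction)


if __name__ == "__main__":
    for bound in (False, True):
        for altered in (False, True):
            print(f"bound={bound!s:5} altered={altered!s:5} "
                  f"approved={run_transfer(bound, altered)}")
```

The four combinations show the gap the comment describes: with a plain OTP the altered transfer is approved (the code proves the user is present, not what they agreed to), and only the bound code rejects it. The design choice that matters is that the device shows the user the destination and amount on a display the browser cannot control; a bound code computed from details supplied by the same compromised channel would bind to the attacker's values instead.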