This shouldn’t be the least bit surprising, but it’s downright humiliating how bad our security habits are with our top financial institutions when you take a look at large criminal enterprises. If fraudsters and entry-level terrorists can be bothered to use robust authentication security, why can’t the good guys?

“If you are a seller on Alphabay — a darkweb site that sells ‘drugs, stolen data and hacking tools,’ you’ll have to use two-factor authentication (based on PGP/GPG) for all your logins,” said the depressing story in BoingBoing. “Alphabay requires you to use a unique seven-word phrase to recover passwords (as opposed to easily researched questions like high-school football team, mother’s maiden name, etc), and says there is no way to recover a lost password without this phrase. Finally, Alphabay requires a four-digit PIN to transfer bitcoin to your personal wallet.”

The point of the piece is that criminal sites—precisely because they don’t have the protection of law enforcement—are often targeted in phishing attacks. But the point of our piece is that crooks and terrorists are as lazy and work-averse as any of us. And yet their customers seem quite willing to engage in routine authentication processes. Tell me again why every financial player can’t?