
It's really nice to see that some banks and sites have good policies. But most sites and banks have absolutely horribly bad security. Afaik, that's one of the best ones I have seen thus far.

It's especially important that part of the target account is used to generate the authentication verification key, because using static or non-content-sensitive confirmation codes is useless.



Exactly - because all of those solutions do not take into account the possible active keylogger which might interfere with the "authentication code". In fact I think here in Belgium there was an incident where chunks of money were stolen from people.

I see what one of the commenters mentioned about the "extra gadget" - but I usually make internet payments at home - so no need to drag this gadget really. Plus, in theory I can use my friends' one - the gadgets are absolutely identical; the "something I have" part is on the card itself, which is in my wallet.
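
An added example, not from the thread or from any bank's implementation, of the point the comments above make: a confirmation code computed over part of the target account fails at the bank when the destination is altered in transit, while a code that ignores the payment content still verifies. HMAC-SHA256, the card key, the account numbers and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

CARD_KEY = b"constructed-demo-key"   # assumption: secret shared by card and bank
INTENDED = "000123456789"            # constructed account the user means to pay
TAMPERED = "000999999999"            # constructed account swapped in by malware


def _truncate(mac: bytes, digits: int = 8) -> str:
    """RFC 4226-style dynamic truncation of a MAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def static_code(key: bytes, challenge: str) -> str:
    """Code over the bank's challenge only: not sensitive to payment content."""
    return _truncate(hmac.new(key, challenge.encode(), hashlib.sha256).digest())


def bound_code(key: bytes, challenge: str, account: str, cents: int) -> str:
    """Code over challenge, last 8 account digits and amount, as typed on the reader."""
    msg = "|".join([challenge, account[-8:], str(cents)]).encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def bank_accepts_static(key, challenge, code, executed_account, cents) -> bool:
    # The executed account never enters the check, so a swap goes unnoticed.
    return hmac.compare_digest(static_code(key, challenge), code)


def bank_accepts_bound(key, challenge, code, executed_account, cents) -> bool:
    # The bank recomputes over the account it is actually about to pay.
    expected = bound_code(key, challenge, executed_account, cents)
    return hmac.compare_digest(expected, code)


def simulate(challenge: str = "48213377", cents: int = 25000) -> dict:
    """User signs a payment to INTENDED; the request reaches the bank as TAMPERED."""
    user_static = static_code(CARD_KEY, challenge)
    user_bound = bound_code(CARD_KEY, challenge, INTENDED, cents)
    return {
        "static_tampered": bank_accepts_static(CARD_KEY, challenge, user_static, TAMPERED, cents),
        "bound_tampered": bank_accepts_bound(CARD_KEY, challenge, user_bound, TAMPERED, cents),
        "bound_honest": bank_accepts_bound(CARD_KEY, challenge, user_bound, INTENDED, cents),
    }


if __name__ == "__main__":
    print(simulate())
```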



