Bank shopping

I'm growing increasingly dissatisfied with my bank, Everbank, and I'm looking for a new one.

First of all, I have had several issues with the security of their website.

  • When you sign in to the secure portion of the site, a new browser window opens with the address bar hidden. Some sleuthing shows that it's a third-party secure site. The site has changed at least once since I opened the account, so I'm never quite sure I've been the victim of a man-in-the-middle attack, and I have no practical way to confirm it. This is akin to going to your local bank to deposit your paycheck, and your teller says, "There's a very well-dressed man out in the alley with a yellow carnation on his lapel. He works for us, though if you ask him for ID he won't be able to prove it. Please give him your paycheck. Don't worry, we're sure you'll recognize him!"
    This is a nice setup for an attacker because you don't even have to spam people with a phishing scam email. Just set up your fake Everbank site by copying all the HTML from the real site, poison a DNS server to redirect everbank.com to your server, then sit back and wait for people to log in to your site. Everbank has already trained its customers to ignore basic security mechanisms by hiding the secure domain and changing it from time to time, so nobody will question that it's suddenly changed to https://stealyourmoney.ru/.
  • For a while the site was forcing me to change my password about once a month. This was tedious because I had to communicate the password change to my wife, and if she ever tried to sign in between the change and my notification, she'd be locked out. I'm sure that the frequency of password changes encouraged people to pick trivially differing sequences of new passwords, such as password1, password2, password3, etc. I called to complain and they said it should happen only once every six months. Since then I haven't been forced to change.
  • Recently the site implemented a mandatory "lost password" feature. It's a frighteningly insecure series of guessable questions, such as favorite food or favorite sports team, or easily researched questions, such as birthplace. (Actually, favorite sports team is both guessable and researchable, since there aren't very many teams in the world, and it's likely to be a major league team near your home.) I did a back-of-the-envelope calculation and concluded that an attacker would be likely to change your password, following brief research, after seven guesses (max 15). I ended up creating a set of gibberish strings, but I was frustrated that my bank designed a system that requires me to misuse it in order to protect my own security.

Today, however, was the last straw. Sometime in late October we received a call, presumably from Everbank, saying that a bunch of their credit card numbers had been compromised and they needed to reissue us a new card. This wasn't a surprise to me given what I'd seen at their website, but oh well. But this morning I finally called to find out why we hadn't gotten the new card, and they said they don't think they ever sent it! That goes beyond bad security; it's plain old bad customer support. (Incidentally, I asked whether they should cancel the new card in case they did send it but it was lost in the mail, and the customer service rep said no, she was pretty sure we'd be OK. Grrrreat.)

Here are the things I'm looking for in my new bank:

  • Standard security: HTTPS at a recognizable domain, a requirement to go through an act of Congress to reset your password, etc.
  • Individual logins for each joint account holder. Theoretically this increases the number of opportunities to guess a password, but it eliminates the need for Mary and me to communicate the shared password to each other, which in my mind is a far greater risk.
  • All the usual cheapo bank stuff -- free checking, etc.
  • Good integration of credit card and checking accounts. Everbank did a good job in this area.

Any suggestions?

About this Entry

This page contains a single entry by Mike Tsao published on November 6, 2004 9:32 AM.