To be honest, even the business banking security token has been hacked. So now the bank gives me a physical device to go along with the physical token, where you need the device plugged in to your PC to log into the account AND THEN enter the one-time password from the token. Which probably will be hacked in the near future as well.
Back in school, one of my teachers said that the safest computer would be one not connected to any network, locked in a vault, and under constant armed guard... even then he'd not guarantee it. Basically, if someone wants something badly enough, they will get it. However, expiring sessions or denying a session once its IP changes are very rudimentary elements of security. Neither is all that hard, and the latter should be an absolute no-brainer. "What, the client suddenly shifted IP ranges from a NA address to one in China? Oh, who cares." That's.... very bad. **** Facebook won't let you do that; it will make you jump through hoops to log in on a non-recognized device from another IP range, and it alerts the user that all this is happening. I'd hope that a service I am paying for would do at least that.
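The two controls the poster is asking for, session expiry and a hard stop when a live session jumps IP region, are simple enough to sketch server-side. The following is an added example, not code from the thread or from any product mentioned in it. The region table is a constructed stand-in for a real GeoIP lookup (it uses RFC 5737 documentation prefixes), and the 30-minute idle and 8-hour absolute timeouts are assumed values, not anything the post specifies.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed lookup table standing in for a real GeoIP database.
# RFC 5737 documentation prefixes, not real regional allocations.
REGION_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "NA"),
    (ipaddress.ip_network("203.0.113.0/24"), "APAC"),
]


def region_of(ip: str) -> str:
    """Coarse region lookup; addresses outside the table get their own bucket."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_TABLE:
        if addr in net:
            return region
    return "UNKNOWN"


@dataclass
class Session:
    user: str
    ip: str
    region: str
    issued_at: datetime   # for the absolute lifetime
    last_seen: datetime   # for the idle timeout


@dataclass
class SessionStore:
    idle_timeout: timedelta = timedelta(minutes=30)   # assumed value
    absolute_timeout: timedelta = timedelta(hours=8)  # assumed value
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # what the user / SOC would be told

    def create(self, user: str, ip: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, ip, region_of(ip), now, now)
        return token

    def validate(self, token: str, ip: str, now: datetime) -> tuple:
        """Return (allowed, reason). Any denial revokes the session outright."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown_session"
        if now - s.issued_at > self.absolute_timeout:
            self.sessions.pop(token)
            return False, "expired_absolute"
        if now - s.last_seen > self.idle_timeout:
            self.sessions.pop(token)
            return False, "expired_idle"
        new_region = region_of(ip)
        if new_region != s.region:
            # The "NA one minute, China the next" case: deny, revoke, tell the user.
            self.alerts.append((s.user, f"session moved {s.region} -> {new_region}"))
            self.sessions.pop(token)
            return False, "ip_region_changed"
        if ip != s.ip:
            # Same region, new address (mobile roaming, NAT): allow but record it,
            # so a strict per-IP rule does not lock out legitimate users.
            self.alerts.append((s.user, f"ip changed {s.ip} -> {ip} within {s.region}"))
            s.ip = ip
        s.last_seen = now
        return True, "ok"


def demo() -> list:
    """Walk the three failure modes with constructed timestamps; returns the reasons."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    out = []

    tok = store.create("alice", "198.51.100.7", t0)
    out.append(store.validate(tok, "198.51.100.7", t0 + timedelta(minutes=5))[1])
    out.append(store.validate(tok, "203.0.113.9", t0 + timedelta(minutes=6))[1])
    out.append(store.validate(tok, "198.51.100.7", t0 + timedelta(minutes=7))[1])

    tok = store.create("bob", "198.51.100.8", t0)
    out.append(store.validate(tok, "198.51.100.8", t0 + timedelta(minutes=31))[1])

    tok = store.create("carol", "198.51.100.9", t0)
    out.append(store.validate(tok, "198.51.100.9", t0 + timedelta(hours=9))[1])

    out.append(len(store.alerts))
    return out


if __name__ == "__main__":
    print(demo())
```

The region check is deliberately coarse: binding a session to an exact IP breaks for mobile and carrier-NAT users, so the hard deny fires only on a region jump, while a same-region address change is allowed but logged and surfaced to the user, which is the behaviour the poster credits Facebook with.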