I'm thinking that Citibank will cease to be a target if they give (ok, it's a bank - sell) their subscribers a hardware token that requires the presence of the ATM card when the customer wants to use online banking facilities... as several banks here in the Netherlands do.
This is a social engineering attack. As long as you can convince the user to cooperate, you can subvert technological counter-measures. When you add the ability to subvert the communication device (computer, telephone, etc.), it gets even more interesting. The scam may even occur in multiple parts using different forms of communication (email, web, fax, phone, mail) for different parts of the scam. Yes, it is possible to subvert smartcards, one-time hardware tokens (SecurID), biometrics, etc. They are not just academic attacks; they have been successfully attacked in the wild. Brute force isn't needed when you can subvert other parts of the system, which includes the human. Scams also use other mediums. Here is an example: http://www.fincen.gov/stoporder.pdf