This is great when the bank only has a few hundred accounts. Sure, it is unlikely to guess a single individual, but a thief probably doesn't care who they steal from.
I just called my bank to double-check, and now 6-character passwords with letters and numbers are allowed, a truly massive improvement!
What I don't understand is: now that all bank cards in Canada have a smart card embedded, why can't they just hand out $5 card readers and use those for e-banking? Every major browser and OS supports this stuff right out of the box.
If you lock the account, you allow a trivial DoS. If you lock the IP, anyone with a botnet can trivially work around it. And with enough accounts, you can just scan the entire space of (possible) accounts for anyone with a particular PIN.
Every bank I have used will lock the account after a small number of failed attempts; sure, it's a DoS, but that's the price you pay. You are right about the botnet workaround, but if you have one you can just watch people logging in without needing to brute force anything! The real problem for people who break into bank accounts is where to transfer / spend the money so that it can't be traced.
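The trade-off argued over in the two posts above (per-account lockout is a DoS, per-IP lockout falls to a botnet, and with enough accounts you just spray one PIN across all of them) is easy to see in a toy model. The following is an added example written for this page, not code from anyone in the thread or from any bank: it assumes 4-digit PINs drawn uniformly at random (real users choose far less uniformly, which only helps the attacker), a lockout after 3 consecutive failures per account, a block after 50 failures per source address, and a constructed pool of bot identifiers standing in for source IPs.

```python
"""Per-account lockout vs. a PIN spray across the whole account space.

Toy model constructed for this thread (not a real bank's logic): uniform
random 4-digit PINs, lockout after LOCKOUT_THRESHOLD consecutive failures
per account, and a block after IP_FAILURE_CAP failures per source address.
"""
import random

PIN_SPACE = 10_000          # 4-digit numeric PIN -> 10^4 possibilities
LOCKOUT_THRESHOLD = 3       # account locks on the 3rd consecutive failure
IP_FAILURE_CAP = 50         # a source address is blocked after this many failures


class Bank:
    """Minimal login endpoint with the two throttles discussed in the thread."""

    def __init__(self, pins):
        self.pins = dict(pins)                  # account -> correct PIN
        self.failures = {a: 0 for a in pins}    # consecutive failures per account
        self.locked = set()                     # locked accounts (the DoS side effect)
        self.ip_failures = {}                   # source address -> failure count
        self.blocked_ips = set()

    def login(self, account, pin, src_ip="10.0.0.1"):
        if src_ip in self.blocked_ips:
            return "ip_blocked"
        if account in self.locked:
            return "locked"
        if self.pins[account] == pin:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked.add(account)
        self.ip_failures[src_ip] = self.ip_failures.get(src_ip, 0) + 1
        if self.ip_failures[src_ip] >= IP_FAILURE_CAP:
            self.blocked_ips.add(src_ip)
        return "fail"


def random_bank(n_accounts, seed=0):
    """Constructed population of accounts with uniform random PINs."""
    rng = random.Random(seed)
    return Bank({a: rng.randrange(PIN_SPACE) for a in range(n_accounts)})


def brute_force_one(bank, account, src_ip="10.0.0.1"):
    """Classic brute force of one account: walk the PIN space in order.
    With a per-account lockout this dies after LOCKOUT_THRESHOLD wrong guesses."""
    for pin in range(PIN_SPACE):
        result = bank.login(account, pin, src_ip)
        if result == "ok":
            return pin
        if result != "fail":
            return None      # account locked or source blocked: give up
    return None


def spray(bank, pins, ip_pool):
    """Reverse brute force: a few PINs against every account, never enough
    failures on any one account to trip its lockout, rotating through the
    bot pool so that no single source address reaches IP_FAILURE_CAP."""
    if len(pins) > LOCKOUT_THRESHOLD - 1:
        raise ValueError("too many PINs per account: would trigger the lockout")
    compromised = {}
    attempt = 0
    for account in bank.pins:
        for pin in pins:
            src_ip = ip_pool[attempt % len(ip_pool)]   # round-robin over bots
            attempt += 1
            if bank.login(account, pin, src_ip) == "ok":
                compromised[account] = pin
                break
    return compromised


def expected_hits(n_accounts, n_pins):
    """Expected number of accounts a spray opens under uniform PINs."""
    return n_accounts * n_pins / PIN_SPACE


if __name__ == "__main__":
    bank = random_bank(100_000, seed=1)
    guesses = [1234, 1111]                         # two guesses per account
    bots = [f"bot-{i}" for i in range(5_000)]      # constructed stand-ins for bot IPs
    hits = spray(bank, guesses, bots)
    print(f"{len(hits)} accounts opened (expected ~{expected_hits(100_000, 2):.0f}), "
          f"{len(bank.locked)} accounts locked, {len(bank.blocked_ips)} sources blocked")
```

Running the script shows the asymmetry the posts describe: walking the PIN space on one account locks it after three guesses, while two guesses spread across 100,000 accounts open about 20 of them without locking a single account or tripping the per-source cap, because 200,000 attempts spread over 5,000 bots is 40 failures each. Cut the pool to one address and the same spray is blocked after 50 failures, which is the only thing the per-IP rule buys.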