Google too naive? The banks' too paranoid? I'd say neither.

It's common sense really. The google code serves no purpose other than to confirm that piece of paper arrived at your address.

Actual physical credit cards are also sent by mail and can be intercepted. A PIN and card may be sent out within a few days of each other. Very often the card arrives in a normal envelope, allowing the possibility of it being intercepted, cloned then resealed and the original sent to the cardholder.

I'd say the banks' extra security of not allowing the PIN to be seen unless the envelope is opened serves two purposes:

1. It gives a perception of being security conscious.

2. It prevents a card from being intercepted, cloned, then a PIN being viewed through an envelope. If the PIN arrived without any signs of being compromised the cardholder could activate their credit card (if this needs to be done) which would allow the fraudster to go on a spending spree with their cloned copy.

Yes a hardware token delivered by FedEx requiring a signature as proof of delivery, with passwords automatically changing every few seconds would be utlimate solution. But it' s also too expensive.

bad things about Google and come up with dumb s**t instead.

Better go back selling kebabs at the local market instead of writing useless articles.