And how about those security issues alluded to in the announcement yesterday? I hope they just dumbed it down for PR, but it sounded like the solution was to reduce the session timeout. I don't see how that fixes anything, because it looked like it was allowing access to accounts without validating the session/auth cookie on the server side. Either way, it doesn't speak well for their development and QA practices, not to mention deposit security (#6 in the OP).
Agreed. It should've involved more than just session-timeouts. Changing IP should've broken the trust-chain as well as a number of other factors. Transferring ownership should've reset "all" session-cookies ...
Best practices -- they're all out there, but greed prevents the necessary ongoing research.