First of all they use a totally webbased solution. You don't have to use a smartcard reader or install a software on your computer to secure the authentification. You just have to type in your password and some codes (looks like the token system used elsewhere) and that's all folks. This is not at all the best solution. You should have something (secure) that you can't have as easily online.
During the hearings in the Parliament, Luc Beirens our Digital Crime Supercop said that "Belgian banks were safe because they were using a two-level authentificatio" method with smartcards and readers and that for example Brazilian banks were only online passwords were used were much less safer and that people were losing more money that they were earning."
But some Belgian banks and authentification methods aren't much better. Maybe instead of saying all the time that everything is safe and that people who want to test before trust are scaremongers that should be silenced, one should reinforce the audits and obligations before.
Secondly I could copy all the code and the images from the login page.
Thirdly If I would like to buy a name that looks more or less the same, I could do so because dns.be has been so kind to sell http://www.bpobanking.be/ (the official site is bpo-banking.be) to a speculator who is ready to sell it to anyone. This is even against the Belgian law on domainnames. It is obviously been sold to be sold without any legal rights to it. It is even against the rules of DNS.Be but those aren't really controlled and enforced. Or it strongly looks this way.