This chapter is based on a consulting engagement I performed a couple of years ago for a large international bank. They had never conducted this kind of pen test before, but I'd done a lot of other testing for them in the past so we had a sit-down to talk about what would be a good approach.
A bank has money. It's kind of the motherlode. Money is not only the asset to be protected but the resource that makes that protection possible. Banks prioritize security at every step, in a way that other organizations simply cannot: every build change in any technology, be it a web or mobile application, is reviewed both as a penetration test and a line-by-line code review. Every IP of every external connection is subjected to penetration testing once a year.
What Might Work?
Most users won't have web-to-desktop access and those who do will find it heavily restricted—a VBA macro might make it into a target's inbox but will probably be blocked or the attachment will be deleted by policy regardless of AV hits. A signed Java applet might run in a target's browser but more likely it will be considered a banned technology and blocked at the web proxy. Physical access to the facilities is heavily restricted, and every person in or out will need an electronic access badge. Physical access control only permits one person through at a time with ground sensors capable of determining if more than one individual is trying to enter on a single badge.