This seems pretty common with a lot of banks. I've got accounts with several high street UK banks and almost all of them have some kind of reliance on SMS, maximum password requirements (like 10 letters with no symbols) or 'secret words' where you have to pick a few choice letters from a word which is presumably kept in plain text.
I can only assume they are relying more on legal recourse and insurance than data security experts and I assume that if a hack did happen I would be reimbursed but it's a bit of a worry.
With Barclays you can rely solely on the card reader and disable login using "memorable data". Lots of other banks in the UK offer card readers (off the top of my head, Barclays, Nationwide, Natwest).