There are lots of questions and there are a number of possible answers.  I would have your friend research Social Engineering and Phishing.  But here is the question, why are you researching and not yoru friend?  For a book such as this to be successful, he would best partner up with a security pro who may specialize in financial security environments. 

Sorry I can't be more help.

I'd tell them to read these at a minimum:
http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X/ref=sr_1_2?ie=UTF8&qid=1324396072&sr=8-2

http://www.amazon.com/Art-Intrusion-Exploits-Intruders-Deceivers/dp/0471782661/ref=sr_1_3?ie=UTF8&qid=1324396072&sr=8-3

He has a relatively new book out, but I haven't had a chance to read it yet.

That's going to answer a lot of those questions. I don't think they're in a place to understand anything more technical. If they do, they should check out the Stealing the Network series: http://www.amazon.com/Stealing-Network-Complete-Collectors-Chapter/dp/159749299X/ref=sr_1_2?s=books&ie=UTF8&qid=1324396407&sr=1-2

It really depends on how technically accurate they want to be. Things like CSI can be extremely popular but are nowhere near technically accurate. The general public doesn't know any better, so how amount of effort they want to invest in this really depends on their market and personal goals. When in doubt, just say the attackers, "buffer-overflowed the server's firewall," and 99.9% of the public would be impressed.

Hey Svxx,

Welcome aboard. I'll try to offer some light in having a take at the questions! Though I'm not offering all solutions here I want to throw out a few the bad guys would use here in the real world.
1) Definitely possible. Attacks happen all the time anywhere. It all comes down to your targets' security they have implemented but even then, the attackers will always find a way in.

2) Assuming there's an insider, this can contribute a lot to pulling off a successful attack. The insider could provide a listing of the software they run on the banks machines, which could possibly aid in Client-Side Attacks. He could gather up other inside information on employees if needed, he would be able to map out the Network Topology, and this insider could even be used to pull off physical attacks.

3) Being good guys and being given permission to perform audits, I'm not too sure how many of us focus on being, 'untraceable' as much as we try to go un-noticed by IDS/IPS solutions out there. We don't want to send up a red flag. To carry out this type of a scam and attempt to try to be untraceable, an attacker could attempt to compromise a list of target machines and utilize those to pull off the attack. Of course, attacking from a public wifi spot or breaking into a protected network and hacking from that are what bad guys do also. Proxies and proxy-chaining are also useful here. I would imagine these put into use big time when carrying out illegal activity.

4) The attacker could get a hold of the local password hashes on the banking systems and take them offline and attempt to crack them with 3rd party tools. 3xban mentioned phishing, which is another common route attackers use to harvest passwords. These all play a big role. The common process mainly depends on if your doing offline/online password cracking. Will the attacker be attempting a dictionary attack on the ssh or ftp service? A valid username will need to be known. The accomplice could assist in gathering valid usernames of the target infrastructure. If it's offline password cracking, 3rd party tools could be used as mentioned.

5) Hardware key loggers definitely come to mind here. Especially when dealing with obtaining passwords and all sorts of other juicy information. As far as software goes, that could be risky depending on the environment - policies are put in place to attempt to not allow employees from installing software, etc. If the accomplice was able to get a backdoor onto his workstation and let the attacker in and this was discovered, it could be suspected that the accomplice was involved. The accomplice serving as an insider role in the organization could leverage it to the attackers end if an e-mail containing a link to pull off a client-side attack, and the accomplice would be the one to click it to get the attacker on to the network. Of course there's alternatives here.

6) I would say just being an employee would be enough. Of course if the accomplice is one of the IT guys and had more access than the standard employee this would help.

The books dynamik provided will help out. Be sure to give them a read! Good luck with the book.

Thanks a lot y'all. Mailing all this....keep firing if there's more!  

@Kris : That deluge of information was extremely helpful! Thanks.
@3xban : Good old phishing and social engineering, plus movies on hacking and caution not to rip other authors off - check! Thanks.

Herp and derp xD

Ross Anderson also wrote about banking security in his book Security Engineering.  The banking chapter is available online:

http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c10.pdf