If you are not certain about the security of your online transactions then its best to simple not do it. Each bank has different security policies, if you don't think your bank is up to par then it would be a good idea to switch banks. My bank uses a one time pin that expires after each session. The pin gets sent to my phone either via a phone call or a text. So even if some one were to get my account info they would need to some how get my phone to get the security pin. If they can manage to get those things then I deserved to get hacked. I don't trust online banking so I really don't use it much. In fact I haven't logged in since I opened the account. I get text messages from my bank telling me my transactions. No account information is sent, just the dollar amounts.

A VM is just as susceptible to malware as any physical computer. You best security is a mix of common sense and a good security policy, i.e long passwords with a mix of upper and lowercase letters, numbers, and if allowed symbols; clearing your history on a regular basis; don't surf any questionable sites; and stay up to date. Always check for ssl connections too!!