Over here some banks issue customers a password token device that uses a
combination of your card, a number sent by the web site and a PIN to
generate a one-time password. It seems a reasonable system, and isn't
really new technology. However, while bank web site security may be
on-topic for other lists I suspect it's wandering off-topic for NANOG.
Regular type "fake site" phishing is going to be with us for a long time
yet, but several of the organized crime groups involved are hard at work at
releasing Trojan horses using root kit technology daily, which basically
steal your credentials to every HTTPS site you enter, and report home.
How do banks, ISPs, or whoever else defend from the problem moving to the
user-side? That is a very interesting question indeed. :)