by harshavr 5908 days ago
Some banks display a customer preselected image after the user name & before entering a password. This seems to be a good solution to phishing if one keeps the username private. Otherwise a site could give you the option of using two part passwords.

... and a study a while back showed that, if you simply don't show that image, a large majority of users don't notice. For this reason, the whole "sitekey" phenomenon strikes me as a waste of time.
This? http://usablesecurity.org/emperor/ - it is an interesting read.

It should also be noted that it's not even a 25% benefit for them, but it does help security, even if slightly. I think lowering phishing 1% could be massive for any major bank.

Isn't this incredibly simple to defeat? The phishing site can send your username to the real bank's website and retrieve the image.
If you do that, the bank will notice a bunch of connections from the same IP for different usernames.

You could use a botnet to do the lookups, but that still makes the attack substantially more difficult.
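As an added example (not code from the thread or any bank), here is the kind of check the reply above alludes to: flag a client IP that requests the pre-password sitekey image for many distinct usernames within a short window. The log format, field names and thresholds are assumptions.

```python
"""Flag IPs that look up sitekey images for many different usernames.

Added example, not from the thread. Assumes a constructed log format with
one line per pre-password image lookup: <epoch_seconds> <client_ip> <username>
"""
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.5 queries six usernames within a few seconds,
# while 203.0.113.9 only ever looks up its own account.
SAMPLE_LOG = """\
1000 10.0.0.5 alice
1001 10.0.0.5 bob
1002 203.0.113.9 carol
1003 10.0.0.5 dave
1004 10.0.0.5 erin
1005 10.0.0.5 frank
1006 10.0.0.5 grace
1400 203.0.113.9 carol
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, username) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split()
        events.append((int(ts), ip, user))
    return events


def flag_enumerating_ips(events, window=300, max_distinct_users=5):
    """Return {ip: peak distinct-username count} for IPs that looked up more
    than `max_distinct_users` different usernames inside any `window` seconds.
    Events must be sorted by timestamp. Thresholds are assumptions; shared
    NAT or proxy egress addresses legitimately serve many users, so in
    practice they need an allowlist or a higher per-IP threshold."""
    recent = defaultdict(deque)  # ip -> (ts, user) pairs still inside window
    flagged = {}
    for ts, ip, user in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) > max_distinct_users:
            flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(flag_enumerating_ips(parse_log(SAMPLE_LOG)))  # {'10.0.0.5': 6}
```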