by derefr 4882 days ago
Theoretically, the image could be stored as a blob in your localStorage, encrypted with the server's public key. When you go to the bank's site, a bit of AJAX pops it up to them, they decrypt it server-side, then serve it back to you as an image (all over SSL, please.) The phisher can try to do all the same steps, but without the originator's private key, they'll be left with a useless encrypted blob that can't be turned into a servable image.

Will never happen because it would make it way too hard to access your account on other computers.
The way this mechanism works, you're supposed to go through the image personalization step on each computer you access the account with anyway. (And if you use localStorage, that makes it per-browser).