There’s a story in today’s CNET about banks issuing authentication tokens (like SecurID cards) to customers to address customer authentication issues.
While these are useful, insofar as they will make phishing harder, they won’t stop it. Phishing will transform into an online, in-the-moment crime, which will be easier to catch. But work by Amir Herzberg and Ahmad Gbara, or by Ian Grigg, demonstrates how to solve the problem. (Having the browser remember certificates could also help.) For what banks will spend to ship and support these ID tokens, they could fix the browsers and require upgrades, like they used to for 40-bit SSL.
If you’re going to use a token, it’s worth considering something like the WikID ones, which are mobile-phone based.
Oh, wait, I’m repeating myself. Dang.