Citibank are the target of this particular attack. The phishing site asks Citibank customers for a user name and password, as well as the token-generated key. But the site is a MITM: it uses the customers details and the key to log in to the real Citibusiness site.
Authentication is a critical element in digital identity infrastructure, but it needs to work end-to-end. PKI is one way of doing this (see, for example, the newly-rebranded IdenTrust). I hate to harp on about smart cards, but if your private key never leaves your smart card (or smart thingy of some description), then the messages from the bank can be encrypted and signed all the way to that smart card. A MITM can’t use them.
An interesting example of this architecture is the use of Bluetooth smart card readers to provide authentication to other personal devices. This is now being used by the DoD to provide authentication for Crackberrys using CAC cards. We looked at this solution for a client back in 2003 (not for CAC cards but for a commercial solution), but at that time the readers were too expensive for the particular application: so either the costs have come down or the DoD is less price-sensitive than our client was!
The 2004 paper, which provides a useful introduction to EMV-based token authentication, is here…