Another funny observation I had was about ING’s anti-phishing security mechanisms and usability. They make you use an annoying, long numeric ID as your login ID (you can’t change it to an easily remembered one), which you are unlikely to memorize, so you have to write it down or use Password Safe to recall it. By making account IDs a secret, they are hoping to buy additional security through obscurity.

However, they recently added a feature on the site (likely because of the usability problems with people not knowing or remembering their login ID) where you can enter some static identifying information (SSN, zip code, birthdate) and they will then pre-populate your customer login ID. I use this often: although you have to type in more information, the usability is better because it is faster than looking up my login ID. But they have now created a great target for phishers, one that can undo all the benefits of the hidden login ID and the additional measures on the site, because this lookup feature is not protected by their RSA/Cyota eStamp the way their login dialog is, so a phishing page has nothing to imitate beyond a plain form asking for that same static information.