The security is up to the bank. Some banks implement "something you have" security which mitigates the risk.

I have Australian and UK bank accounts. Both require Verified by Visa. The Australian account asks me to enter a single-use number from a battery-powered token. The UK account asks me to enter three randomly-selected digits of my password. The former is obviously immune to phishing attacks. The latter is not completely, but to get the complete password would require several sessions. Neither of them is immune to MITM attacks, but I'm not sure how MITM would help an attacker here: VbV authorises a transaction but doesn't allow you to place one. You can't do anything with the information you have snooped upon because it's single-use (in the first case) or because you don't have enough of the password (in the second case).



