It's not really BankIDs fault. It was discussed when it was discovered that Allra had misused BankID in this way. The BankID will say who/where is trying to log on, and the hijackers trust that users don't read the BankID login screen.

It's a great service and I can't believe shady things like this is allowed.