
My bank used to do this, and I never quite understood why. An attacker could easily mimic the site's behavior.

1. Attacker prompts me (or my grandmother) for login name.
2. Attacker gives login name to bank.
3. Bank serves proper image to attacker. Attacker stores image.
4. Profit.




Yes, that type of security image is vulnerable to man-in-the-middle attacks but that is not what was proposed.

The parent poster suggested that all system messages have the security message. The user is not prompted for some sort of id first, they're already using the computer and are presumed to be logged in.

This is the right way to use security images, IMO, although they're still not perfect as others in the thread have pointed out. The way you describe, which I believe BoA uses (just hearsay), is bad security.


The mitigation for that is asking you for a security question before showing you the login image and asking for password.


Can you explain how that fixes the problem? I'm not sure I understand.


It doesn't -- at all -- the obvious workaround is to extend the middleman game a little longer and pass the user's answer to the site.


It does in that if the real site properly stores a cookie that records that you've logged in from there before, the number of times that the user is asked for such questions goes down, increasing suspicion when the user actually IS asked for them.

Security is never about 100% guarantees. It's about reducing the exploitability and impact of weaknesses.
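As an added illustration of the mitigation described in the two replies above (not code from any poster or bank), this models the server-side decision: a device-recognition cookie, bound to the username with an HMAC, lets the site show the security image only on a device that has already passed the security question; an unrecognized device, a tampered cookie or another user's cookie gets the challenge instead. The server key, user record and field names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo data; a real deployment keeps these in its user store and a secret manager.
SERVER_KEY = b"demo-server-key-not-for-production"
USERS = {"alice": {"image": "sailboat.png", "answer": "rover"}}


def issue_device_cookie(username):
    """Mint a device-recognition cookie bound to one user: random nonce plus HMAC tag."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{username}:{nonce}:{tag}"


def device_recognized(cookie, username):
    """True only if the cookie is untampered and was minted for this username."""
    if not cookie or cookie.count(":") != 2:
        return False
    cookie_user, nonce, tag = cookie.split(":")
    expected = hmac.new(SERVER_KEY, f"{cookie_user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and cookie_user == username


def login_step(username, cookie=None, answer=None):
    """What the site does once it knows the username.

    Returns (action, image, new_cookie):
      'challenge'  - ask the security question; the image is not revealed yet
      'show_image' - device is trusted; show the image and ask for the password
    """
    user = USERS.get(username)
    if user is None:
        # Unknown user: behave like an unrecognized device so nothing is revealed.
        return ("challenge", None, None)
    if device_recognized(cookie, username):
        return ("show_image", user["image"], None)
    if answer is not None and hmac.compare_digest(answer, user["answer"]):
        # Correct answer from a new device: reveal the image and remember this device.
        return ("show_image", user["image"], issue_device_cookie(username))
    return ("challenge", None, None)
```

With the cookie in place the user sees the question only on genuinely new devices, which is what makes an unexpected challenge suspicious.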


It mitigates a little. It should make you a little suspicious if the site suddenly starts complaining that you're accessing it from an unrecognized computer if you really haven't. I'd close the tab in that case.


It doesn't. The entire idea is seemingly cheap and ridiculous. Digital security is going to change dramatically in the near future.




