Another solution could be to add an extra digit representing the type of information you are signing.
Say,
1 for login,
2 for an account number, and
3 for an amount.
Then, making sure that the personal token tells the user what kind of information he is signing (flashing 'login', for instance), you could avoid most phishing attacks like you described (unless, of course, if the phisher has access to an account that you've already signed, which seems rather difficult to get)
Slashdot Mirror
Another solution could be to add an extra digit representing the type of information you are signing.
Say,
1 for login,
2 for an account number, and
3 for an amount.
Then, making sure that the personal token tells the user what kind of information he is signing (flashing 'login', for instance), you could avoid most phishing attacks like you described (unless, of course, if the phisher has access to an account that you've already signed, which seems rather difficult to get)