Re: Are Major Banking Sites Insecure?

>> Web pages that do not use this type of secure connection are
>> vulnerable to a type of attack known as DNS (Domain Name System)
>> spoofing, where attackers attempt to trick Web browsers into visiting
>> bogus Web sites.
>
> And if you don't read the certificates, you won't notice that you
> expected to be connected to Chased Bank and you're really connected to
> Henry's House of Hashish and Aftermarket Biological Weapons.

You're right, most people don't pay attention to the certificate warnings, and even if they did they wouldn't understand how to determine if it was a legitimate concern or not. I, however, do. American Express always has an annoying SSL cert misconfiguration of some sort or other from time to time. I know they have these problems; however, I still check them when they occur. If it had been someone like, say, my mom, I'm sure she wouldn't have a clue.

> Bank of America has an interesting setup to avoid spoofing and
> man-in-the-middle attacks, and it involves the user a bit more.

That's pretty interesting, but it still doesn't do anything about any type of keylogging software that might be on the machine. This is one of the reasons I now will never use public computers while traveling, or even friends' machines. I always explain to them that it's not that I don't trust them, I just don't trust what they may not know is running on their computer. So, I boot a known quantity (Knoppix Linux) and use that to do any banking. You would be amazed, however, at the number of ignorant internet cafe owners that are 1) "confident" they have no viruses/trojans and 2) so hard-headed and ignorant they won't allow you to boot a live Linux CD (that's the point where I walk out of the place and find somewhere else).

Citibank UK (apparently not in the US, I just checked their page) has implemented what seems to be, on the surface, a good system against keyloggers. However, it is crap. They pop a Java "keyboard" applet up, not only every time you enter your password to log in, but EVERY time you do any type of transaction in your accounts once you are already logged on. The keyboard they present to you would be very visible to anyone standing over your shoulder, and it is time-consuming/cumbersome to enter your password. I have argued with them over this extensively that this, in and of itself, exposes you to someone "shoulder surfing" your password. They could do what my friend has told me Banco do Brasil is doing and randomize the keyboard, along with making the letters very faint so they are hard to view from afar.

There is another, more complex attack that could probably be done against this Citibank UK "virtual keyboard": it wouldn't be hard for someone to map the mouse movements and determine what the password was by taking the letters on the furthest extremes, take a guess the first time, and if that doesn't work simply shift the mapping once or twice (this would depend on how closely grouped the letters in your password were; the further apart, the easier it would be to guess it quickly). Something else which would likely work (I am not sure about this) would be to attach a debugger to the JVM on the machine and simply grab the password through this method; after all, if they have compromised the machine locally they should be able to do this. Randomizing the keyboard would also solve, at least, the mouse movement mapping attack.

As noted, Citibank UK and US both do things differently, for not only their banking sites but also their credit card sites. The UK banking site uses a completely different login system, the UK credit card site uses another, and the US banking/credit card systems seem to use a common one. How is that for consistency, even within the same company?! This is a big problem without an easy solution, but maybe it could be mitigated by having banks adhere to a standard for online authentication processes rather than such a mixed bag. The sum of what could be agreed upon as secure would hopefully turn out to be much better than any of the half-assed systems they're using today, and if nothing else would only require "user training" as to what is "bad" and "good" once; most non-technical people just can't deal with too much complexity when it comes to things like this, and that is why they always click "OK" regardless.

P.S. One thing I would love while travelling would be "revocable one-time passwords" for sites like this. You request from a known safe computer, say, 10 one-time-use passwords/tokens, then take them with you. If they get lost/stolen you can immediately cancel/revoke these so they can't be used. This would at least allow you to use, relatively securely, an "unfriendly" computer in a situation where you have little choice.

B. Wright
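The "revocable one-time passwords" scheme from the P.S. above, as an added example that is not part of the original post and is not any bank's code: a server-side store that issues a batch of single-use tokens from a trusted session, keeps only their hashes (so a database leak does not hand out usable tokens), consumes each token at most once, and lets the owner revoke the whole batch if the printed list is lost. The batch size, token length and the `OtpStore` API are assumptions made for this illustration.

```python
"""Revocable batches of one-time passwords (added example, not the post's code).

Assumptions (not from the post): a server keeps, per user, a list of batches;
each batch holds SHA-256 hashes of tokens that have not yet been used. Plaintext
tokens exist only on the trusted machine at issue time.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 8  # 64 bits of randomness per token (assumed size)


@dataclass
class Batch:
    batch_id: str
    unused_hashes: set = field(default_factory=set)  # hashes of tokens not yet spent
    revoked: bool = False


class OtpStore:
    """Server-side state for issued one-time tokens (hypothetical API)."""

    def __init__(self):
        self._batches = {}  # user -> list[Batch]

    @staticmethod
    def _hash(token: str) -> str:
        # Store a digest, never the token itself: a leaked table is not a login.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, count: int = 10):
        """Mint a batch from a trusted session; the plaintext list is shown once."""
        batch_id = secrets.token_hex(4)
        tokens = [secrets.token_hex(TOKEN_BYTES) for _ in range(count)]
        batch = Batch(batch_id, {self._hash(t) for t in tokens})
        self._batches.setdefault(user, []).append(batch)
        return batch_id, tokens

    def revoke(self, user: str, batch_id: str) -> bool:
        """Cancel a batch (e.g. the printed list was lost); returns True if found."""
        for batch in self._batches.get(user, []):
            if batch.batch_id == batch_id:
                batch.revoked = True
                batch.unused_hashes.clear()  # nothing left to spend even if flag is ignored
                return True
        return False

    def consume(self, user: str, token: str) -> bool:
        """Accept a token exactly once; rejects replays, unknowns and revoked batches."""
        digest = self._hash(token)
        for batch in self._batches.get(user, []):
            if batch.revoked:
                continue
            if digest in batch.unused_hashes:
                batch.unused_hashes.remove(digest)  # spent: a second use fails
                return True
        return False

    def remaining(self, user: str) -> int:
        """How many unspent tokens the user still has across live batches."""
        return sum(len(b.unused_hashes)
                   for b in self._batches.get(user, []) if not b.revoked)


def demo():
    """Walk through the traveller's scenario; returns the outcomes for inspection."""
    store = OtpStore()
    batch_id, tokens = store.issue("traveller", count=3)   # at home, trusted machine
    first_use = store.consume("traveller", tokens[0])       # at the cafe
    replay = store.consume("traveller", tokens[0])          # keylogger replays it
    store.revoke("traveller", batch_id)                     # list reported lost
    after_revoke = store.consume("traveller", tokens[1])
    return {"first_use": first_use, "replay": replay, "after_revoke": after_revoke}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that a captured token is worthless after its single use, and the remaining tokens can be made worthless the moment the owner reports the list lost, which is exactly what a keylogger on an untrusted machine cannot defeat.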
