Err, yes that works, wait...no, but it could..
Previous poster correct. One password or even ten won't do anything to stop man in the middle attacks. Even the silly feedback "verification image" banks are using doesn't help.
Https was designed to solve middle-man attacks, but relies on
1. user consistently confirming the domain name (bank.com <> my-bank.com)
2. user checks the pad-lock
3. the browser isn't subverted into displaying the above (perhaps a mock up of a browser window showing 1 and 2 inside of the real browser window).
4. the computer hasn't been compromised by a trojan.
However there is hope!
Both parties can exchange keys out of band (ie by using this number spewing card) and a symmetric encryption algorithm could in principal be used to leave all middle-people in the dark.
Actually this could be a sound encryption approach (requiring a browser upgrade). Unfortunately security would still be compromised by a trojan or user could still be tricked into typing the card's dynamic number at a sneaky web site. So this doesn't provide much more security than a careful user banking via https.
Aside to banks: Quit all this login non-sense that doesn't help protect users at all. I already need passwords pins and keys and now I have to actually drag my mouse pointer across the screen to type on a "virtual keyboard"?!? It's very noble of you to try to defeat the keyloggers. However a compromised machine is inherently insecure no matter what. Consider that attackers can also run a mouse logger, or hijack an existing session, or even just record screen shots.