Being in the ITSM industry, I can confirm that this isn't a poor practice at all. It's based on the principle of having some identifiable information which is never wholly transmitted together, so if the communication to the bank's servers is compromised this still doesn't compromise the account. Most banks in the UK use this mechanism in addition to a regular password and I, like other posters, have to wrestle with manually looking up this data each time I log in to one of these sites.
Ideally this would be a string in which character indexes are automatically illustrated (being 0- or 1-based would need to be configurable as I've seen both used); however, the login tip approach which Roboform uses is probably the simplest/most flexible mechanism to implement.
I switched from Roboform (which I was very happy with) because they didn't have a Windows Phone application. Now that they do, I'm contemplating switching back because I have to deal with a lot of sites that work in this way, so another +1 for this feature please.