That they don't know what the site key pic is that you have personally chosen from a long list of available ones and that they don't know the tag line you've personally added to the pic. They aren't going to get that easily. They can get your user name and pwd by creating a fake logon page that looks like BA.
I don't see how it's the perfect method, when the hacker doesn't know the image or tag line for the image that you created.
There are shady
That added step alone isn't going to prevent all the possible ways, no. But without it, I could create a hack webpage that looks like the BA sign-on page. So, without it, you put in your logon name and pwd. Now the hack site has both. With the image challenge, you put in your name and if you don't see the correct image and tag line, you know something is up. That's what caused Micky to become concerned: he didn't see the challenge image and his tag line. I think it's a good idea, because with other sites, many times the webpage has changed or the web address that shows up in the address bar seems different, leading me to wonder, is this really Amex, etc., or a hack attempt? With BA, once I see my image, I'm confident it's really BA.
The analogy here would be you call someone and before starting your private conversation, the person you called has to tell you the pass phrase that only you and they know to prove that you've really called them and not someone else.