I also suggest we start using utilities that can foil the mission of the criminals by working well in an infected environment and being resistant to manipulation, usually by working close to the operating system kernel level.
Your HIPS suggestion is good, and I also recommend a good password encryption manager, and a keyboard/video scrambler to thwart the spies you will inevitably contract from normal web existence. I have no affiliation with Keyscrambler, but it is the only one I've tested that blocks every spy engine scheme that is known. Rapport is gaining a good reputation for providing a good browser "bubble" that is resistant to the same, but also blocks several types of attempted browser manipulation, up to and including SSL session riding.
For merchant sites that wish to reduce the kinds of problems that can happen in today's threat environment, it can't hurt to provide a rock-solid multi-factor authentication scheme also. One of the simplest and most creative of these I've seen in a while is Passwindow, which seems to have a lot going for it, even for mobile devices, and I quite frankly think it has "chip-and-pin" beat in this arena. Once again I will state that I have no affiliation with any of these companies, and my opinion is simply one of experience and observation.