What attack is a financial institution seeking to counter by asking its customers to confirm...?
What attack is a financial institution seeking to counter by asking its customers to confirm that they see their expected security picture (a hot red sports car or a plate of cookies) before entering sensitive data?
Answers (5)
Interesting you ask this question...
Just yesterday I noticed that BofA is no longer doing this. I miss seeing my old picture when I logged in.
It's to prevent spoofing. Let's say you get an email from your bank telling you to log in to correct an issue. You click on the link and it looks like your bank's website. So, you put in your username and then your password...but nothing happens. Well, something did happen, a scammer/hacker made something that looked like your bank's login page and now has your login information.
By choosing a picture associated with your account, you can see that the website you are visiting is legit and hasn't been spoofed since that picture is different for every account holder...
That is a security measure to confirm you are a person, not a robot.
Supposedly protecting the user from fake sites rather than protecting the bank from attackers. If you go to your bank's site and DON'T see your picture, then you're at a fraudulent site trying to trick you into giving up your credentials.
Of course, that only works for people who A) remember what their picture is, and B) are actively thinking about it to look for it. I myself am pretty tech savvy and I don't think to look for it when I log into a site that uses them. So I can't imagine many other people are.
Archived: 2021-04-24 00:59:32
Original link [permanently dead]:
https://hk.answers.yahoo.com/question/index?qid=20180201171226AAUMq0Z