It appears Traderoute is attempting to employ some sort of anti-phishing protection by displaying user-specific "greeting images" but this makes absolutely 0 sense because the only thing you need to find out a user's greeting image is their username(which is displayed publicly for vendors).
Here, I'm retrieving the "greeting image" for vendor "Sunny987"(they're the top vendor according to the traderoute sidebar, nothing personal): image
Sure, it can be argued that the watermarked captcha on the initial form will deter basic phishing, but this doesn't prevent anyone from scraping popular vendors and going through them by hand.
I don't know if I'm missing the point here or what.
Ideally, you'd enter your login + password on the same page, then -- assuming you entered them correctly -- the personal image would be displayed along with the PGP decryption page (for 2-factor logins anyway). That would prevent what you brought up.
Although I don't know what benefit there is to gathering random vendors' personal images.