
It's not consecutive characters, it's a random set of three. One time it might ask me for the 1st, 6th, and 8th characters. The next time for the 6th, 7th, and 9th. Passwords are required to be at least 8 characters and contain a mix of letters and numbers.

Phishing attacks are difficult because the attacker would have to be able to determine which bank a card was issued by, and present the correct 3D Secure interface specific to that issuer. Many issuers also add a customer-personalised image or message to the interface to further reassure customers of authenticity.



This further suggests to me your bank is storing your password in plaintext or reversibly encrypted, which is not secure at all.

The only alternative I can think of is that they'd also create and store a hash of every possible three-letter combination based on your password, which does not seem likely.
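The alternative described in the comment above, sketched as an added example (not part of the thread and not any bank's code): one salted hash per three-position subset of the password. The function names, the PBKDF2 parameters and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from itertools import combinations

ITERATIONS = 10_000  # assumed work factor, kept low so the sketch runs quickly


def _digest(chars: str, positions: tuple, salt: bytes) -> bytes:
    # Bind the positions into the hashed material so one record
    # cannot be replayed against a different challenge.
    material = (",".join(map(str, positions)) + ":" + chars).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def enrol(password: str, k: int = 3) -> dict:
    """Store one salted hash per k-position subset (1-based, ascending)."""
    salt = os.urandom(16)
    records = {}
    for positions in combinations(range(1, len(password) + 1), k):
        chars = "".join(password[p - 1] for p in positions)
        records[positions] = _digest(chars, positions, salt)
    return {"salt": salt, "records": records}


def verify(store: dict, positions: tuple, answer: str) -> bool:
    """Check the characters typed for one challenge, e.g. (1, 6, 8)."""
    expected = store["records"].get(tuple(positions))
    if expected is None:
        return False
    actual = _digest(answer, tuple(positions), store["salt"])
    return hmac.compare_digest(expected, actual)


def guesses_per_record(alphabet_size: int = 62, k: int = 3) -> int:
    # Each record protects only k characters, however long the password is.
    return alphabet_size ** k


if __name__ == "__main__":
    store = enrol("s3cretpw9")              # constructed sample password
    print(len(store["records"]))            # records kept for 9 characters
    print(verify(store, (1, 6, 8), "stw"))  # 1st, 6th and 8th characters
    print(guesses_per_record())             # candidates per record, a-z A-Z 0-9
```

A 9-character password needs 84 records, and because each record covers only three characters of a letters-and-digits alphabet, anyone holding the table faces 238,328 candidates per record regardless of salting or work factor.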



