SSL phishing Article

I read an interesting article on phishing last week over at Netcraft which seems to show that it is possible for a phisher to create an SSL session and display the familiar padlock without having a valid certificate. However, I've since seen some disagreement about whether the "plain text" SSL method would actually work in that way; one dissenting view is at rtfm.com.
So it remains to be seen whether this is actually a problem. If it is, it will be a blow to a lot of the advice handed out by banks on this subject, since it is usually accepted that the best way of telling whether you are at the correct site is to examine the certificate.

However, whilst it may be the best way in a browser situation, I am not sure it is a good way. It relies on users understanding domain names, at least to a limited extent, so as to realise that a certificate issued to www.mybank.com is NOT the same as one issued to www.my-bank.com, which is a pretty hard point to get across to non-technical users. A look-alike domain is cheap to register and can carry its own perfectly valid certificate, so the padlock on its own only tells you that the connection is encrypted to whoever owns that name, not that the name is your bank's.
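To make the point concrete, here is the name check a browser performs when it validates a server certificate, written out as an added example (this is not code from the original post or from any browser). The certificate subjectAltName lists below are constructed: one for the real bank and one for a phisher who has obtained a certificate for the look-alike name. Both pass the check for their own hostname; nothing in the check itself distinguishes mybank from my-bank.

```python
# Added example, not from the original post: the hostname-matching step of
# certificate validation (dNSName entries, single-label wildcard rules as in
# RFC 6125 section 6.4.3). All certificate data below is constructed.

def _label_matches(pattern, label):
    """Match one DNS label; '*' is honoured only as a whole label."""
    return pattern == "*" or pattern == label


def hostname_matches(hostname, dns_names):
    """Return True if hostname is covered by one of the certificate's dNSName entries."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        # A wildcard may appear only in the leftmost label, and never for a
        # name as short as "*.com" (that would match every site in the TLD).
        if "*" in pat_labels[1:] or (pat_labels[0] == "*" and len(pat_labels) < 3):
            continue
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


# Constructed certificates: what the real bank's certificate names, and what a
# phisher's CA-issued certificate for the look-alike domain would name.
BANK_CERT_SANS = ["www.mybank.com", "mybank.com"]
PHISH_CERT_SANS = ["www.my-bank.com"]


if __name__ == "__main__":
    for host, sans in [("www.mybank.com", BANK_CERT_SANS),
                       ("www.my-bank.com", BANK_CERT_SANS),
                       ("www.my-bank.com", PHISH_CERT_SANS)]:
        print(f"{host:18} against {sans}: {hostname_matches(host, sans)}")
```

The check is purely mechanical: the padlock appears whenever the name in the address bar matches the name in the certificate. Telling www.mybank.com from www.my-bank.com is left entirely to the user, which is exactly the step non-technical users struggle with.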

There are ways, however, that banks and other institutions can make this kind of attack more difficult to execute. One option is to use a two-stage login procedure and provide personalised feedback after the first page; if the user doesn't see that feedback, they know something is not right.

So for example, the bank asks for login name and password. Once the user enters that, he gets a screen saying something like "Welcome back Mr Jones, the first line of your address is 1 Acacia Avenue" and is asked for a second authenticator. A phishing page that merely copies the bank's login form cannot show that line, because it does not know the user's address; to show it, the phisher would have to relay the first stage to the real bank in real time, which raises the bar from a static copy of the site to a live man-in-the-middle.
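The two-stage flow above, as an added server-side model (this is example code, not the original post's or any bank's implementation). The user record, salt and greeting are constructed; the second authenticator is assumed to be two characters of a memorable word chosen per session, which the post does not specify. The key property is that the personalised message is only released after the password verifies, and the second stage only accepts a session that passed the first.

```python
# Added example, not from the original post: a minimal two-stage login where
# personalised feedback is shown between the two authenticators. User data,
# salt and the memorable-word second factor are constructed assumptions.
import hashlib
import hmac
import secrets


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt-0001"  # constructed; real systems use a random salt per user

# Constructed user record: password hash, a fact only the bank knows, and the
# memorable word used for the (assumed) second authenticator.
USERS = {
    "jones": {
        "salt": _SALT,
        "pw_hash": _hash_pw("correct horse", _SALT),
        "greeting": "Welcome back Mr Jones, the first line of your address is 1 Acacia Avenue",
        "memorable_word": "acacia",
    }
}

# session id -> state; a phishing page that copies the form has no access to this.
SESSIONS = {}


def stage1(username, password):
    """Stage 1: verify the password. Only on success is the personalised
    feedback released, together with the prompt for stage 2.
    Returns None on failure (with no hint as to which part was wrong)."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw_hash"]):
        return None
    word = user["memorable_word"]
    # Ask for two characters of the memorable word (0-based positions), chosen per session.
    positions = sorted(secrets.SystemRandom().sample(range(len(word)), 2))
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "stage1_ok": True, "positions": positions}
    return {"session": sid, "message": user["greeting"], "prompt": positions}


def stage2(sid, chars):
    """Stage 2: check the memorable-word characters. Valid only for a session
    that passed stage 1, and each session allows a single attempt."""
    sess = SESSIONS.pop(sid, None)
    if sess is None or not sess["stage1_ok"]:
        return False
    word = USERS[sess["user"]]["memorable_word"]
    expected = "".join(word[i] for i in sess["positions"])
    return hmac.compare_digest(expected.encode(), chars.lower().encode())


if __name__ == "__main__":
    r = stage1("jones", "correct horse")
    print(r["message"])
    answer = "".join("acacia"[i] for i in r["prompt"])  # what Mr Jones would type
    print("stage 2 accepted:", stage2(r["session"], answer))
    print("bad password gives:", stage1("jones", "wrong"))
```

Note what the model does and does not buy. A static phishing page cannot produce the greeting because it has no USERS record, so a user trained to expect it has a visible signal. A phisher who relays the stage-1 credentials to the real bank can forward the genuine greeting, so the scheme raises the cost of the attack rather than eliminating it; the address line should also be something the phisher cannot easily look up elsewhere.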

About this Entry

This page contains a single entry by Rory2 published on March 21, 2004 10:24 AM.

Software security Books was the previous entry in this blog.

Analogies in the Security World is the next entry in this blog.
