Originally Posted By: macnerd10
Unfortunately it gets "complicater and complicater" on the other end too. Recently, my legitimate Bank of America accounts site with "double" security (password and personalized picture) started displaying a message from iCab that its certificate cannot be verified. When I ignore the message and get it, I see all my transactions in order, which would not have happened in a phisher site unless the bank's site was totally hacked. And no suspicious activity. So, how come such "secure" sites allow this message? Why are the banks so reckless? Beats me.

The phisher site doesn't need to hack the bank's site. Just by way of example...

Suppose the phisher sets up a site at https://www.bankamerica.com. (Notice that the real site is at bankofamerica.) Somehow, they entice you to go there. Or more interestingly, they subvert DNS so that the correct URL resolves to the phisher's site instead of the bank's.

Now they do a classic man-in-the-middle attack. You have a secure (https) connection to the phisher, the phisher has a secure connection to the bank. Everything you say to the phisher, the phisher says to the real bankofamerica. Every answer coming back from bankofamerica is relayed by the phisher back to you.

That includes the login process. You type your password, the phisher makes a note of it, and sends it on to the bank. The bank sees the correct password and figures you're just logging in from a different computer today. It has no reason to believe the phisher isn't you.

You ask to see your account data, so the phisher asks to see your account data. The bank sends it all to the phisher, the phisher sends it all to you. You're seeing what you expect to see (except for some pesky little warning message that you choose to ignore), the bank sees what it expects to see (your valid password), and the phisher sees it all.

You log out, the phisher logs out (so it can show you the correct logout screen), then immediately logs back in and cleans you out.

I've glossed over a few details, chief of which is that bankofamerica won't show that picture to any other computer than the one you were using when you picked the picture. When the phisher logs in from a different computer, it doesn't get that picture and cannot pass it along to you.

And if you requested the correct URL but somehow landed on a bogus site, you will get a message about the certificate being wrong. That's the whole point of certificates. But if they tricked you into going to the wrong site and somehow got their own certificate at that site, there will be no such warning. That's what bankofamerica's login picture is all about, to close that loophole.

But the principle remains. Don't ignore that error message. Don't ignore a missing picture. Just because you see your accounts and your transactions doesn't mean you're really talking (directly) to your bank.