I’ve been having a two year battle with a bank of mine in Spain trying to convince them to improve the security of their web authentication. My beef was that the default logon form appears on a non-SSL page, and even though it gets posted to an SSL target, I thought the details were being passed in the clear.
When in doubt, post your query at Sitepoint. I had a lot of informative answers, but what did it for me was downloading a free Windows packet sniffer and checking out exactly what was going on.
I used something called etherdetect, which you can also grab from tucows. Aside from a few ‘trial version’ messages it really does a great job, and I recommend ‘playing’ with it to all web developers.
Anyways, it turned out I was wrong; more details of the discussion are over at this Sitepoint thread.
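As an added example (not code from the post or the Sitepoint thread), a small Python check for the situation described above: it parses a page for forms containing a password field and reports whether the POST target and the page itself are served over HTTPS. The bank URLs and the HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect each <form> and note whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form: is the POST target https, and
    was the page itself served over https?  Posting to https keeps the
    credentials out of clear text on the wire, but a plain-http page can
    still be altered in transit, so a clean result needs both to be True."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        if form["has_password"]:
            target = urljoin(page_url, form["action"])  # empty action = same URL
            findings.append({
                "action": target,
                "post_encrypted": urlparse(target).scheme == "https",
                "page_encrypted": page_https,
            })
    return findings


# Constructed sample: the pattern from the post, a login form on an http
# page whose action is an https target.
SAMPLE_HTML = ('<form action="https://online.example-bank.test/login" method="post">'
               '<input name="user"><input type="password" name="pin"></form>')
```

Running `audit_login_forms("http://www.example-bank.test/", SAMPLE_HTML)` reports the POST as encrypted but the page as not, which is exactly the split the bank and the sniffer disagreed about.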