What banks can do and why that would help their customers

Currently, banks have a difficult time educating their customers about what is safe to do and what is not safe to do when attempting to interact with their bank. If banks do some simple things, it could help simplify the message to customers. Here are the policies that banks could use:

1. Use SSL to protect their entire site and deliver all content. EV SSL certificates may be even better. See the following article: http://www.digicert.com/extended-validation-ssl.htm 
2. Use a single domain for all parts of the site that you are asking users to trust or interact with. For example, the login credentials should be on a page that clearly belongs to the bank. (Note: It is possible to do so while working with an external service provider by proper use of SSL certificates.)

Once most banks do that, the message to educate the customer becomes very simple. Here is the message to customers:

1. Customer should ALWAYS check that the URL for their bank starts with HTTPS. Otherwise, assume it is NOT from the bank.
2. Customer should always check the hostname in the URL is the bank's (show pictures to explain this). If it is not, assume the page is NOT from the bank despite the https.

We believe this simple steps can help make a dent in phishing and identity theft, saving banks a lot more money than spent on making the changes to be compliant with the above policies.

The changes should be simple to implement by your service provider and web master, but may require acquiring new certificates. It is all fairly standard technology.