by Natanael_L 3739 days ago
> In addition, the iframe pops up a memorable message I can configure to verify that it's a frame from the bank. Even in the absence of SSL this would be safe.

No, they can do a replay attack on this setup when not encrypted.

It's a transaction-bound, short-lived, one-time token. Nothing you can replay.

The memorable message isn't.

Sure, but that memorable message is not really all that useful on a non-SSL page, but it's also not particularly important from a security point of view.