by alkonaut 3207 days ago
That would require HSBC to value some kind of improved security so much that they'd accept not having the HSBC logo in the email. That's what I think is out of the question.

You could maybe see banks having plaintext communication as an option, but I doubt they'd make it the default (allowing users to switch to HTML).

Isn't this problem already solved with certificates online? Shouldn't this be solvable the same way? E.g. a bank sends an email containing a link to the content with some special attribute. The web browser displays the content if and only if the sender domain of the email (e.g. hsbc.com) is also the domain from which the content will be downloaded.

2 comments

Problem is you've already received the rogue html before accessing the secure webpage. It's a shame email signing and encryption never took off.
The solution assumed mail clients would be adapted to enforce this. So if you send me a forged email claiming to be from hsbc, the mail client would allow showing html content only from a https connection to somewhere on hsbc. Kind of like the same-origin policy but where the origin is the domain the email claims it came from.
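The mail-client policy sketched in the comment above, written out as an added example (not code from the thread or from any mail client): the domain of the From: header is treated as the message's "origin", and every remote reference in the HTML body is dropped unless it points at that domain (or a subdomain) over https. The names, the sample messages and the `hsbc.com` body URLs are constructed for illustration; the real HSBC hosts are not known to this example.

```python
import html
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value makes a mail client fetch (or post to) something remote.
REMOTE_ATTRS = {"src", "href", "action", "background", "poster"}


def sender_domain(from_header: str) -> str:
    """Bare, lower-cased domain of the From: header, i.e. the claimed origin."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower().strip(".")


def same_sender_origin(url: str, domain: str) -> bool:
    """Allow only https URLs whose host is the sender domain or a subdomain of it."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    # endswith("." + domain) keeps "hsbc.com.evil.example" out while allowing "static.hsbc.com".
    return host == domain or host.endswith("." + domain)


class SenderOriginFilter(HTMLParser):
    """Re-serialises HTML, removing any remote reference outside the sender origin."""

    def __init__(self, domain: str):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.domain = domain
        self.out: list[str] = []
        self.blocked: list[str] = []

    def _tag(self, tag, attrs, self_closing=False):
        pieces = [tag]
        for name, value in attrs:
            if name.lower() in REMOTE_ATTRS and value is not None:
                if not same_sender_origin(value, self.domain):
                    self.blocked.append(value)
                    continue  # attribute dropped: nothing is fetched for it
            # HTMLParser unescapes attribute values, so re-escape on output.
            pieces.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    # Comments, doctypes and processing instructions are silently dropped.


def render_policy(from_header: str, html_body: str):
    """Return (sanitised_html, blocked_urls) for one message under the sender-origin policy."""
    f = SenderOriginFilter(sender_domain(from_header))
    f.feed(html_body)
    f.close()
    return "".join(f.out), f.blocked


# Constructed sample messages (not real mail).
GENUINE = (
    "HSBC <alerts@hsbc.com>",
    '<p>Statement ready.</p><img src="https://static.hsbc.com/logo.png">'
    '<a href="https://www.hsbc.com/login">Log in</a>',
)
FORGED = (
    '"HSBC Security" <alerts@hsbc.com>',  # header forged; content hosted elsewhere
    '<img src="https://hsbc-online-secure.example/logo.png">'
    '<a href="http://www.hsbc.com/login">Log in</a>'       # right host, but plain http
    '<img src="https://hsbc.com.evil.example/logo.png">'   # look-alike suffix trick
    '<form action="https://collector.example/submit"><input name="pin"></form>',
)

if __name__ == "__main__":
    for frm, body in (GENUINE, FORGED):
        rendered, blocked = render_policy(frm, body)
        print(frm, "->", rendered, "| blocked:", blocked)
```

The genuine message renders unchanged, while the forged one loses its off-origin image, its non-https login link, its look-alike-domain image and the credential-harvesting form action, leaving only inert markup. The policy only constrains where content may come from; it says nothing about whether the From: header itself is honest, which is why the thread's other reply points at signing.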
They could still have the HSBC logo, it would just need to be in ASCII...