by underscore
6533 days ago
The actual report is here: http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf

I wonder what sort of attack they had in mind to exploit the fact that contact information and security advice was on an insecure page? A man in the middle attack is what came to my mind, but it is early, and I may be missing something obvious. I skimmed the paper, but didn't see any specifics.

I'd think BofA were a lot cooler if they gave me the option to upload a PGP key, and then used it to encrypt any emails that they send my way. It'd solve the snooping email server admin problem, and, assuming that they signed their messages and kept their private key safe, would make it a lot easier to spot phishing. I guess there's not enough demand for that, though.