Major Swedish bank SEB serves their public site HTTP, with no HTTPS version available. The front page http://www.seb.se has a big Login button that then takes the user to the secure HTTPS part of their site, where the user then logs in. I hope to be able to explain why this is bad for users because it gives Attackers more opportunity. I hope to convince SEB to acknowledge this and stop serving their public site over HTTP, going HTTPS only. I started noticing this problem a few years back, contacted them a year ago or so for deaf ears, contacted them again recently and kindly got a person listening to me but I failed to get an acknowledgement of any sort. I proposed that I write something up instead.
Victim normally logs onto internet bank by typing www.seb.se into URL bar in web browser, either typing it out fully or just part of it and selecting the auto-completed URL. Alternatively, Victim has put a bookmark on http://www.seb.se, and clicks that bookmark to come to the front