Virtually every website should use https:// all the time
Any website taking customer feedback, offering user login, providing customer specific information, or selling online should enforce https:// from the outset, for all website pages. This applies to most companies and organisations, not just banks and payment card accepting website.
It is not sufficient to make the login page itself “secure”, because a previous page (to the one that is secure) can be spoofed (eg by a man in the middle attack) and populated with links that re-direct the customer to a hoax page (which looks like the real site), but is instead populated with links and fields that capture the customers’ data (eg payment card numbers, expiry dates. CVV2s, mother’s maiden names, passport/Id numbers, whatever) for the fraudster.
One of the worst cases of this weakness in Ireland is Aer Lingus. When making a reservation, all the data is in the clear during the pages where one selects the flight, and it is only after that point that https:// is used. This is a total breach of personal privacy as to where one is travelling to/from – aside from the downstream payment card risks it opens up. This would allow a man in the middle to take over the reservation at that point and take personal information, payment card details, email address etc and complete the process in fraud mode. It is simple matter to copy the corporate colours and logos from the real site and use them in a fake platform.
Phonewatch (a supposed “security” company), which as a feedback form for customers and others with text in the clear on their website. It would be a simple matter for a hacker to redirect the individual to another site that looks like phonewatch, and ask them a few additional “security questions” to gather alarm de-activation codes, and codes to show phonewatch that the person is in fact their customer when requesting an alarm to be ignored and the Gardai etc not to be advised of the alarm event.
Similar issues apply to the payment card verification processes adopted by Irish banks (ie to outsource the verification process which involves the collection of personal data to a site), and while it is over a secure connection, the browser security certificate shown is not one issued to the bank in question. Again it is very easy for a hoax site to show a bank’s logo copied from the real website. If one was so minded, one could start selling iPhoes for €99 online - just to collect a mass of payment card details - as well as other security questions - your DoB, ID/passport number, mother's maiden name, etc.