But if it's supposed to be a contraction, then it's I-T-apostrophe-S.
What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?
If you normally access your bank's website by way of https, you wouldn't get redirected because the hijacked website's certificate wouldn't be valid. Other than that, you're just describing phishing.
The only difference between a car salesman and a computer salesman is that the car salesman knows he's lying.