But if it's supposed to be a contraction, then it's I-T-apostrophe-S.
What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?
If you normally access your bank's website by way of https, you wouldn't get redirected because the hijacked website's certificate wouldn't be valid. Other than that, you're just describing phishing.
If the facts don't fit the theory, change the facts. -- Albert Einstein