Remember my previous post on this topic. I went back to the postbank site to see if things had improved. Turns out they have not. Here is a screenshot from the page explaining the SecureCode. Its all about the footnote (the last line on this screenshot).
The last line reads:
Caution: When you click on this link you will be lead to a website that has no Postbank address. Check wether the address starts with https://postbank.arcot.com. With that you will have a safe connection to register your Secure code
I will not be repeating my argument that notifying, from a non-http- secured page, to a https page breaks users expectation (why would you trust postbank.arcot.com over of postbank.secure-bank-services.com). Instead, I want to highlight that if you click on the link that displays “https://postbank.arcot.com/” you actually get redirected via a non secured link like http://www.postbank.nl/ing/pp/page/external_link/redirect/0,3042,1859_180483_849292156,00.html?ExternalLinkId=849292156
Again, that is unnecessarily complex and confusing for users.
Controleer of het adres begint met https://postbank.arcot.com Hiermee heeft u een veilige verbinding om uw SecureCode te registreren.
Edit April 8, 2012: Clean-Up HTML code.
Remark April 8, 2012: While this is not common practice with any Dutch bank I know of I have seen this type of practice elsewhere.