We're seeing active discussion online about the possibility of hijacking a single frame in a production site to steal logins or PII. The scenario is that a criminal gang would redirect this frame (through DNS poisoning, let's say) and populate it with its own content from servers under its control. Presumably this content would involve form fields asking for information the criminals want to receive and which you would be willing to share in this context (such as your bank account login or social security number).
Now, the recent dialog is around the scenario where this proposed attack happens on a site with an Extended Validation SSL Certificate. The certificate identifies the controller of the top-level frame and does not report on the sources of any internal frames in that page. That is in keeping with near-ubiquitous practices in consumer Web applications...