I think you guys are into elaborate schemes and totally forgetting low-level tech/social engineering attacks.
Remember that most people out there don't understand HTTPS; they will just see that little lock and think "I'm secure"... yeah, sure, from a 3rd party. But it's so easy to set up a fake site, get some valid credentials from any CA that accepts it for money, and lure people in. Between OpenID, Facebook, and heck, the fact that most people reuse the same password, you can harvest a lot of valid accounts on a lot of sites. And then the real fun begins.