FlyerTalk Forums - View Single Post - Is https Secure Over Airport, Coffee Shop, Hotels Wifi?
Old Sep 2, 2015, 7:50 pm
  #7  
docbert
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,147
Originally Posted by Middle_Seat
... likely has a non-simple answer:
You got that part right...

The answer is very much "yes and no", depending mainly on you, but also in part on the website.

If you go to your bank website by entering "https://www.bankofamerica.com", and if you don't accept any certificate errors or anything else like that, then you're probably safe. Realistically there's no way that a random hotspot hacker can make your browser believe that's the real BoA with a valid certificate if it's not, and once it's using the real BoA certificate it's basically impossible for them to decrypt your traffic (with a few possible exceptions around recent vulnerabilities - but even then you'd have to be very unlucky, and only if your bank hadn't patched them yet).

However if you instead typed "http://www.bankofamerica.com", and didn't notice that you were actually redirected to https://www.bankofamercia.com, then you've got a problem... Because the original site you went to wasn't over httpS then someone intercepting the traffic can easily redirect you to another site. Even though your access to that site might be over https/SSL, the certificate verification will still succeed (and the lock will show) because at the end of the day you ARE talking to the "real" bankofamercia.com! (You did notice the difference, right?)

The same is true if your bank doesn't use SSL for their main site (hello National Australia Bank of Australia!!) in which case the link on the website to login to Internet Banking could be trivially compromised. Even if you originally went to the SSL site, some links on the site could drop you back to the non-SSL site without you noticing.

There are new features being added to websites/browsers to work around some of these issues (eg, HSTS), but a surprisingly small number of sites are actually implementing them. eg, Bank of America doesn't support HSTS, and NAB doesn't even force SSL on their main site...

You might also be interested in this experiment I did recently - Spoofing public Wifi networks - in the air!
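An added example (mine, not docbert's and not code from FlyerTalk or any bank) that models the two mechanics the post describes: why a first visit typed as "http://" can be redirected before any certificate check happens, how an HSTS policy stops that on later visits by rewriting the URL to https:// before a packet leaves the machine, and a separate check for a redirect that lands on a near-identical hostname where the lock icon is legitimately green. Hostnames, timestamps and header values are constructed for the example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age_seconds, include_subdomains), or None when max-age is absent
    (the header is then invalid and a browser ignores it)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        d = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, include_subdomains)."""

    def __init__(self):
        self.entries = {}

    def record(self, scheme, host, sts_header, now=None):
        """Store a policy. Browsers only honour STS received over HTTPS, so a header
        seen on a plaintext response (which an on-path party could have written) is dropped."""
        now = time.time() if now is None else now
        if scheme != "https":
            return False
        parsed = parse_sts(sts_header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 is how a site withdraws its policy
            return True
        self.entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if the host, or a parent domain with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # expired policy: the host is back to first-visit behaviour
            if i == 0 or include_sub:
                return True
        return False


def navigate(url, cache, now=None):
    """Return the URL the browser would actually request. An http:// URL to a host
    with a live HSTS policy is rewritten to https:// locally, so the plaintext
    request that a hotspot could redirect is never sent. Without a policy the
    http:// request goes out as typed."""
    parts = urlsplit(url)
    if parts.scheme == "http" and cache.is_known(parts.hostname, now):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_redirect(typed_host, landed_host, max_distance=2):
    """Flag a redirect that lands on a different host within a couple of edits of the
    one the user typed (bankofamerica vs bankofamercia). Certificate validation passes
    on such a host because it really is that host; this is the check the lock does not do."""
    a, b = typed_host.lower().rstrip("."), landed_host.lower().rstrip(".")
    if a == b:
        return False
    return edit_distance(a, b) <= max_distance


if __name__ == "__main__":
    cache = HstsCache()
    t0 = 1_000_000  # constructed clock value so expiry is deterministic
    print(navigate("http://bank.example/login", cache, now=t0))  # first visit: stays http
    cache.record("https", "bank.example", "max-age=600; includeSubDomains", now=t0)
    print(navigate("http://bank.example/login", cache, now=t0 + 1))  # upgraded locally
    print(lookalike_redirect("www.bankofamerica.com", "www.bankofamercia.com"))
```

The model shows the gap the post points at: the upgrade only exists after one successful HTTPS visit has delivered the header (or the site is on the browser's preload list), and a site that never sends the header, or serves its main page over plain HTTP, leaves every visit in the first-visit state.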