
I think I understand the situation correctly, but please correct me if I'm wrong. You're essentially asking "How does realBank.com stop fakeBank.com from sending requests on behalf of the user to realBank.com"?

The malicious site could go about a few ways of potentially using functionality based on what protections the real bank's site is using. If it's not protected against CSRF & JWTs aren't in use, it could send a request on behalf of the user.

If the bank's site allows framing, a clickjacking attack could occur.

---

From your further comments though, it also sounds like you may be talking about phishing. There are several PoCs and real-world examples of attackers hosting a fake login page for Microsoft/Apple/Facebook and interacting in real-time with the real site. This allows them to also prompt the user for an MFA code which they'll use to authenticate.

If it's this phishing scenario, there's not a big way to block these for completely public-facing sites. Anything behind a VPN / whitelist would be impossible though (ofc).
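The two non-phishing paths named above (a forged cross-site request, and framing the bank page) are both closed server-side, so here is an added, framework-free model of those checks. This is example code written for this thread, not anything the commenter posted; the origin `https://realbank.example`, the secret key and the dict-shaped request are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed example: per-deployment server secret used to bind CSRF tokens to a session.
SECRET_KEY = b"constructed-demo-secret"
# Constructed example: the only origin allowed to submit state-changing requests.
ALLOWED_ORIGINS = {"https://realbank.example"}

# Sent with every response so fakeBank.com cannot load the page in an iframe
# (the clickjacking path mentioned above).
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session synchronizer token. A cross-site page can make the
    browser attach the session cookie, but it cannot read the HTML that carries
    this token, so it cannot include it in a forged form."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token) -> bool:
    """Constant-time comparison against the token expected for this session."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, token or "")


def _respond(status: int, body: str) -> dict:
    return {"status": status, "headers": dict(ANTI_FRAMING_HEADERS), "body": body}


def handle_transfer(request: dict) -> dict:
    """Model of POST /transfer. `request` is a plain dict with 'headers',
    'cookies' and 'form' keys (a stand-in for a real framework request object)."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    cookies = request.get("cookies", {})
    form = request.get("form", {})

    session_id = cookies.get("session")
    if not session_id:
        return _respond(401, "no session")

    # Check 1: the browser-set Origin (or Referer) must be our own site.
    # Browsers add Origin to cross-site POSTs and page scripts cannot override it.
    origin = headers.get("origin") or headers.get("referer", "")
    if not any(origin.startswith(allowed) for allowed in ALLOWED_ORIGINS):
        return _respond(403, "cross-site request rejected")

    # Check 2: the synchronizer token in the form must match this session.
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return _respond(403, "missing or invalid csrf token")

    return _respond(200, f"transferred {form.get('amount')} to {form.get('to')}")


if __name__ == "__main__":
    token = issue_csrf_token("sess-123")
    print(handle_transfer({
        "headers": {"Origin": "https://realbank.example"},
        "cookies": {"session": "sess-123"},
        "form": {"csrf_token": token, "amount": "10", "to": "alice"},
    }))
    print(handle_transfer({
        "headers": {"Origin": "https://fakebank.example"},
        "cookies": {"session": "sess-123"},
        "form": {"amount": "10", "to": "mallory"},
    }))
```

The Origin check alone is enough in current browsers; the token is kept as a second, independent control for clients that strip or omit the header. Both checks rely on the fact that the browser will send the cookie for a cross-site request but will not let the other origin read the response, which is exactly the asymmetry the commenter is describing.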




The thing is that I claimed to have a solution and I even filed a patent for it. Some time later I understood I need many iterations to even understand if I’m right or wrong. The direction is OK, but I’m still trying to understand if I’m the right person to solve this problem: I am sending a secret via Email (which is a right direction), then to send and receive data to and from “bank.com” I send it to a Frontend JavaScript code that has access to this secret key (user clicks a link in the Email). The JavaScript resides on a subdomain of my service which is whitelisted via CORS.

If anyone would read this, could you please reflect?



