alt Hacker NewsUser installs a browser extension which forwards the request to everyoneisover18.com, owner of that site has a script set up to log into their bank and pass the verification challenge
User installs a browser extension which forwards the request to everyoneisover18.com, owner of that site has a script set up to log into their bank and pass the verification challenge
Restricted-site.com gets the signed response from the broker, not the bank. In your situation there's not any need for "everyoneisover18.com" to defer to a real bank for a faked response as it signs things itself.
But restricted-site.com doesn't trust everyoneisover18.com's key, it only trusts realbroker.com's key, so the response isn't accepted. If it is found to trust fake brokers like that it gets in trouble with the law.