The National Association of Securities Dealers put out the wrong message in its warning against Wi-Fi hotspots. They do say to keep software patched, use a firewall, and connect only to secure sites for transactions, and that a VPN is a good idea. But they suggest that sniffing and evil twins could intercept financial data. That's not correct.
Unless you fail to check the URL to which you're connecting, there's no known way to forge an SSL certificate that would allow an evil twin to show you "https://www.etrade.com/" and have your browser do anything but balk. Likewise, sniffing can't intercept SSL- or VPN-encrypted data using any techniques currently available. Weak SSL, sure, but no reputable firm has run 40-bit SSL in years. Likewise, a VPN using PPTP with a weak passphrase is a problem, so choose long PPTP passphrases.
Update: Read the comment below. Apparently, there are ways for an SSL root authority to be subverted! But it's not dependent on being in a hotspot.