> If malware is running on the user's computer, can it change the
> destination of a funds transfer invisibly to the user, and still have
> the verification work?

Theoretically, this is possible. An advanced client-side MITM attack could be crafted, altering packets on-the-fly and returning a false confirmation page.

i.e.:

normal response: "$100 USD has been transferred from your@xxxxxxxxx to evil@xxxxxxxxxx"

altered response: "$100 USD has been transferred from your@xxxxxxxxx to your@xxxxxxxxxxxxx"

-John Martinelli
RedLevel.org Security