Re: Defeating Citibank Virtual Keyboard protection using screens

Board: Bugtraq | Time: 18 years ago (2007/05/18 02:28)
> If malware is running on the user's computer, can it change the
> destination of a funds transfer invisibly to the user, and still have
> the verification work?

Theoretically, this is possible. An advanced client-side MITM attack could be crafted, altering packets on-the-fly and returning a false confirmation page.

i.e.:

normal response: "$100 USD has been transferred from your@email.com to evil@hacker.com"

altered response: "$100 USD has been transferred from your@email.com to your@recipient.com"

-John Martinelli
RedLevel.org Security
Article ID (AID): #16J9wu00 (Bugtraq)