Re: Defeating Citibank Virtual Keyboard protection using screenshot method
> If malware is running on the user's computer, can it change the
> destination of a funds transfer invisibly to the user, and still
have
> the verification work?
Theoretically, this is possible. An advanced client-side MITM attack
could be crafted, altering packets on-the-fly and returning a false
confirmation page.
i.e.:
normal response: "$100 USD has been transferred from your@xxxxxxxxx to
evil@xxxxxxxxxx"
altered response: "$100 USD has been transferred from your@xxxxxxxxx
to your@xxxxxxxxxxxxx"
-John Martinelli
RedLevel.org Security