<<< Date Index >>>     <<< Thread Index >>>

Re: Defeating Citibank Virtual Keyboard protection using screenshot method



> If malware is running on the user's computer, can it change the
> destination of a funds transfer invisibly to the user, and still 
have
> the verification work?

Theoretically, this is possible. An advanced client-side MITM attack 
could be crafted, altering packets on-the-fly and returning a false 
confirmation page.

i.e.: 

normal response: "$100 USD has been transferred from your@xxxxxxxxx to 
evil@xxxxxxxxxx"
altered response: "$100 USD has been transferred from your@xxxxxxxxx 
to your@xxxxxxxxxxxxx"

-John Martinelli
RedLevel.org Security