> If malware is running on the user's computer, can it change the
> destination of a funds transfer invisibly to the user, and still have
> the verification work?

Theoretically, this is possible. An advanced client-side MITM attack could be crafted, altering packets on-the-fly and returning a false confirmation page.

i.e.:

normal response: "$100 USD has been transferred from [EMAIL PROTECTED] to [EMAIL PROTECTED]"
altered response: "$100 USD has been transferred from [EMAIL PROTECTED] to [EMAIL PROTECTED]"

-John Martinelli
RedLevel.org Security
