Board: Bugtraq
> If malware is running on the user's computer, can it change the
> destination of a funds transfer invisibly to the user, and still have
> the verification work?

Theoretically, this is possible. An advanced client-side MITM attack could be crafted, altering packets on-the-fly and returning a false confirmation page.

i.e.:

normal response: "$100 USD has been transferred from your@email.com to evil@hacker.com"

altered response: "$100 USD has been transferred from your@email.com to your@recipient.com"

-John Martinelli
RedLevel.org Security