On 2015-11-02 22:53:03 +0000, Brian wrote:
> An attacker must inject a payload into a web page that the user visits.
> When the page loads in the user’s browser the attacker’s payload will
> be executed. A user would likely have no knowledge of this, irrespective
> of whatever browser or user-agent string is being used.
>
> Without the payload (which the bank's site has delivered) the security
> of the browser is not compromised. If a password were to be obtained the
> bank is complicit in the action. I expect they would take responsibility
> for this.

If the attack is due to a vulnerability in the user's browser and this browser is blocked by the bank because it is old and no longer maintained (thus may have known, unfixed vulnerabilities), the user would be fully responsible. Actually it is the responsibility of the user to update his software, but bypassing the bank's security mechanisms makes him even more responsible.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)