Author: Brian Erdelyi 2015-02-01 13:54:08
Published on: 2015-02-01T13:54:08+00:00
BIP70 is considered a safe method against Man-in-the-Browser (MitB) attacks. If a user copies a URL belonging to a different merchant and enters it into their wallet application, they will see that it belongs to a different merchant. Despite this, an attacker can still buy from the same merchant with the user's money by sending them a different URL. This issue can be mitigated by the merchant setting a "memo" to describe the basket and some user info such as the address where the goods are sent. Although BIP70 does a good job at verifying where the payment request came from, it may not be sufficient for transaction verification, especially in the case of a compromised computer. Out-of-band (OOB) verification would be ideal in such cases, but it may require a trusted intermediary or web wallet. Moreover, it is uncertain whether Trezor supports BIP70.
Updated on: 2023-06-09T16:07:54.863295+00:00