This is what’s called a “man-in-the-middle” attack.[696] Once the hacker made Sarah communicate over unencrypted HTTPS, he could sit in the middle of Sarah and Bank of America and “hear” everything they were saying to each other. By getting Sarah’s unencrypted password, the hacker could log into Sarah’s account himself and, say, send funds to his account!
