When you use a browser to connect to a secure site, like your bank, using https*, the data flowing between the computers is encrypted and digitally signed:

1.  it flows through many untrusted parties along the way that are free to make a copy,

2.  it is very hard in real time to change any of the data without it being detected,

3.  it is very hard in real time to decrypt any of the data.

In real time – that’s the rub.  When you connect to a site, after the https is set up**, you usually send in your Username and Password to access your stuff.  Now, there are advanced ways to crack the encrypted data that was captured by those untrusted parties, it just takes time.  So, if you never change your password, it could be discovered.  Changing the data so the change cannot be detected is not as interesting since by the time the changes are in place, many days later, your session is over and so is the attack.  Interesting to note that you can change the data without decrypting the original bits, but that would be detected.

And always when doing sensitive work using a browser, follow the pattern:

1.  Open a new session of the browser (not a NEW tab on an existing browser).

2.  Go to your site, do your work.

3.  Use the ‘sign-out’, ‘sign-off’, ‘log-out’ button on the site.

a.  If the site doesn’t have such a button, they are clueless to the danger.  You will have to clear the ‘cookies’ and / or ‘data’ using the browser functionality.

4.  Close the browser, don’t browse to another site.

*a good browser will give you a signal that you are communicating with the intended party and using https.

**make sure it is and never ever send a password over a clear connection while doing anything important.