Jim was always a good computer user. His laptop was being protected by up-to-date antivirus and anti-spyware programs. His Windows firewall was ON. He only used HTTPS to access sensitive web services.
He opened up his browser and began to check his XXX credit card balance. He typed in the URL of the credit card company and a message appeared: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. Do you want to proceed?" He clicked the "View Certificate" button on the message window and found most information inside was normal except a paragraph as "This certificate cannot be verified up to a trusted certification authority."
He clicked OK to accept the certificate and then proceeded to check his online credit card account as usual.
After two days, Jim received calls from his credit card company asking about some suspicious transactions with his credit card. Then he found his card was compromised.
What's the matter?
The coffee shop was a well-established one that Jim has visited many times since five years ago. His laptop was clean. Everything seemed fine.
On-the-spot Investigation
We accessed the APs in the coffee shop via wired and wireless connection and found one more hop on the WiFi traceroute, which means there was a MITM AP.
The attacker used a fake SSL certificate that was pushed to Jim, once Jim accepted this fake certificate, the SSL connection between Jim and the MITM AP would be established.