A €0.01 bank transfer could compromise a banking AI agent

This line really stood out to me.

> It may look like ordinary text, but when it is placed into an LLM context window, the model may interpret it as an instruction rather than as data.

I feel like as long as this is the case, we'll never have secure LLMs. It concisely summarises the alarm bell I hear every time someone talks about adding AI features to their product. I plan on using this as a sort of benchmark for future AI discussions: "how do you plan on separating data from instructions?"

> There is no single control that solves indirect prompt injection

There is, actually. It's called removing the AI agent. Done.

Putting AI anywhere near people’s finances without even being asked while being responsible for those finances is some next level negligence imho.

This is very interesting. Before I read the article, I thought this one one of those instances where a bank asks a customer to verify a recent transaction to prove they are the account holder (like where did you make your last purchase, and how much did you spend there?), for things like password resets or PIN resets over the phone. It occured to me that a phisher who deposits money into a checking account (a small sum included, could use this if they knew the bank would ask what the most recent transaction amount was. Then when they call in pretending to be the customer, they (if they have other personal information like last 4 of SS# and address, email, phone etc), can get their password reset and gain access to the account. But if the customer blocks any unauthorized deposits, such as ACH/Zelle, then they might not have this issue. Obviously banks should caution or avoid using received funds as an authentication method, except as part of a larger number of evidentiary items.

Was this the type of phishing attack they used? If not, there's two vulnerabilities, and one is not yet patched.

Good job AI, after we managed to almost fix SQL injections everywhere, you made them come back!

This is so simple to prevent, it's just a matter of prompting. The fact that the bank didn't proactively secure against this makes me glad that I'm not one of their customers.

Okay, time to close the account with them I guess

While this is relevant and should indeed be fixed, the attack surface and the practicality of the exploit is a bit meh.

The user needs to do 3 things for this to be actually be phished:

1. Receive money from somebody they don’t known with a weird description 2. Proactively ask the agent for such transaction 3. Click the link the agent provide

While this of course can happen on scale, doesn’t seems so critical in practice

the solution to this problem is so simple and so easy to reason about from first principles i am shocked i can continue making $$$ deploying agents (LLM-driven workflows) for finance customers

It was never about the prompt, it is about the prompt delivery.