Indirect Prompt Injection via Micro-Transactions: Securing Banking AI Agents

Security researchers have demonstrated a critical vulnerability in financial AI assistants where a minimal bank transfer of €0.01 can be leveraged to execute an indirect prompt injection attack, potentially compromising the agent's integrity and user data.

The Vulnerability: Indirect Prompt Injection

The vulnerability centers on the concept of Indirect Prompt Injection. Unlike direct injections, where a user explicitly tells an AI to ignore its instructions, indirect injections occur when an LLM (Large Language Model) processes external data that contains hidden malicious instructions. In the context of a banking AI agent, this external data is the transaction history.

By initiating a bank transfer of a negligible amount (e.g., €0.01) and setting the transaction reference/description to a specifically crafted prompt, an attacker can "inject" commands into the AI's context window. When the user asks the AI to summarize their recent transactions or analyze their spending, the AI reads the malicious reference and executes the embedded instructions as if they were system-level commands.

Attack Vector and Implications

The attack surface leverages the AI's trust in the data retrieved from the core banking system. Because the AI treats the transaction description as trusted input, it may be manipulated to:

• Exfiltrate sensitive user information to a remote server.
• Manipulate the user's perception of their financial status.
• Perform unauthorized actions within the banking interface if the agent has write-access to API endpoints.

Mitigation and Security Hardening

The case study involving the bank bunq highlights the necessity of implementing robust guardrails between the data retrieval layer and the LLM's reasoning engine. To secure financial AI assistants, developers must implement:

• Input Sanitization: Treating all retrieved transaction metadata as untrusted user input.
• Contextual Isolation: Using delimiters to clearly separate system instructions from retrieved data.
• Output Filtering: Monitoring the AI's responses to prevent the leakage of sensitive tokens or the execution of unauthorized API calls.

Note: Due to the limited description provided in the source, specific technical implementation details of the fix are not available in this summary.