uyzstvqs 4 days ago

This is so simple to prevent, it's just a matter of prompting. The fact that the bank didn't proactively secure against this makes me glad that I'm not one of their customers.

jorisw 4 days ago | parent [-]

Would it be simple to explain as well? I'm interested

bilekas 4 days ago | parent [-]

I am not OP, but completely isolating the AI from any actions other than what's expected would be a start. I.e., a specific API only for the AI, in which there is not even any access for the prompt injection to even make sense. But just an idea from an onlooker.

tvissers 4 days ago | parent | next [-]

I can recommend having a look at secure design patterns for LLM agents. Simon Willison has a great post on this: https://simonwillison.net/2025/Jun/13/prompt-injection-desig...

addandsubtract 4 days ago | parent | prev [-]

Now that you mention it, why don't we encrypt injectable data that comes from users and only decrypt it on the client?

OutOfHere 4 days ago | parent | next [-]

The issue is that certain questions may genuinely require the LLM to have the raw descriptions. For example, "List my grocery store transactions".

repelsteeltje 4 days ago | parent | prev [-]

You mean, use encryption (+base64 or something) as a "poor man's" string-escape? Interesting idea!
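One way to build the isolation bilekas and addandsubtract describe, as an added Python example that is not code from anyone in this thread: untrusted free-text fields are swapped for opaque placeholders before the data is handed to the model and expanded again only on the client, which is the "string-escape" effect repelsteeltje names. The `Transaction` and `Redactor` classes, the stand-in `grocery_answer` function and the sample data are all constructed for this example; it also shows OutOfHere's caveat, since the grocery query only still works because a bank-assigned category travels alongside the hidden description.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    category: str     # bank-assigned from card-network data, not chosen by the payer
    amount: float
    description: str  # free text chosen by whoever sent the payment: untrusted


class Redactor:
    """Swaps each untrusted description for an opaque placeholder before the
    data leaves the client; the placeholder-to-text mapping never reaches the model."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def redact(self, tx: Transaction) -> dict:
        token = f"[[DESC_{len(self._vault) + 1}]]"
        self._vault[token] = tx.description
        # Only structured fields plus the placeholder are sent to the model.
        return {"category": tx.category, "amount": tx.amount, "description": token}

    def restore(self, model_text: str) -> str:
        # Client side: expand placeholders in the model's reply back to the originals.
        for token, original in self._vault.items():
            model_text = model_text.replace(token, original)
        return model_text


def grocery_answer(model_view: list[dict]) -> str:
    """Stand-in for the model answering "List my grocery store transactions".
    It still works because the filter uses the bank-assigned category, not the
    description it never sees; a question about the description text would not."""
    hits = [f"{tx['amount']:.2f} {tx['description']}" for tx in model_view if tx["category"] == "grocery"]
    return "\n".join(hits)


# Constructed sample data; the second description stands in for payer-controlled text.
SAMPLE = [
    Transaction("grocery", 42.10, "FRESHMART #221"),
    Transaction("transfer", 5.00, "(arbitrary payer-supplied text)"),
    Transaction("grocery", 12.75, "CORNER GROCER"),
]


def run(transactions: list[Transaction] = SAMPLE) -> str:
    """Redact, let the model-side stand-in answer, then restore on the client."""
    redactor = Redactor()
    model_view = [redactor.redact(tx) for tx in transactions]
    return redactor.restore(grocery_answer(model_view))
```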