On the security and privacy of Interac e-Transfers
Fabian Willems (1), Mohammad Raahemi (1), Prasadith Buddhitha (1), Carlisle Adams (1), Thomas Tran (1) ((1) School of Electrical Engineering and Computer Science, University of Ottawa)

TL;DR
This paper investigates the privacy and security vulnerabilities of Interac e-Transfers, revealing that sensitive information in notifications can be exploited for attacks, and proposes improvements to mitigate these issues.
Contribution
First comprehensive analysis of Interac e-Transfer security and privacy issues, highlighting vulnerabilities and proposing solutions to enhance safety.
Findings
Email and SMS notifications contain sensitive private info.
Potential for attacks like fraudulent redirection demonstrated.
Real-world news supports the identified vulnerabilities.
Abstract
Nowadays, the Interac e-Transfer is one of the most important remote payment methods for Canadian consumers. To the best of our knowledge, this paper is the very first to examine the privacy and security of Interac e-Transfers. Experimental results show that the notifications sent to customers via email and SMS contain sensitive private information that can potentially be observed by third parties. Anyone with illegitimate intent can use this information to carry out attacks, including the fraudulent redirection of Standard e-Transfers. Such an attack is shown to be possible at least in an experimental setup but likely also in reality. Recent news articles support this finding. Improvements to overcome these interconnected privacy and security problems are proposed and discussed.
Taxonomy
Topics: Privacy, Security, and Data Protection · Privacy-Preserving Technologies in Data · Internet Traffic Analysis and Secure E-voting
