CR, Oct 3, 2019

On the security and privacy of Interac e-Transfers

arXiv:1910.01587v2
AI Analysis

The paper addresses critical payment security issues for Canadian consumers and is the first analysis of this system, but it is incremental in exposing known notification risks.

This paper tackles the security and privacy vulnerabilities in Interac e-Transfers, revealing that notifications via email and SMS expose sensitive information, enabling fraudulent redirection attacks in experimental setups.

Nowadays, the Interac e-Transfer is one of the most important remote payment methods for Canadian consumers. To the best of our knowledge, this paper is the very first to examine the privacy and security of Interac e-Transfers. Experimental results show that the notifications sent to customers via email and SMS contain sensitive private information that can potentially be observed by third parties. Anyone with illegitimate intent can use this information to carry out attacks, including the fraudulent redirection of Standard e-Transfers. Such an attack is shown to be possible at least in an experimental setup but likely also in reality. Recent news articles support this finding. Improvements to overcome these interconnected privacy and security problems are proposed and discussed.
