On the security and privacy of Interac e-Transfers

Abstract

Nowadays, the Interac e-Transfer is one of the most important remote payment methods for Canadian consumers. To the best of our knowledge, this paper is the very first to examine the privacy and security of Interac e-Transfers. Experimental results show that the notifications sent to customers via email and SMS contain sensitive private information that can potentially be observed by third parties. Anyone with illegitimate intent can use this information to carry out attacks, including the fraudulent redirection of Standard e-Transfers. Such an attack is shown to be possible at least in an experimental setup but likely also in reality. Recent news articles support this finding. Improvements to overcome these interconnected privacy and security problems are proposed and discussed.