[uyzstvqs]

This is so simple to prevent, it's just a matter of prompting. The fact that the bank didn't proactively secure against this makes me glad that I'm not one of their customers.

[jorisw]

Would it be simple to explain as well? I'm interested

[bilekas]

I am not OP, but completely isolating the AI from any actions other than what's expected would be a start. IE a specific API only for the AI, in which there is not even any access for the prompt injection to even make sense. But just an idea from an onlooker.

[tvissers]

I can recommend having a look at secure design patterns for LLM agents. Simon Willison has a great post on this: https://simonwillison.net/2025/Jun/13/prompt-injection-desig...

[addandsubtract]

Now that you mention it, why don't we encrypt injectable data that comes from users and only decrypt it on the client?

[OutOfHere]

The issue is that certain questions may genuinely require the LLM to have the raw descriptions. For example, "List my grocery store transactions".

[repelsteeltje]

You mean, use encryption (+base64 or something) as a "poor man's" string-escape? Interesting idea!