feat(techniques): add SAFE-T2104 Fraudulent Transactions #133
SujitBista wants to merge 1 commit into safe-agentic-framework:main from
Conversation
- Add comprehensive documentation for fraudulent transaction attacks via MCP payment tools
- Include Sigma detection rule with UUID E962C613-F5AD-4F93-A830-D58128A00116
- Add test-logs.json with 17 test cases (11 positive, 6 negative)
- Add test_detection_rule.py for validation
- Document attack vectors: prompt injection, tool poisoning, cross-tool contamination
- Include Mermaid attack flow diagram
- Map to MITRE ATT&CK TA0040 (Impact)
- Reference related SAFE-MCP techniques (T1001, T1102, T1104, T1106, T1915, T2101)

Sources:
- Model Context Protocol Specification
- OWASP Top 10 for LLM Applications
- MITRE ATT&CK Framework
- Federal Reserve AI Risk Management Guidance
- Academic research on AI agent security vulnerabilities

Signed-off-by: Sujit Bista <sujitbistaprogrammer@gmail.com>
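The PR description above says the technique ships a Sigma rule together with a labelled set of positive and negative test events and a script that validates the rule against them. The block below is an added illustration of that pattern and is not part of the PR, its Sigma rule or its test_detection_rule.py: it evaluates a small hypothetical rule, written in Sigma's structure, over constructed MCP tool-call events and reports false positives and false negatives. The rule's selections, field names (tool_name, instruction_origin, amount, recipient_allowlisted, environment), the 5000 threshold, the placeholder id and every event are assumptions made for the example.

```python
"""Constructed example: check a Sigma-structured rule against labelled MCP
tool-call events. Rule, fields, thresholds, id and events are hypothetical;
this is not the SAFE-T2104 rule or the PR's test script."""
import fnmatch
from typing import Any

# Hypothetical rule in Sigma's structure (placeholder id, not the PR's UUID).
RULE: dict[str, Any] = {
    "title": "Illustrative: MCP payment tool call with untrusted or anomalous context",
    "id": "00000000-0000-0000-0000-000000000000",
    "logsource": {"product": "mcp", "service": "tool_calls"},
    "detection": {
        # Payment-capable tools, matched by substring on the tool name.
        "selection_payment_tool": {"tool_name|contains": ["transfer", "payment", "send_funds"]},
        # Any one of these anomalies is enough to alert.
        "anomaly_untrusted_origin": {"instruction_origin": ["tool_description", "tool_result"]},
        "anomaly_large_amount": {"amount|gt": 5000},
        "anomaly_unverified_recipient": {"recipient_allowlisted": False},
        # Sandbox runs are filtered out.
        "filter_sandbox": {"environment": "sandbox"},
        "condition": "selection_payment_tool and 1 of anomaly_* and not filter_sandbox",
    },
    "level": "high",
}


def _field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one Sigma field entry: list values are OR-ed, '|modifier' applies."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    candidates = expected if isinstance(expected, list) else [expected]
    for want in candidates:
        if modifier == "contains":
            if isinstance(actual, str) and str(want).lower() in actual.lower():
                return True
        elif modifier == "gt":
            if isinstance(actual, (int, float)) and actual > want:
                return True
        elif modifier == "":
            if actual == want:
                return True
        else:
            raise ValueError(f"unsupported modifier in this example: {modifier}")
    return False


def selection_matches(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """All fields inside one selection must match (Sigma AND semantics)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(event: dict[str, Any], detection: dict[str, Any]) -> bool:
    """Evaluate a restricted Sigma condition grammar: terms joined by ' and ',
    each '[not ]name', '[not ]1 of glob*' or '[not ]all of glob*'."""
    selections = {k: v for k, v in detection.items() if k != "condition"}
    results = {name: selection_matches(event, sel) for name, sel in selections.items()}
    outcome = True
    for term in detection["condition"].split(" and "):
        term = term.strip()
        negate = term.startswith("not ")
        if negate:
            term = term[4:].strip()
        if term.startswith("1 of ") or term.startswith("all of "):
            quantifier, _, pattern = term.partition(" of ")
            hits = [results[n] for n in results if fnmatch.fnmatch(n, pattern)]
            value = any(hits) if quantifier == "1" else all(hits)
        else:
            value = results[term]
        outcome = outcome and (value != negate)  # 'not' flips the term
    return outcome


# Constructed labelled events: (description, event, expected_alert).
TEST_EVENTS = [
    ("payment tool driven by instructions found in a tool description",
     {"tool_name": "stripe_create_payment", "instruction_origin": "tool_description",
      "amount": 120, "recipient_allowlisted": True}, True),
    ("user-initiated transfer far above the amount threshold",
     {"tool_name": "bank_transfer", "instruction_origin": "user",
      "amount": 25000, "recipient_allowlisted": True}, True),
    ("small transfer to a recipient outside the allowlist",
     {"tool_name": "send_funds", "instruction_origin": "user",
      "amount": 50, "recipient_allowlisted": False}, True),
    ("routine user-initiated transfer to an allowlisted recipient",
     {"tool_name": "bank_transfer", "instruction_origin": "user",
      "amount": 400, "recipient_allowlisted": True}, False),
    ("non-payment tool, even with untrusted instruction origin",
     {"tool_name": "read_file", "instruction_origin": "tool_result"}, False),
    ("large transfer in the sandbox environment is filtered",
     {"tool_name": "bank_transfer", "instruction_origin": "user", "amount": 99999,
      "recipient_allowlisted": True, "environment": "sandbox"}, False),
]


def run_tests(rule: dict[str, Any], cases: list) -> dict[str, Any]:
    """Run every labelled case; report pass count plus false positives/negatives."""
    failures = []
    for description, event, expected in cases:
        alerted = evaluate_condition(event, rule["detection"])
        if alerted != expected:
            kind = "false negative" if expected else "false positive"
            failures.append(f"{kind}: {description}")
    return {"passed": len(cases) - len(failures), "failed": failures}


if __name__ == "__main__":
    print(run_tests(RULE, TEST_EVENTS))
```

The filter selection is the part worth copying: without `not filter_sandbox` the large-amount sandbox event would alert, and a negative test case is what catches that kind of noise before the rule ships.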
bishnubista left a comment
🤖 SAFE Reviewer - Automated PR Review
Summary
🔴 6 critical issues found
🔴 Critical Issues
Unreachable URLs (3)
| Line | URL | Status |
|---|---|---|
| README.md:121 | researchgate.net/publication/378456789... | HTTP 403 - Publication ID may be invalid |
| README.md:151 | federalreserve.gov/supervisionreg/topics/ai-risk-management.htm | HTTP 404 - Page not found |
| README.md:153 | sec.gov/ | HTTP 403 - Generic homepage, not specific guidance |
Action Required: Replace with valid URLs or remove citations.
Non-existent Cross-References (3)
| Line | Reference | Issue |
|---|---|---|
| README.md:131, 345 | SAFE-T1915 | Technique does not exist in repository |
| README.md:346 | SAFE-T2101 | Technique does not exist in repository |
Action Required: Remove references or create the missing techniques first.
⚠️ Warnings
Mislabeled Mitigation Descriptions (4)
Lines 292, 294, 302, 303 have incomplete markdown link descriptions (text cut off at ](../../mitigations/SAFE). Verify the markdown formatting in the source file.
🧠 Needs Manual/LLM Verification
arXiv Papers (6 references)
- arXiv:2312.17041 (lines 122, 353) - Verify paper matches claimed topic
- arXiv:2503.18813 (lines 291, 357) - Verify paper matches claimed topic
- arXiv:2402.12303 (lines 332, 354) - Verify paper matches claimed topic
MITRE ATT&CK Mapping (19 references)
- Verify T1498, T1105 applicability to fraudulent transaction attacks
✅ Passed Checks
- Template compliance: 15/15 required sections present
- Sigma rule: Valid YAML, proper UUID, required fields present
- 10 valid SAFE-T/M cross-references verified
Automated review by SAFE Reviewer • TypeScript validation pipeline v1.0
bishnubista left a comment
🤖 SAFE Reviewer - Inline Comments
Posting detailed inline comments on specific issues found.
| 1. **Transaction Chaining**: Using one compromised tool to trigger payment operations through another tool, obscuring the attack path ([OWASP LLM Top 10, 2024](https://owasp.org/www-project-top-10-for-large-language-model-applications/)) | ||
| 2. **Amount Manipulation**: Subtle modifications to transaction amounts (e.g., adding small percentages) that evade detection thresholds ([Financial Fraud Detection Research, 2024](https://www.researchgate.net/publication/378456789_Financial_Fraud_Detection_Using_AI)) | ||
| 3. **Recipient Substitution**: Manipulating agent context to substitute attacker addresses for legitimate recipients during transaction construction ([Prompt Injection Attacks on LLMs, 2024](https://arxiv.org/abs/2312.17041)) |
🔴 CRITICAL: Invalid arXiv Reference
arXiv:2312.17041 is actually a nuclear physics paper about "Atomic mass determination of uranium-238", NOT about prompt injection attacks.
Action Required: Replace with correct arXiv ID or remove this reference.
| While not MCP-specific, security researchers documented cases where AI trading bots were manipulated through prompt injection to execute unauthorized trades: | ||
| - Attackers injected trading instructions that appeared as market analysis | ||
| - Bots executed trades based on manipulated context, moving funds to attacker-controlled accounts | ||
| - Incident highlighted the risk of autonomous financial decision-making without proper controls ([AI Security Research, 2024](https://arxiv.org/abs/2402.12303)) |
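Review bot: the incident account in this region names no date, venue, affected product or reporting party, and its only support is the arXiv:2402.12303 citation, which the inline comment on this region reports as unrelated to trading bots; either cite an identifiable incident report or present the three bullets as a hypothetical scenario rather than as documented cases.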
🔴 CRITICAL: Invalid arXiv Reference
arXiv:2402.12303 is actually about computer vision multi-object tracking ("UncertaintyTrack"), NOT about trading bot vulnerabilities or AI security.
Action Required: Replace with correct arXiv ID for financial AI/trading bot security research, or remove.
| - [MCP Security Notification: Tool Poisoning Attacks - Invariant Labs](https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks) | ||
| ## MITRE ATT&CK Mapping | ||
| - [T1498 - Endpoint Denial of Service](https://attack.mitre.org/techniques/T1498/) (Conceptually related - financial impact through unauthorized operations) |
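Review bot: the technique name on this line does not match its ID. In MITRE ATT&CK, T1498 is Network Denial of Service; Endpoint Denial of Service is T1499. As written the line labels one technique with the other's name, so whichever mapping survives the applicability question should have the name and the ID agreeing with the linked page.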
🔴 CRITICAL: Inapplicable MITRE Technique
T1498 (Network Denial of Service) is fundamentally inapplicable to fraudulent transaction attacks.
- T1498 is about: Network bandwidth exhaustion for availability impact
- SAFE-T2104 is about: Financial theft through unauthorized transfers
These are completely different attack types.
Action Required: Remove T1498 or replace with an applicable technique.
| According to research on AI agent security vulnerabilities, attackers have developed sophisticated multi-stage attack patterns: | ||
| 1. **Transaction Chaining**: Using one compromised tool to trigger payment operations through another tool, obscuring the attack path ([OWASP LLM Top 10, 2024](https://owasp.org/www-project-top-10-for-large-language-model-applications/)) | ||
| 2. **Amount Manipulation**: Subtle modifications to transaction amounts (e.g., adding small percentages) that evade detection thresholds ([Financial Fraud Detection Research, 2024](https://www.researchgate.net/publication/378456789_Financial_Fraud_Detection_Using_AI)) |
🔴 CRITICAL: Broken URL
ResearchGate publication link returns HTTP 403 Forbidden:
https://www.researchgate.net/publication/378456789_Financial_Fraud_Detection_Using_AI
Action Required: Verify URL exists or remove/replace reference.
| ### Current Status (2025) | ||
| According to security researchers and financial industry guidance, organizations are implementing mitigations: | ||
| - Financial institutions are developing AI-specific transaction monitoring systems that analyze agent decision-making patterns ([Federal Reserve AI Risk Management Guidance, 2024](https://www.federalreserve.gov/supervisionreg/topics/ai-risk-management.htm)) |
🔴 CRITICAL: Broken URL
Federal Reserve link returns HTTP 404 Not Found:
https://www.federalreserve.gov/supervisionreg/topics/ai-risk-management.htm
Action Required: Find correct URL or remove reference.