Autonomous Shopping Agents Bring Innovation — and New Security Risks
Goodbye ecommerce, hello AI-commerce. As Google, Visa, and Mastercard unveil AI agents for internet shopping, it is only a matter of time until empowered agents routinely browse, select, and buy goods online without step-by-step human intervention.
Once the customer sets the rules for how and when payments occur, verified agents can transact on their behalf using tokenized credentials, so the agent itself never handles the raw card number. Done properly, these payments have the potential to unlock adoption of, and trust in, agent-based (so-called 'agentic') systems by individuals and enterprises.
Though they don’t always get the credit, payments companies have a track record of innovation that reaches deep into the global economy. In many markets, consumers now take for granted that they don’t need to carry cash or even cards — they just tap a phone or smartwatch to pay.
Even by those standards, handing over autonomy to an agent will involve a leap of faith, and some serious assurances about security. All aspects of payments are attractive to threat actors; aside from the potential to steal funds, poorly secured systems offer opportunities to access payments data and related personally identifiable information that can be held to ransom.
The consequences of a breach can be very costly. The recent, highly publicized attack on Coinbase, a low-tech breach in which customer-support contractors were allegedly bribed for customer data, is expected to cost up to $400 million to remediate, even though the company insists no customer funds were stolen.
Now imagine the damage that could be done by an attack on an agentic payments system that operates under the banner of a household name brand. As well as financial cost and reputation damage, a breach would represent a major setback for the nascent agent-based technology.
The challenge of securing agentic systems is complicated by the very nature of agents. Put simply, an agent consists of three layers: a purpose; a 'brain', which is the underlying AI model or models; and permitted access to tools and data sources.
The agent carries out its purpose by sending queries to its brain and then calling the appropriate tools and data sources. The interactions between the layers open up entirely new attack surfaces, so agents require protection at both the 'thought' stage, where the model is deciding what to do, and the 'action' stage, where the agent is invoking tools to fulfill its purpose.
Giving an agent permission to carry out payments, even where information is encrypted or tokenized, raises the stakes considerably. There are several possible angles of attack to consider, including model man-in-the-middle (MITM) attacks and prompt injection attacks.
A model MITM attack could occur at the thought stage, where a malicious actor inserts themselves between the agent and the model it queries to read or alter the traffic, including the plan the model returns. With prompt injection attacks, meanwhile, the agent's actual intent can be changed at the model interpretation stage: instructions hidden in content the agent reads, such as a product page or a review, are treated by the model as if they came from the customer and steer it toward unintended behavior.
In the broader sense, there are multiple potential attack vectors arising from the advent of agent payments. As agentic commerce gains ground, free or open-source payment agents may emerge, some of which will have deliberately been created for malicious activity.
These could perform their advertised task, such as buying the latest sneakers on their release date, while simultaneously siphoning off payment information for other uses. Like age-old payment scams, these agents may be branded to look like legitimate and secure products.
In addition, open-source agents that were built with good intent may be compromised through the supply chain, for example by a malicious merge request or pull request accepted into the code base. Meanwhile, unsafe hosting of the model that powers the agent could allow model traffic to be intercepted and data to be stolen.
Beyond malicious attacks, there is the potential for errors. Language models are unreliable at arithmetic, so totals that the model computes itself, rather than deterministic code, could lead to under- or over-charging. A tool that interacts with a website to make a payment may time out and retry, leading to an accidental double payment unless the retry is recognizably the same request (for example, by carrying an idempotency key).
These are all realistic security issues that may emerge, both for the first generation of payment agents and the ones that will inevitably follow. Understanding the agent threat is the first step to dealing with it; the best way to effectively scale up defenses is to properly understand the type and complexity of potential attacks and employ appropriate measures.
To build a security perimeter around agents accessing financial data, companies should ensure they employ models that rank highly on publicly available safety leaderboards and hold up under simulated attacks. In practice that means red-teaming the agent as a whole, including its tools, with realistic adversarial scenarios, automated where possible, both before and after it goes into production.
This is not ‘one-and-done,’ however. Ongoing monitoring is a critical factor in maintaining a hard-won security posture. Businesses that take their own security and the security of their customers seriously must be prepared to continuously scan content at the thought and action stages of model interactions, particularly in such a sensitive area as payments.
Finally, security leaders should ensure payment agents use layered authentication so that every payment request can be traced to a trusted source. Enforcing transaction limits outside the model, and pairing them with explainability frameworks that include provenance tracking to trace each payment decision back through the agent's reasoning, will deliver greater accountability.
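As an added example, not code from the article or from any named payments provider, here is an action-stage gate that implements the three controls just described: spend limits that the customer set and that the model cannot override, an HMAC-signed authorization so the component that actually moves money accepts only requests that passed the gate, and a provenance ledger linking every allow or deny decision to the plan step and rationale the model produced. The `SpendPolicy`, `PaymentGate` and `executor_accepts` names, the request fields, and the shared-key arrangement between gate and executor are assumptions for illustration. Because the gate sits after the model, it holds even when a prompt injection has already steered the model's plan.

```python
"""Action-stage policy gate for a payment tool (added example).

Flow: model proposes {step_id, merchant, amount, rationale}
      -> gate checks policy and logs the decision
      -> gate signs approved requests with a key shared only with the executor
      -> executor verifies the signature before touching the payment rail.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class SpendPolicy:
    """Limits the customer set up front; the model has no write access here."""
    per_txn_max: Decimal
    daily_max: Decimal
    merchants: frozenset  # merchant allowlist


@dataclass
class PaymentGate:
    policy: SpendPolicy
    signing_key: bytes  # assumption: shared only with the payment executor
    spent_today: Decimal = Decimal("0")
    ledger: list = field(default_factory=list)  # provenance log, append-only

    def authorize(self, request):
        """Return a signed authorization, or None if policy denies the request.

        request is the model's proposed action:
        {"step_id", "merchant", "amount", "rationale"}.
        """
        amount = Decimal(request["amount"])
        reason = None
        if request["merchant"] not in self.policy.merchants:
            reason = "merchant not on allowlist"
        elif amount <= 0:
            reason = "non-positive amount"
        elif amount > self.policy.per_txn_max:
            reason = "exceeds per-transaction limit"
        elif self.spent_today + amount > self.policy.daily_max:
            reason = "exceeds daily limit"

        # Every decision, allowed or not, is recorded with the model's own
        # rationale so the action can be traced back to the reasoning step.
        self.ledger.append({
            "step_id": request["step_id"],
            "merchant": request["merchant"],
            "amount": str(amount),
            "rationale": request["rationale"],
            "allowed": reason is None,
            "reason": reason,
        })
        if reason is not None:
            return None

        # Reserve the spend at authorization time so parallel steps cannot
        # each pass the daily check before any of them completes.
        self.spent_today += amount
        payload = json.dumps(
            {"step_id": request["step_id"], "merchant": request["merchant"],
             "amount": str(amount)},
            sort_keys=True,
        ).encode()
        tag = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}


def executor_accepts(signing_key, authorization):
    """Payment executor side: act only on requests the gate signed, unmodified."""
    expected = hmac.new(signing_key, authorization["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, authorization["tag"])


if __name__ == "__main__":
    policy = SpendPolicy(Decimal("200"), Decimal("300"), frozenset({"shoes.example"}))
    gate = PaymentGate(policy, b"constructed-demo-key")
    auth = gate.authorize({"step_id": "s1", "merchant": "shoes.example",
                           "amount": "129.99", "rationale": "buy the sneakers on the list"})
    print("executor accepts:", executor_accepts(b"constructed-demo-key", auth))
    print(json.dumps(gate.ledger, indent=1))
```

The signature covers only the fields the executor acts on (merchant and amount, plus the step id for correlation); anything that changes them in transit, including a compromised agent runtime altering the amount after authorization, fails `executor_accepts`. The ledger is what an analyst reads after the fact to see which plan step, with which stated rationale, produced each payment attempt.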
These actions will help to build all-important trust in AI-commerce and unlock the uptake and benefits of agentic solutions for shopping.