
Note: This article was originally published on the website of Entersekt, a leading provider of mobile-based authentication and app security software to protect online and mobile banking and transactions. You can find out more about Entersekt’s innovative solutions at its website.

Since its launch on November 16th, 2020, Brazilians have been getting acquainted with Pix, the Brazilian Central Bank’s long-anticipated instant payment system. Pix allows users to make instant money transfers 24 hours a day, seven days a week, from their mobile phones, for free. To enroll, end users (both consumers and merchants) must sign up with one of the 734 registered institutions [1], among them banks, fintechs, financial cooperatives, retailers and others.

In addition to instant P2P transfers, users can make purchases at merchants via QR code (merchants receive funds instantly), and additional QR code functionalities are in the Pix roadmap, including QR code-based withdrawals at retailers.

What Are Chaves?

The Central Bank defines chaves (“keys” in English) as nicknames that identify a user’s bank account and simplify a transfer. A chave can be a user’s phone number, email address, taxpayer ID number, or a random system-generated number. [2] Chaves remove the need to enter a recipient’s full bank account number, ID number and branch number; they are the mechanism that makes Pix so seamless and easy to use.

How Is Pix Performing So Far?

Pix adoption has been instant and impressive. As of December 30th, more than 133 million chaves and 55+ million users were registered in the system. More than 171 million transactions have been completed since the launch, totalling BRL 149 billion (USD 28.5 billion), demonstrating Brazilians’ eagerness to test the new system. So far, the vast majority of transactions have been P2P payments using chaves. QR code-based merchant payments are a small piece of the pie so far but are being heavily promoted by influential merchants like Uber and by banks and fintechs including Santander, Nubank and PicPay.


How Is Pix Secured?

Under the auspices of the Brazilian Central Bank (BC), Pix follows the same infrastructure and security protocol as the Brazilian national financial system and other electronic transactions (TED/DOCs [3]). The BC has established a security manual for Pix, which defines the minimum requirements participating institutions must follow. Briefly, this manual states:

  1. Institutions are responsible for validating and authenticating the identity of all registered users and chaves
  2. All data sent between Pix participating institutions must be encrypted
  3. All messages sent from paying institutions and the Central Bank must bear the corresponding institution’s digital signature

Despite these security measures, Pix is a brand-new platform, making it attractive to fraudsters. As reported by Ivo Mosca, the leader of BC’s Pix security working group, there is already evidence of fraudsters engaging in phishing schemes to capture user data, set up fraudulent chaves, and trick users into sending funds to fake accounts.

Implications of Pix’s Inherent Vulnerabilities

Mosca and other local fraud experts explain some of Pix’s inherent vulnerabilities and their implications:

1. Varying levels of identity validation and authentication capabilities

There is a weak link, particularly in institutions’ ability to authenticate users’ identities when they register with Pix. Large financial institutions are safe; they have robust platforms to prevent fraud, including risk engines to cross-check clients’ identities, with technologies like facial recognition and advanced analytics. Banco Itaú can even monitor a user’s typing speed and the position in which a user holds their mobile phone to authenticate users.

But this is true only in a minority of cases. Players who are new to the national payment system do not have this expertise, and in many cases institutions are struggling to meet Pix’s minimum security requirements for identity validation and authentication. This opens the door to myriad opportunities for fraudulent activity.

2. Fraudsters taking advantage of under-digitized users

The process established to register a chave is fully digital, and there is still a large portion of the Brazilian population unaccustomed to transacting online. This opens the door to phishing, allowing fraudsters to capture naive consumers’ data via fake websites and emails, and use it to create fraudulent chaves and steal funds.

This is exactly the same phishing risk that exists in the process of opening a digital account offered by neobanks and even traditional banks via their apps. For Marcelo Martins, Associação Brasileira de Fintechs (ABFintechs) executive director, this is endemic to the whole financial system, and is not an exclusive risk of Pix.

3. Manipulation of Chaves

Once a fraudster successfully registers someone’s chave (such as a telephone number or email address) to an illegitimate bank account, the true owner of that information must open a claims process to recover that chave and prove that they are the legitimate owner. The reverse can also happen: a fraudster can open a fake claim in an attempt to recover someone’s legitimate chave, or can wrongly attempt to transfer a chave from one account to another.

4. Misuse of QR Codes

Merchants must take special care when displaying a QR code sign at their register, since fraudsters can steal and replace these with fraudulent QR codes, which send funds to the fraudster’s account. Dynamic QR codes [4] can also be modified by thieves trying to game the system.

What Are the Central Bank and Participating Entities Doing to Respond?

Pix has several mitigation strategies built into the system, which help anticipate and reduce these threats. The BC and participating entities are also responding to the new challenges.

  • As per Pix rules, institutions must have a cross-validation process for chaves. This means that when an individual registers a phone number or email address, a confirmation message is sent to that phone number or email address to verify the information. The same applies to chave transfers and recovery. However, the challenge for cross-validation lies in system-generated random numbers and ID numbers used as chaves, since these cannot be validated via text message. The BC and its partners are working on defining a specific protocol to address this challenge.
  • Pix transactions have reduced transaction limits in non-business hours. This is to help avoid kidnappings and ransoms, which involve large transaction amounts and typically take place at night.
  • Pix transactions take around 10 seconds to be completed, but if any red flag is raised by the paying institution, it is allowed to hold the transaction for up to 60 minutes to validate it. The BC is working to include such hold times for the receiving institution as well.
  • Institutions are working together to guarantee rapid takedown of fake websites to eliminate phishing. The BC is getting involved to provide support in cases where the website’s domain is registered outside Brazil, where local institutions may have little authority.
  • The Pix security working group recently selected Quod, one of the largest providers of data intelligence in Brazil, to build a unified risk database, in which participating institutions will report fraud incidents. This will allow all entities to have full visibility of existing fraud and improve prevention within the system.
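The following is an added illustration, not code from the article, Entersekt or the Central Bank, of how a participating institution might encode the controls listed above: classifying a chave by type, deciding whether it can be confirmed out of band, validating a taxpayer ID (CPF) check digit before accepting it as a chave, and screening a transaction against a night-time limit and the 60-minute red-flag hold. The night window (20:00–06:00), the BRL 1,000 night limit and the chave formats (E.164 phone with +55, UUID-style random key) are assumptions for the example.

```python
import re

# Constructed policy values: the article gives no amounts or hours, so these are assumed.
NIGHT_START, NIGHT_END = 20, 6    # assumed reduced-limit window, 20:00 to 06:00
NIGHT_LIMIT_BRL = 1000.00         # assumed reduced limit during that window
MAX_HOLD_MINUTES = 60             # from the article: paying institution may hold up to 60 min

def cpf_is_valid(cpf: str) -> bool:
    """Verify the two CPF check digits (mod-11 scheme); reject repeated-digit CPFs,
    which pass the arithmetic but are not issued."""
    d = re.sub(r"\D", "", cpf)
    if len(d) != 11 or d == d[0] * 11:
        return False
    for n in (9, 10):  # first check digit uses 9 digits, second uses 10
        total = sum(int(d[i]) * (n + 1 - i) for i in range(n))
        check = 0 if total % 11 < 2 else 11 - total % 11
        if check != int(d[n]):
            return False
    return True

def classify_chave(chave: str) -> str:
    """Map a chave to one of the article's types: phone, email, cpf, random, or invalid."""
    s = chave.strip()
    if re.fullmatch(r"\+55\d{10,11}", s):                    # assumed E.164 format with +55
        return "phone"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", s):
        return "email"
    if re.fullmatch(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", s.lower()):  # assumed UUID form
        return "random"
    if cpf_is_valid(s):
        return "cpf"
    return "invalid"

def confirmable_out_of_band(chave_type: str) -> bool:
    """Phone and email chaves can receive a confirmation message; CPF and random keys cannot,
    which is the cross-validation gap the article describes."""
    return chave_type in ("phone", "email")

def screen_transaction(amount_brl: float, hour: int, red_flag: bool) -> str:
    """Return 'release', 'reject' (over the night limit) or 'hold:<minutes>' (red flag raised)."""
    night = hour >= NIGHT_START or hour < NIGHT_END
    if night and amount_brl > NIGHT_LIMIT_BRL:
        return "reject"
    if red_flag:
        return f"hold:{MAX_HOLD_MINUTES}"
    return "release"
```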

Despite these risks, local experts believe that Pix is as safe as any electronic payment system. As stated by Marcelo Martins: “In my opinion, Pix is more secure than TED, since users have the chance to confirm all the beneficiary’s information before approving the transaction. When doing a TED, the sender inputs the beneficiary’s bank details and completes the transfer directly. This causes frequent mistakes and problems.”

Off to a Good Start, But More Is Needed

To make Pix as secure as possible, participating entities must have their own robust security systems. Institutions new to the world of digital payments should not try to do this alone but rather seek partnerships to develop the needed capabilities: ID validation, user and transaction authentication, and decision engines to detect fraudulent transactions. As mentioned by Mosca, “This is where companies providing security solutions have a large opportunity, since new players need the support of experts to build and improve their systems.”

Participating institutions’ digital security will also improve over time. Martins stated that up until now, institutions have prioritized successful integration with Pix. Now that the system is operational, the focus will be to bolster security and efficiency.

Despite the initial vulnerabilities in Pix, Brazilians have demonstrated their willingness to adopt this new system. For most, the benefits outweigh the risk. Pix has enormous potential to support digital financial inclusion, reduce the use of cash, and eliminate abusive money transfer fees, and as such, we expect volumes to grow throughout 2021.

First and foremost, however, it must be secure and trusted, or all else will be laid to waste. Critical and ongoing investments in security infrastructure are paramount to its success.


NOTES

[1] In this article, the term institutions refers to banks, fintech companies, lending companies, cooperatives, retailers, and other companies that have registered with Pix to offer the platform to their customers. In total, more than 900 institutions have applied to integrate with Pix; 734 have been approved and are operational. They are divided into direct and indirect participants. Direct participants are connected to SPI (the formal name of the Pix system) and have an instant payment account (“PI”) with the Central Bank, and therefore settle and clear Pix transactions directly. Indirect participants do not have a PI account, so they rely on a direct participant to settle Pix transactions, but they are responsible for offering the service and monitoring the transactional accounts of their clients.

[2] Only one chave can be registered per bank account, and each individual is allowed to register up to five chaves, while companies can register up to 20.

[3] Commonly used electronic money transfer instruments. Before Pix, TEDs and DOCs were how Brazilians sent money to each other, and both are expected to rapidly decline thanks to Pix.

[4] Dynamic QR codes have a URL/URI containing codes that identify the receiver, such as account holder name and number. If captured by a fraudster, these details can be altered to divert funds to another account.
