date 2021-10-01
Lorena Amaro

Central Bank informed that data such as passwords and balances were leaked

After the Central Bank (BC) warned on Thursday of a leak of Pix keys at the State Bank of Sergipe (Banese), the institution reported that it had detected improper queries to 395,009 keys used in the payment system.

Banese said, however, that the event “did not affect the confidentiality of passwords, transaction history or other financial information of its customers”.

It is Pix’s first data security incident since the BC created the instant payments system in November 2020.

In a statement released late on Thursday, the government-controlled bank of Sergipe stressed that the leak involved keys registered as telephone numbers, belonging to people who are not customers of the bank, and was carried out through access to two accounts held by Banese customers.

The institution also reported that the data was likely obtained through social engineering scams such as phishing.

The bank also said that it has been working with the BC to investigate and communicate the facts, and that it has adopted containment actions and technical measures, such as revoking access to the two accounts used and implementing security mechanisms to prevent similar cases from recurring.

In a note, the monetary authority confirmed that sensitive data, such as passwords, transaction information and balances, were not affected. Only the Pix keys were leaked, and these do not allow funds to be moved or accounts to be accessed.

The Pix key works as each user's identity in the new payment system and can be a CPF, an email address, a phone number or a random alphanumeric key. The key is used to facilitate transactions.

People whose data was leaked will be notified by the institution through their bank’s application. The BC warned that neither the monetary authority nor other institutions will contact customers through any other means of communication, such as messaging apps, telephone calls, SMS or e-mail.

According to the note, the BC has already taken steps to investigate the case and will apply the sanctions provided for in the Pix regulations.

“Even though it is not required by current legislation, due to the low potential impact on users, the BC decided to communicate the event to society, in view of the commitment to transparency that governs its activities”, concluded the note.

As a precaution, Banese recommended that customers be suspicious of SMS or in-app messages sent from unknown numbers and never click on links sent from those numbers.

In addition, the bank urged customers never to give out personal information, codes received via SMS or bank passwords to strangers, and to beware of fake emails and pages that try to impersonate any financial institution. Finally, it advised using secure passwords that cannot be easily discovered.

More protection

The Central Bank recently ordered the implementation of additional security measures for the use of Pix. In August, it announced that the system will have a limit of R$1,000 at night to avoid scams and fraud. The measure goes into effect on October 4th.

In addition, banks and other financial institutions will have a minimum of 24 hours and a maximum of 48 hours to act on a user's request to raise transaction limits for Pix, bank slips, TED and DOC transfers, and debit cards. The idea is to rule out immediate increases and reduce risky situations. Limit reductions remain immediate.

This week, the BC announced that banks will be able to block users’ funds for up to 72 hours in cases of suspected fraud. Institutions will also start flagging a Pix key when there is a well-founded suspicion of fraud. This information will be shared with other institutions participating in Pix.