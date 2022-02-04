The Central Bank (BC) reported this Thursday (3) that there was a new leak of data related to Pix, an instant payments system. The failure involves the financial institution Logbank Soluções em Pagamentos S/A. According to the statement, the leaked information is linked to 2,112 Pix keys and was of a “cadastral nature”. In this case, the leaked information contains the user’s name, CPF, relationship institution and account number.

“Despite the low amount of data involved, the BC always adopts the principle of transparency in this type of occurrence. As in previous cases, no sensitive data was exposed, the ANPD [Autoridade Nacional de Proteção de Dados] has been notified and the affected people will be notified”, says the BC, in a note.

This is the third Pix-related data leak in recent months: the first, announced in September 2021, involved Banco de Sergipe and more than 414,000 leaked Pix keys; and more recently, in early January, the institution Acesso Soluções de Pagamento also had data linked to 160 thousand leaked keys.

| Incident period | Institution involved in the incident | Nature of potentially exposed data |
| --- | --- | --- |
| January 24 and 25, 2022 | Logbank Soluções em Pagamentos S/A (Logbank) | Registration data linked to 2,112 Pix keys: user name, CPF, relationship institution and account number. |
| December 3 to 5, 2021 (reported in January) | Acesso Soluções de Pagamento SA (Acesso) | Registration data linked to 160,147 Pix keys: user name, CPF, relationship institution, branch and account number. |
| August 24, 2021 (reported in September) | Bank of the State of Sergipe SA (Banese) | Registration data linked to 414,526 Pix keys: user name, CPF, relationship institution, branch and account number. |

Information linked to Pix keys for security purposes.

Impacts for users

The sequence of leaks tarnishes the credibility of Pix, which has been joined by 117.7 million users who have registered 382 million keys. The system has already exceeded 1.46 billion in transactions made since it went into operation in November 2020.

“Leaks are becoming more and more common and worrying, but generally, as happened in this case, the fault is directly with the financial institution. There is no problem with BC or Pix systems. Due to an error in the institution, in its app or website, the leak occurred,” says Marcelo Martins, founder of Pay Ventures, who is part of the Pix working group at the BC.

“The company notifies clients and the BC informs all institutions participating in Pix. If any of their customers are involved, they will also be notified by them. That is, the incident happened at company A, but company B, if there is a customer involved, also needs to inform him”, he adds.

Compared to the two recent cases, this leak is of minor magnitude, but users still need to stay alert.

It is worth remembering that Pix keys work as a user identifier within the system, and a key only allows the user to receive funds.

“This means that even in possession of this information, it is not possible to access the balance or account entries or make payments or transfers”, says the BC.

The main concern is so-called social engineering. “The leak can be used to apply scams, such as, for example, the scammer trying to persuade the victim that he is a bank employee to try to obtain the user’s password credentials”, adds the BC.

Recently, Pix served as a tool for criminals to steal R$ 6 million from the small town of Crixás, in the north of Goiás. The criminals exploited the victims’ ignorance and trust to carry out financial scams through a system that transfers money immediately.

“It’s a security hole that exposes user data, and there’s no immediate risk. However, with data like this in hand, criminals can try to apply social engineering scams, they can send an email to the victim asking to change the account password, for example, because the leak happened. And the person falls. This is the risk: it opens the way for several attempts at other scams”, evaluates Rogerio Melfi, representative of ABFintechs.

How to protect yourself?

pay extra attention to the institution’s official communications;

do not click on any suspicious link that is not directly linked to the bank’s channels;

ignore any suspicious phone calls or emails and look for the bank’s official channels.

The BC explains that customers affected by the leak will be notified by the financial institution “exclusively through the application”.

And it warns: “neither the BC nor the participating institutions will use any other means of communication to affected users, such as messaging apps, phone calls, SMS or e-mail”, the agency said in a note.

All institutions that operate and offer Pix to customers are supervised by the Central Bank and must follow specific rules. To avoid problems, the tip is: register random keys that have as little personal information as possible.

Other side

InfoMoney contacted the Central Bank to find out how inspections are being carried out on systems involving Pix. In a note, the BC stated that it has “mechanisms to prevent read attacks, based on limiting unsettled or invalid queries, and limiting requests to the DICT system (which is the platform that stores Pix key information).”

In addition, it explained that it monitors Pix key queries and carries out a series of actions to verify participants’ adherence to the Pix Regulation.

Logbank, which was also contacted, confirmed the incident on its digital platforms on January 24 and 25, 2022.

“The incident was instantly detected and controlled by security tools and teams. No sensitive data was leaked and there was no undue financial movement or financial loss to customers related to this incident, the scope of which remained extremely limited,” the company said in a statement.

The company argues that client resources are under maximum surveillance and security, and that it maintains a routine of communication with the BC and competent authorities, in order to strengthen protection mechanisms.