Date: 2022-02-05

A security breach at one of the companies that operates Pix, reported by the Central Bank on January 21 of this year, was much bigger than it initially appeared and compromised data from almost 161 thousand customers of about 300 institutions. When the BC disclosed the leak, the number of 300 affected institutions was not mentioned. At the center of the incident is Acesso Soluções de Pagamento, owned by Méliuz — a company specializing in cashback services (money-back rewards).

Criminals broke into the Acesso platform to obtain personal data linked to the Pix keys of individuals with accounts at banks, payment institutions and cooperatives, among others. Through Acesso, the attackers managed to steal customer data from hundreds of institutions. These banks had until Thursday (3) to notify the affected customers.

Acesso can be fined for what the Central Bank classified, at the time, as “one-off failures”. According to the BC, Acesso did not meet Pix’s security requirements, such as the adoption of “mechanisms to prevent read attacks.”

Acesso is part of a listed group

In May 2021, Méliuz announced an agreement to purchase Acesso in a deal worth BRL 324.5 million.

Listed on the Stock Exchange since November 2020 under the ticker CASH3, Méliuz said at the time that the deal would allow it to expand the financial services it offers and develop solutions in digital accounts and payments, among others.

The transaction, however, still depends on approval from the Central Bank, as reported by Méliuz itself in an operational preview released on January 27 this year.

By purchasing Acesso, Méliuz also takes over one of the company’s arms, Bankly, a “banking as a service” platform. In general terms, Bankly makes available to its customers (other institutions, for example) APIs that allow them to offer banking services, including transfers by Pix. In practice, a Bankly customer can become an indirect participant in Pix.

Despite the investments, Méliuz’s share price has been falling sharply on the Stock Exchange in recent months. At the end of last year, there was a wave of share sales by the controlling shareholders themselves.

After peaking at R$12.33 on July 26, 2021, the company’s common share closed at R$2.82 last Thursday (3).

300 institutions compromised through Acesso

According to the BC, 160,603 keys belonging to 159,603 individuals were exposed in the leak. A person can have more than one key.

To UOL, the BC confirmed that the security flaw affected not only Acesso customers but also individuals with keys at other institutions that offer Pix. The incident involved approximately 40% of the institutions participating in the system, which amounts to about 300 companies.

In practice, a person with an account at one of the five largest Brazilian banks — Bradesco, Itaú, Santander, Banco do Brasil and Caixa — may have had their data leaked, even if they have never had a relationship with Acesso.

All institutions with affected customers had until last Thursday, February 3, to notify them of the leak through the app or internet banking. The deadline was established by the BC.

BC cited ‘one-off failures’ at Acesso

On January 21, the Central Bank reported, in a note, the Pix security incident linked to Acesso, “due to one-off failures in the systems of this payment institution”.

At the time, the BC stated that the leak involved registration data associated with the keys: user name, CPF, relationship institution, branch number and account number.

The BC’s communication did not make clear that the incident affected clients of other institutions, and not only those of Acesso. At that time, the BC had also not disclosed the number of institutions affected.

Questioned by UOL this week, the agency reported that 40% of the institutions participating in Pix were affected, out of a current total of 767 institutions.

In January, the BC also pointed out that current legislation did not require the event to be communicated to the public, “because of the low potential for users”. But, “governed by the principle of transparency”, the body decided to communicate what had happened.

Neither the BC nor Acesso gave details on how the leak took place. At that time, the company only reported that it had identified “improper queries to data related to Pix keys from the Acesso Soluções de Pagamento platform in the Directory of Transactional Account Identifiers (Dict)”. The queries took place from December 3 to 5.

Operated under the responsibility of the BC, Dict is a kind of “heart of Pix”: it stores the registration data of customers who use the payment system.

Simulation of operations

UOL questioned Acesso, through its press office, about the flaw or vulnerability that allowed the data to be leaked. The company did not comment on this specific point.

Among digital security professionals, the perception is that Acesso had a vulnerability in its platform that allowed the registration data of thousands of people to be obtained through simulated Pix transactions.

A security professional consulted by UOL explained that, given the characteristics of the case, bots and simulated transactions were used in sequence. Fraud attempts like this have become commonplace.

The trick consists of entering an application, such as Acesso’s, and, with the help of bots, simulating sequential Pix transfer operations without ever actually completing any of them. This is possible if the criminal has a database with thousands of mobile numbers, for example.

In the application, when entering a mobile number (Pix key) as if to make a transfer, the criminal could receive information such as the full name of the holder of that key and the name of the holder’s bank, in addition to other registration data.

If this operation is repeated tens of thousands of times with the help of bots, without the institution’s system blocking the simulations, it is possible to build a database of registration data.
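The pattern described above (bursts of key lookups that never turn into a completed transfer, often over consecutive phone numbers) is something an institution can detect on its own side. The following is an added illustrative example, not code from the article or from any company named in it: a Python check that flags clients whose Pix-key lookup behaviour looks like enumeration. The event format, thresholds and sample log are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LookupEvent:
    """One key lookup made before a transfer (constructed format, assumed)."""
    client_id: str
    ts: int          # seconds since some epoch
    key: str         # Pix key queried; phone numbers in the sample
    completed: bool  # True only if the transfer was actually confirmed


def find_enumeration(events, window=60, max_lookups=20, max_consecutive=5):
    """Return {client_id: [reasons]} for clients whose lookups look automated:
    more than max_lookups lookups inside `window` seconds with no completed
    transfer, or at least max_consecutive keys queried in numeric order."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e.client_id].append(e)
    flagged = {}
    for cid, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []
        start = 0
        for end in range(len(evs)):  # sliding time window over the lookups
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) > max_lookups and not any(e.completed for e in chunk):
                reasons.append("burst_without_completion")
                break
        digits = [int(e.key) for e in evs if e.key.isdigit()]
        run = 1
        for a, b in zip(digits, digits[1:]):  # consecutive numbers = scripted
            run = run + 1 if b == a + 1 else 1
            if run >= max_consecutive:
                reasons.append("sequential_keys")
                break
        if reasons:
            flagged[cid] = reasons
    return flagged


def sample_events():
    """Constructed sample: one normal user and one bot-like client."""
    evs = [LookupEvent("user-a", 0, "5511987650001", False),
           LookupEvent("user-a", 30, "5511912340099", True)]
    for i in range(25):  # 25 lookups in 50 s over consecutive numbers, none done
        evs.append(LookupEvent("bot-b", i * 2, str(5511999990000 + i), False))
    return evs
```

Thresholds are a starting point; a real deployment would tune them per channel and combine the signal with rate limiting on the lookup API itself.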

What is the registration information used for?

When the incident came to light in January, both the BC and Acesso stated that sensitive customer data, such as passwords, amounts of financial transactions or account balances, had not been exposed.

“The information obtained is of a cadastral nature only. These data do not allow the movement of resources, access to accounts or any other financial information”, said Acesso in a note.

The problem is that customer registration information is still useful for scammers.

Many of the financial crimes committed today rely on so-called “social engineering”, in which criminals trick the customers of financial institutions into revealing passwords and other data.

Thus, with a full name, telephone number, institution name and other registration data, a criminal can contact a bank customer and try to convince them to hand over their passwords, for example.

To curb this type of action, the BC reported in January that individuals whose data was leaked in the Acesso incident would be notified only through their relationship institution’s application or internet banking.

“Neither the BC nor the participating institutions will use any other means of communication with affected users, such as messaging apps, phone calls, SMS or email”, the BC noted at the time.

Acesso can be fined

The BC said that the case was investigated and that Acesso could be punished. “As a participant in Pix, the institution is subject to fines for failing to comply with the provisions of the Pix regulation,” the agency said in a statement. The BC did not inform the amount of the fine.

In addition, the BC asked Acesso to “adopt the measures to comply with the rules provided for in the scope of Pix, to which the institution was not fully adhering.”

Among those rules, according to the BC, were “some requirements foreseen in relation to mechanisms to prevent read attacks.” The agency also cited “requirements for secure implementation of APIs.”

APIs (Application Programming Interfaces) are sets of instructions and conventions that software exposes so that different platforms can connect and interact. They are a kind of bridge between applications.

What companies say

When contacting Acesso, UOL questioned the company about the flaw or vulnerability that allowed the data leak. It also asked whether the leak occurred through Acesso’s own application or through a client connected to Bankly.

The reporter also gave the company the opportunity to comment on the fact that the leak exposed customer data from other institutions, not just Acesso.

Acesso did not comment on these specific points. Méliuz, also contacted, did not comment.

Other cases

Since the beginning of Pix, in November 2020, the Central Bank has already recorded three incidents involving registration data. In August of last year, data on Pix keys was leaked from Banese (Banco do Estado de Sergipe). The incident with Acesso occurred in December.

On Thursday (3), the BC reported a new case that took place in January this year: the leakage of registration information on 2,112 Pix keys from Logbank.

Despite these occurrences, the BC maintains that there is no vulnerability in its own system, only security flaws at the institutions.