Registration of Pix keys is already open, although transactions through the Central Bank's new payment system will only be available from November 16, 2020. Even at this early stage, however, it is necessary to watch out for fraud and data theft that take advantage of the novelty. Learn how to register Pix keys securely.
In the first five business hours after Pix key registration opened on October 5, Kaspersky identified more than 30 fraudulent domains related to the payment system. The concern of Fábio Assolini, a senior security specialist at the company, is that this number will only grow, this being the first step in carrying out a scam.
Because it is a financial system, interest in Pix is high. After all, it is much faster to make a transfer by this method. But for the scam to work, the Pix keys must fall into the wrong hands.
Phishing emails started even before registration opened, using the names of popular banks to send a link for pre-registering Pix keys. In the fraudulent attempt identified by Kaspersky, the website the link led to asked for the user's bank password, mobile phone number and social security number.
How to safely register Pix keys
The safest way to register a Pix key is through the bank or fintech application, on your own initiative and without following any link received via SMS or e-mail. In institutions that are already authorized to register keys, an option for the Central Bank's payment system will be available in the app.
Register the Pix key at Caixa
- When accessing the account, on the home screen, touch “Pix”;
- Select the option in the menu;
- Choose “Register Key” and follow the next instructions on the screen.
Register key on Nubank
Nubank put the button to register the Pix key on the home screen, above all other account options. Just tap “Register your keys” and follow the instructions on the screen.
Register Pix key on PicPay
- Access the settings through the gear icon;
- Choose the option “My Pix”;
- Follow the instructions on the screen to register one or more keys on PicPay.
Generally, when you open a bank or fintech application (like the example in the image below), the option should be clear and highlighted on the home screen, if a pop-up has not already appeared to announce the news and request the registration of the keys.
There is an intense dispute among the banks themselves to hold customers' main keys: e-mail, telephone and CPF. Since the system makes transactions easier with these identifiers, it is advantageous for a bank to hold them (although keys can be ported), but we have already discussed this in Tecnocast 160 – Everyone wants your Pix.
Why are my keys important?
The Pix key is directly linked to the customer's bank account, to receive or make transfers and payments. But keeping it safe goes beyond that: even though some of this data is easily found on the internet, no one should advertise which items are used as keys and at which bank.
Doing so makes key theft easier. Say someone registered their email address as the main way of receiving payments. A scammer can devise a strategy to migrate that key to his own account and thereby receive funds in the victim's name.
Hypothetically, this customer could receive an email in the bank's name requesting data related to the key already registered. That data may, in fact, be the tokens or confirmation information needed to port the key to another account.
Pix + SIM swap
Another example is fraud using the so-called SIM swap, a method that allows an existing number to be transferred to a new SIM card. This technique is used to clone WhatsApp and ask friends or relatives for money. But it can also be used to steal other credentials and, in this case, register a Pix key with someone else's phone number.
Keeping the key and the bank confidential is essential
Financial information is sensitive data. The less public the key, the better, and the easier it is to identify a scam attempt. Telephone, CPF and e-mail are easy to memorize and make transfers easier, but they call for extra care.
The same applies to saying which bank is used for Pix. Receiving a (fake) email from a random bank makes it easy to identify a scam, since the person has no account there. But when the email appears to come from the bank you use, doubt sets in: trust the message or not?
What to do?
Attempts will always occur. Our best defense is information. As Kaspersky warns, it is necessary to be suspicious of any content that arrives by SMS, email or social networks and not to click on links contained in these messages. The recommendations are:
- Check the sender of the email: if the sender's address is the same as that of the bank's website, it is a legitimate contact;
- Check the website address (URL) the link took you to: if it is the same as the bank's, all right. Otherwise, do not proceed and do not enter any information about yourself;
- Phone calls can also be fraudulent, since it is not possible to confirm who the person on the other end of the line is (a scammer may also know your personal details);
- If you’re not sure if the page is real, do not continue.
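The sender and URL checks recommended above can be expressed as an exact domain comparison rather than a glance at whether the bank's name appears somewhere in the address. The following is an added example, not part of the original article or of any bank's or Kaspersky's tooling; the domain "bank.example", the function names and the sample messages are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the customer confirmed from the bank's own app or card.
# "bank.example" is a placeholder, not a real institution.
TRUSTED_DOMAINS = frozenset({"bank.example"})


def _belongs_to_bank(host: str) -> bool:
    """True only for a trusted domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    try:
        # Normalise to ASCII so look-alike Unicode letters cannot equal the real name.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def link_is_banks(url: str) -> bool:
    """Compare the host the browser would actually contact, never a substring."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return False
    # Requiring HTTPS is an extra assumption of this example.
    return parts.scheme == "https" and host is not None and _belongs_to_bank(host)


def sender_is_banks(from_header: str) -> bool:
    """Check the address inside the From header, ignoring the display name.
    A match is necessary, not sufficient: the header itself can be forged."""
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return False
    return _belongs_to_bank(addr.rsplit("@", 1)[1])


if __name__ == "__main__":
    # Constructed samples, not taken from the article.
    for url in ("https://app.bank.example/pix/register",
                "https://bank.example.pix-register.test/",
                "https://bank.example@pix-register.test/"):
        print(f"{link_is_banks(url)!s:5} {url}")
    for sender in ("Bank <alerts@bank.example>",
                   '"alerts@bank.example" <notice@pix-register.test>'):
        print(f"{sender_is_banks(sender)!s:5} {sender}")
```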
In addition to stealing information, fraudulent websites about Pix may invite the user to download malware that infects the device in use and allows remote access by a hacker. This can complicate matters further, since some bank apps do not require the customer to enter a password or biometrics to log in.
It is better to register keys on your own initiative through the bank or fintech application than to follow links or notifications that claim to lead to the registration page. This is the safest way to register. And, as with all internet browsing, maintaining information security is important: take care of your data.