Since the beginning of the year, there have been some curious uses of Pix: there are those who define themselves as “pixsexual” and share their key to receive calls (and money) from followers, and there are those who send transfers of R$ 0.01 with messages to a loved one. The annotations feature also has a dangerous side: it is possible to send HTML code to contacts, which potentially opens the door to scams.
In a statement to Tecnoblog, the Central Bank explains that it has added a requirement that Pix participants accept only secure HTML tags in the text of annotations. The rule has applied since January 15, 2021.
This is stated in the Minimum Requirements for User Experience, which are part of Pix’s regulations. “The ‘Description’ field should be sanitized and only allow secure HTML tags,” says the most recent version of the document.
How Pix annotations work
Tecnoblog tested Pix notes at 10 financial institutions, including Itaú, Bradesco, Santander, Nubank, Caixa, Banco do Brasil, Inter and C6 Bank. In our analysis, we found that the implementation of this feature is quite inconsistent.
It is possible to send HTML code through Pix via Nubank, Bradesco, Banco do Brasil and Caixa. That is, the recipient can receive something like the example below:
If the bank’s app rendered this, the text would become a clickable link that could lead the user to a phishing site built to steal data.
Of the 10 banks we analyzed, none converts HTML into clickable links. However, the potential for abuse remains: there are 734 institutions accredited to Pix, and each one implements this function differently.
BC may punish banks that do not display Pix notes
The best approach would be to do what Itaú does: it strips characters such as <, / and =, which are used to build links, from annotations sent via Pix. That is, the example above would reach the recipient only as:
a href="https://tecnoblog.net/golpe.com"Clique aquia
That is assuming the note reaches the recipient at all. Caixa and Santander simply do not receive messages via Pix, while Inter and C6 neither receive nor send this type of data.
The BC told Tecnoblog that every institution on Pix must deliver the message if it was entered when the transaction was initiated. “Participants who do not comply with this requirement are subject to the penalties provided for in the Pix Regulation,” says the statement.
| Bank / fintech | Sends a message via Pix? | Receives a message via Pix? |
| --- | --- | --- |
| Nubank | yes, sends the complete HTML code | yes, including HTML code (but not clickable) |
| Bradesco | yes, sends the complete HTML code | yes, but it removes characters like <, > and = |
| Banco do Brasil | yes, sends the complete HTML code | yes, but it removes characters like <, > and = |
| Caixa | yes, sends the complete HTML code | no |
| Itaú | yes, but it removes characters like <, > and = | yes, but it removes characters like <, > and = |
| PicPay | yes, but it removes text within <> tags | yes, but it removes characters like <, > and = |
| Santander | yes, but it converts | no |
The Central Bank imposes few technical requirements on Pix notes. As the official documentation explains, the message goes in the “infoAdicional” field, a string of up to 72 characters (depending on the length of the Pix key). Its use is optional, that is, the customer does not need to fill in this field.
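The two approaches the article contrasts, the BC’s requirement to sanitize the description and allow only secure HTML tags, and Itaú’s cruder stripping of markup characters, as an added example of how a receiving institution could implement them. This is not code from any bank or from the BC; the tag allowlist, the truncation to 72 characters and the set of stripped characters are assumptions, and the sample notes are constructed.

```python
import html
from html.parser import HTMLParser

MAX_LEN = 72                              # length limit the article cites for the field (assumed applied here)
SAFE_TAGS = {"b", "i", "em", "strong"}    # assumed allowlist; the BC rule names no specific tags


class _DescriptionSanitizer(HTMLParser):
    """Keeps only allowlisted tags, never their attributes, and escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.open = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in SAFE_TAGS:
            self.out.append(f"<{tag}>")   # attributes such as href or onclick are discarded
            self.open.append(tag)
        else:
            self.dropped.append(tag)      # kept so the receiving side can log or alert on it

    def handle_endtag(self, tag):
        if tag in self.open:              # close out-of-order tags so the output stays balanced
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def finish(self):
        self.close()
        while self.open:                  # close anything the sender left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_description(text):
    """Returns (safe_html, dropped_tags); the raw note is truncated to MAX_LEN first."""
    parser = _DescriptionSanitizer()
    parser.feed(text[:MAX_LEN])
    return parser.finish(), parser.dropped


def strip_markup_chars(text):
    """The cruder approach the article attributes to Itaú: delete the characters that
    form markup (assumed set). It also mangles legitimate text such as URLs."""
    return "".join(c for c in text if c not in "<>/=")


if __name__ == "__main__":
    # constructed sample of the kind of note the article describes
    print(sanitize_description('<a href="https://tecnoblog.net/golpe.com">Clique aqui</a>'))
```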
Spam via Pix?
The message functionality was designed for something much simpler, like “my part of the barbecue” or “a gift for you”. However, real-world use has probably exceeded the scope the BC imagined.
For example, at the beginning of the month, we had a report by Matheus Siqueira on Twitter: “my cousin broke up with his girlfriend because she cheated on him, then he blocked EVERYTHING; to be able to talk to him, she started sending several 1 cent Pix with messages apologizing”.
The BC told Folha that it will not offer an option to block payments to avoid this type of situation: “what the user can do is configure the application of the institution where they keep their account so as not to receive notifications”.
This might open up the possibility of spam via Pix, especially since the BC requires banks to show the description that accompanies each transaction. However, as shown above, some customers still do not receive these messages.
In addition, certain people are after exactly this type of interaction. There are those who reveal their Pix key, such as their taxpayer number (CPF), email or cell phone number, to receive money and even messages from possible romantic interests. They are called “pixsexuals”.
However, the BC told CNN Brasil that “Pix is a means of payment, not a social network”. The agency also asks for caution when sharing Pix keys on the internet, as they may contain sensitive personal data. The recommendation is to use a random key, which is a little less practical but more secure.