This is Pix's first week of operation. The debut was marked by some difficulties, but nothing worries users more than security: is the system prepared to mitigate fraud or theft, for example? Speaking to Tecnoblog, the Central Bank assured that it is and listed some of the protection mechanisms.
Pix: transfer limit
One of these mechanisms is the limit on transfer amounts. It is not set by the Central Bank, however: each institution participating in Pix establishes the maximum transaction amount available to its customers.
Limits can be defined according to several criteria, such as customer profile, time of day and service channel (app or ATM, for example). The institution can set limits per transaction and for the total of operations carried out in a day or a month.
In addition, the limit may vary for the same customer depending on the circumstances. The rules for this depend on:
- the day (business day or not);
- the time (6:00 to 20:00 or 20:00 to 6:00);
- the service channel (desktop or mobile);
- the form of initiation (Pix key or QR Code);
- and ownership (transfer to yourself or to someone else).
Also according to the Central Bank, the financial institution must give the customer the option of requesting a change to the limit, and must accept requests to lower it. If the request is for an increase, the institution may accept it or not, according to its own criteria.
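As an added illustration (not code from the article or from the Central Bank), the following toy evaluator shows how a limit policy built on the criteria above could be enforced: a per-transaction ceiling that depends on the time window, channel and ownership, plus a daily aggregate that depends on whether it is a business day. All limit values, customer names and timestamps are constructed for the example.

```python
# Added example: toy Pix-style limit evaluator. Limit values are constructed.
from collections import defaultdict
from datetime import datetime

NIGHT_START, NIGHT_END = 20, 6        # 20:00 to 06:00 window named in the article


def is_night(ts: datetime) -> bool:
    """True when ts falls in the night window; note the window crosses midnight."""
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def is_business_day(ts: datetime) -> bool:
    """Mon-Fri counts as a business day; holidays are ignored in this toy."""
    return ts.weekday() < 5


# Constructed per-transaction ceilings in BRL, keyed by (night?, channel).
PER_TX_LIMIT = {
    (False, "mobile"): 5000.0,
    (True, "mobile"): 1000.0,         # tighter at night, like the ATM rule
    (False, "desktop"): 10000.0,
    (True, "desktop"): 2000.0,
}
OWN_ACCOUNT_MULTIPLIER = 5.0          # transfers to yourself get a higher ceiling
DAILY_LIMIT = {True: 20000.0, False: 8000.0}   # business day vs. weekend


class LimitEngine:
    def __init__(self):
        # (customer, date) -> total approved so far on that day
        self._spent = defaultdict(float)

    def check(self, customer, amount, ts, channel, own_account=False):
        ceiling = PER_TX_LIMIT[(is_night(ts), channel)]
        if own_account:
            ceiling *= OWN_ACCOUNT_MULTIPLIER
        if amount > ceiling:
            return "blocked: per-transaction limit"
        day_key = (customer, ts.date())
        if self._spent[day_key] + amount > DAILY_LIMIT[is_business_day(ts)]:
            return "blocked: daily limit"
        self._spent[day_key] += amount    # only approved amounts count
        return "approved"
```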
It must also be taken into account that the rules for setting limits may change based on market observation. A parallel can be drawn with ATM withdrawal limits: each bank works with a daily withdrawal limit at ATMs.
It is common for the limit to be even more restricted between 22:00 and 6:00, usually around R$ 300. Restrictions on ATM withdrawals at night were adopted in the late 1990s as a reaction to the cases of theft and kidnapping that were on the rise at the time.
The transfer limit matters because a mechanism of this type can prevent users from suffering a large loss if they are being coerced into making transactions via Pix, as in an express kidnapping, for example.
In this regard, the Central Bank also explains that the system has "anti-fraud engines" operated by the institutions. These mechanisms analyze a series of parameters to identify atypical transactions.
If a transfer raises suspicion, the transaction is sent for analysis. Under these circumstances the operation is not completed within the usual 10 seconds; instead, it can take up to 30 minutes or, at night, up to 60 minutes.
The user is notified when this happens. The retained transaction is then subjected to a thorough check to determine whether a fraudulent transaction is underway. To some extent this resembles the approach taken with credit cards: although fraud in that modality is frequent, most of it is blocked by protection mechanisms.
In case of suspected fraud or consummated fraud, a marker is triggered immediately within the Directory of Transactional Account Identifiers (DICT), the database that records each user’s keys. Thus, the other institutions may block operations related to the accounts involved.
Still regarding the risk of kidnappings and other crimes, the Central Bank reinforces that transactions via Pix are fully traceable because they correspond to account-to-account operations. Cash withdrawals, on the other hand, are not tracked (the bank does not register the recipient of the money), which facilitates criminal action.
Reimbursement in the event of fraud
A transaction via Pix cannot be undone. Therefore, a question that has arisen in recent days is: is there a refund in case of fraud? On its website, the Central Bank explains only that “it will be up to the payment service provider to analyze the case of fraud and the eventual reimbursement”.
This is indeed a delicate issue. Credit card fraud, for example, tends to be reversed only when it is clear that the loss did not result from a failure in the user's own procedures.
That is why the so-called "motoboy scam" (in which the victim receives a fake call on behalf of the bank instructing them to cut up their card and hand it over to a motorcycle courier), for example, usually ends up in court. In these circumstances the institution may refuse to reimburse because the person was the victim of social engineering rather than of a systemic vulnerability.
The Brazilian Federation of Banks (Febraban) was contacted by Tecnoblog to comment on Pix's security, but had not responded by the time this text was published.
Still, in a workshop held at the end of October, the organization indicated that the biggest security concern is not within the Pix system itself, but in actions that involve precisely social engineering, such as phishing messages received by e-mail or WhatsApp.