
How Pix's defense failed and what the lesson is for the Central Bank

The losses are still being calculated and one person has already been arrested, but exactly what happened, and how, is still being investigated by the Civil Police of São Paulo and the Federal Police (PF). Three days after the largest hacker attack in the history of Brazil, in which valid access credentials were used to invade the systems of C&M — a technology company that mediates access for small banks and fintechs to the Central Bank's systems, including Pix — the national financial system as a whole is still recovering from the shock and trying to understand the size of the scam.

The embezzlement could reach more than R$1 billion — BMP alone, a digital bank that is one of the six C&M clients affected, reported the theft of R$541 million to the São Paulo police. According to initial reports, customers' money was not affected: the funds were taken from the financial institutions' reserve accounts at the Central Bank.

In any case, according to experts interviewed by Gazeta do Povo, there are practical and relatively simple measures that financial institutions, their service providers and the Central Bank can and should adopt from now on to prevent this type of attack from happening again and creating a systemic risk for the national financial market. Most of these measures already exist and are applied by large banks and companies, but they are not mandatory — hence the Central Bank's responsibility to tighten its regulations, in addition to creating more internal barriers of its own.

“Apparently, they used valid logins and passwords from an intermediary company to obtain valid logins and passwords from financial institutions that were clients of this company, and then used this information to access and move the reserve accounts of these companies at the Central Bank,” says Micaella Ribeiro, an identity and access specialist at IAM Brasil, a company specializing in access controls in general. She emphasizes that the case is being handled with great confidentiality, so there is no detailed information about what happened.

The digital ecosystem that protects Pix needs to have reinforced standards to avoid systemic risk for the national financial market.

According to the expert, the Central Bank's systems are secure. “Most hacker attacks use valid access to invade a system; it is very difficult to simply break security and invade without valid credentials,” she says.

“There are Central Bank resolutions that require companies to take a series of security measures to participate in this system. Large banks go beyond this and implement more than what is required, but it may be necessary to specify some things better to avoid more problems in the future.”

Single credential and access password could not have so much power, says expert

After the attack, those working in the sector understand that it may be time to tighten the rules that are already in place. “The Central Bank’s manual for connecting to its systems is quite comprehensive and provides a very complete overview of security measures, but some very important things are listed there as recommendations rather than mandatory,” says Luiz Henrique Barbosa, executive director of Swarmy Tecnologia, a company specializing in security and digital fraud prevention with a focus on the financial market.

“The fintech ecosystem, where the problem occurred, has less rigid regulations than the big banks, which connect directly to the Central Bank system. This is desirable, as it is what makes all the innovation and competition we have seen in the sector possible, but it may need specific adjustments,” Barbosa observes.

The first would be for the Central Bank to establish stricter rules, adjusted to the reality of each financial institution, requiring several layers of access and authorization both inside the financial institution and inside the companies that act as the link between the banks and the Central Bank. That way, transfers from sensitive accounts, such as the reserve account, remain protected even if a login and password are leaked.

“I also wonder how a single credential and password for accessing the intermediary company's systems could have so much power, to the point of ultimately being able to move so much customer money. Where were the access barriers and alarms?” asks Barbosa.

In this “onion” scheme, each access and each financial movement in the bank’s internal accounts is subject to approval by someone one level above, with real-time notifications to the cell phones of those involved where applicable. It is also possible to set limits on the funds that each management level can move without the consent of higher managers, to require more than one access credential simultaneously, or even to authorize transactions only through specific physical devices, thereby limiting the damage in the event of an attack.

Brazilian "Paper Money Heist" in the digital world

Secondly, both the intermediaries providing access to the Central Bank's systems and the financial institutions that own the money must and can establish real-time monitoring alerts on financial transactions, which notify the responsible sectors and professionals if something unusual is happening with the accounts at the time of the transactions, including automatic blocking until the transaction is validated at the appropriate levels.

Finally, in addition to demanding more rigor on all these fronts by issuing specific rules, the Central Bank itself can block withdrawals from reserve accounts at night, for example (as happened in the attack in question), or block transactions that do not match the amounts, pre-authorized accounts and time windows previously registered with the Central Bank by financial institutions and their service providers.
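The three layers described above (tiered approvals with per-level limits and multiple credentials, real-time holds on anomalous transactions, and Central Bank-side checks against pre-registered accounts and time windows) can be expressed as a single authorization policy. The following is an added illustration written for this article, not code from C&M, the Central Bank or any of the institutions named; the policy values, account identifiers and transfers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class ReservePolicy:
    level_limits: dict          # approval level -> max amount that level may release alone
    min_approvers: int          # distinct credentials required on every reserve transfer
    window: tuple               # (start, end) registered operating hours, local time
    allowed_destinations: frozenset  # destination accounts pre-registered with the Central Bank

@dataclass(frozen=True)
class Transfer:
    amount: int                 # in centavos, to avoid float rounding
    destination: str
    requested_at: datetime
    approvals: tuple            # ((credential_id, level), ...) for each approver

def evaluate(policy: ReservePolicy, t: Transfer):
    """Return ('release', []) or ('hold', [reasons]); 'hold' blocks until validated by a higher level."""
    reasons = []
    if t.destination not in policy.allowed_destinations:
        reasons.append("destination not pre-registered with the Central Bank")
    start, end = policy.window
    if not (start <= t.requested_at.time() < end):
        reasons.append("requested outside the registered operating window")
    distinct = {cred for cred, _ in t.approvals}
    if len(distinct) < policy.min_approvers:
        reasons.append(f"{len(distinct)} distinct approver(s), policy requires {policy.min_approvers}")
    # The lowest approval level whose ceiling covers the amount must have signed off.
    required = next((lvl for lvl in sorted(policy.level_limits) if t.amount <= policy.level_limits[lvl]), None)
    if required is None:
        reasons.append("amount exceeds the ceiling of every approval level")
    elif max((lvl for _, lvl in t.approvals), default=0) < required:
        reasons.append(f"amount requires approval at level {required} or above")
    return ("hold" if reasons else "release"), reasons

# Constructed policy for a hypothetical institution (illustrative values only).
POLICY = ReservePolicy(
    level_limits={1: 10_000_000, 2: 100_000_000, 3: 1_000_000_000},  # R$100k, R$1M, R$10M
    min_approvers=2,
    window=(time(8, 0), time(18, 0)),
    allowed_destinations=frozenset({"ACC-SETTLEMENT-01", "ACC-LIQUIDITY-02"}),
)

def night_single_credential():
    # Constructed transfer matching the pattern in the article: large, at night, backed by one credential.
    return Transfer(500_000_000, "ACC-UNKNOWN-99", datetime(2024, 1, 15, 2, 15), (("ops-user-1", 1),))

def business_hours_dual_approval():
    # Constructed transfer that satisfies every layer of the policy.
    return Transfer(50_000_000, "ACC-SETTLEMENT-01", datetime(2024, 1, 15, 10, 30), (("ops-user-1", 1), ("treasury-lead", 2)))
```

Each failed check is reported separately, so the alert sent to the responsible team states which layer was violated rather than a bare rejection.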

“In short, there is room for improvement on all fronts,” says Micaella Ribeiro. “This case shows that cybercrime is here to stay and no longer just attacks unsuspecting individuals in small-scale online scams. This case seems to be the Brazilian ‘Money Heist’, but in the virtual world, and it leaves a huge warning and lesson,” says Luiz Henrique Barbosa.
