Since the beginning of the year, a number of uses of Pix have drawn attention: there are people who present themselves as “sex people” and share their keys to receive calls (and money) from followers; and there are people who send R$ 0.01 just to text their loved one. The annotation feature also has a dangerous side: it can deliver HTML code to contacts, potentially opening room for scams.
In a statement to Tecnoblog, the Central Bank explained that it has included an obligation for Pix participants to accept only secure HTML tags in the text of annotations. The rule takes effect on January 15, 2021.
This is set out in the Minimum User Experience Requirements defined for Pix. “The ‘Description’ field must be clean and allow only secure HTML tags,” says the latest version of the document.
How Pix annotations work
Tecnoblog tested Pix notes at 10 financial institutions, including Itaú, Bradesco, Santander, Nubank, Caixa, Banco do Brasil, Inter and C6 Bank. In our analysis, we found that the implementation of this feature is quite inconsistent.
HTML code can be sent via Pix through Nubank, Bradesco, Banco do Brasil and Caixa. That is, the recipient can get something like the example below:
<a href="https://tecnoblog.net/404942/bc-muda-regra-do-pix-mas-mantem-mensagens-com-codigo-html/golpe.com">Clique aqui</a>
If a bank’s application shows this, the text becomes a clickable link that could lead the user to a phishing site to steal data.
Of the 10 banks we analyzed, none converted HTML into clickable links. Still, the possibility of abuse remains: there are 734 institutions accredited for Pix, and each implements this feature differently.
BC can punish banks for not displaying Pix notes
Itaú's approach is better: it strips characters such as <, / and =, which are used to build links, from annotations sent via Pix. This means the example above reaches the recipient only as:
a href="https://tecnoblog.net/404942/bc-muda-regra-do-pix-mas-mantem-mensagens-com-codigo-html/golpe.com"Clique aquia
That assumes the note reaches the recipient at all. Caixa and Santander simply do not receive text messages via Pix, while Inter and C6 neither send nor receive this type of data.
BC told Tecnoblog that all institutions offering Pix must deliver the message if it was entered when the transfer was initiated. “Participants who fail to comply with this requirement are subject to the penalties set forth in the Pix Regulations,” the statement said.
| Bank / fintech | Sends messages via Pix? | Receives messages via Pix? |
|---|---|---|
| Nubank | Yes, sends the full HTML code | Yes, includes HTML (but it cannot be clicked) |
| Bradesco | Yes, sends the full HTML code | Yes, but deletes characters such as <, > and = |
| Banco do Brasil | Yes, sends the full HTML code | Yes, but deletes characters such as <, > and = |
| Caixa | Yes, sends the full HTML code | No |
| Itaú | Yes, but deletes characters such as <, > and = | Yes, but deletes characters such as <, > and = |
| PicPay | Yes, but removes the text inside the <> tag | Yes, but deletes characters such as <, > and = |
| Santander | Yes, but converts it | No |
| Inter | No | No |
| C6 Bank | No | No |
| Neon | No | No |
The Central Bank sets a few technical requirements for Pix messages. According to official documents, the message is carried in the string field “infoAdditional”, which can be up to 72 characters long (depending on the size of the Pix key). Its use is optional, i.e. the customer does not need to fill in this field.
Spam via Pix?
The message function is designed for something much simpler, such as “my barbecue” or “a gift for you”. Real-world usage, however, is probably beyond what BC imagined.
For example, at the beginning of the month there was a report from Matheus Siqueira on Twitter: “My cousin broke up with his girlfriend because she cheated on him, then he blocked EVERYTHING; in order to talk to him, she started sending a few Pix with an apology text.”
BC explained to Folha that it will not offer an option to block payments to avoid this kind of situation: “what the user can do is configure the application of the institution where they hold an account so as not to receive the message,” it told the newspaper.
This opens up the possibility of spam via Pix, especially because BC requires banks to display the description associated with each transaction. However, as shown above, some customers still do not receive these messages.
Some people, on the other hand, are pursuing exactly this kind of interaction. They reveal their Pix keys – such as their social security number, email, or cell phone number – in order to receive money and even text messages from possible romantic interests. They are called “fairies”.
BC, however, told CNN Brasil that “Pix is a means of payment, not a social network”. The agency also urges caution when sharing Pix keys over the internet, as they may contain sensitive personal data. It recommends using a random key, which is a little less practical but more secure.