Brazil — PIX and Shovels to dig out fraud
What US faster payments industry can learn from PIX about the upcoming fraud vectors
The developing countries (India, Korea, etc.) leapfrogged the developed ones in the mobile revolution because they weren’t shackled by the legacy wired cable infra.
Now developing countries are leapfrogging ahead of the US when it comes to Fintech.
Brazil’s Central Bank must be the most innovative central bank in the world.
Over the last 18 months, we’ve seen the fastest rollout of a faster payment method in history — PIX.
- In 18 months, PIX adoption reached 124 million users. India’s UPI reached the same number of users in 4 years.
- In March 2022, over 1.6 Billion transactions were carried out on PIX.
I had a crash course in PIX this week. Here’s what I learned:
- No one carries cash in Brazil.
- Checks haven’t been used in Brazil since 2010 (people used a system similar to wires, called TED, to pay their bills).
- With PIX, even the drink seller at the beach can be paid a couple of Reals.
- Faster payments means faster (and more innovative) fraud
- Just like Zelle scams in the US, PIX scams are proliferating in Brazil.
Any new payments tech comes with more fraud. These are the ones I learned about in Brazil:
1. Social media
- Fraudster uses your social media pic to create a new WhatsApp profile
- Fraudster then contacts your parents over WhatsApp saying, “Hey, this is your son/daughter. I lost my phone and this is my new number.”
- Fraudster then requests your parents to pay a service provider, e.g. a dog walker, saying, “Hey Dad, this is my dog walker’s PIX key. I need to pay them but I don’t have access to my bank, so can you do this for me?”
Potential Solution: I’ve heard that Banco Central do Brasil (Brazilian Central Bank) is working together with the Big 5 banks and largest neobanks to create a repository of fraudulent counterparties.
At Sardine, we recently unveiled a new product called Risk Insights, with a similar use case — allowing banks to query Sardine to find what we know about a counterparty’s risk before releasing funds to them via Zelle or other faster payment methods.
Summary: Creates fake profile → contacts parents → asks for money → gets money
2. Kidnapping — The most life-threatening
- As soon as PIX launched, people started being kidnapped
- Kidnappers would demand access to your bank account and force you to unlock your phone/bank accounts via FaceID/TouchID
- Once the phone and bank are unlocked, they create multiple counterparties and quickly disperse Reals via PIX
- Solution: To stop this type of fraud, the Central Bank immediately created the concept of limits in PIX. By default, your limits go down to 1,000 Reals after 6 pm. To change your limits at the bank, even after you have verified yourself, you still have to wait 1 day. You can of course personalize your limits at your bank yourself.
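As an added illustration (not from the post and not any bank's code), here is a small Python policy that encodes the two rules just described: a reduced limit after 6 pm and a one-day delay before a customer-requested raise takes effect. The 6 am end of the night window, the cumulative-per-window reading of the limit, and every amount other than the 1,000 Reals are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Taken from the post: limits drop to R$1,000 after 6 pm and a raise waits
# one day. The 6 am end of the night window is an assumption.
NIGHT_START_HOUR = 18
NIGHT_END_HOUR = 6
DEFAULT_NIGHT_LIMIT = 1_000.00
LIMIT_RAISE_DELAY = timedelta(days=1)


def ts(s: str) -> datetime:
    """Parse a local timestamp such as '2022-05-10T19:00'."""
    return datetime.fromisoformat(s)


def is_night(at: datetime) -> bool:
    return at.hour >= NIGHT_START_HOUR or at.hour < NIGHT_END_HOUR


@dataclass
class LimitProfile:
    day_limit: float
    night_limit: float = DEFAULT_NIGHT_LIMIT
    # Raises still in their cooling-off period: (effective_at, day, night)
    pending: list = field(default_factory=list)


def request_limit_change(p: LimitProfile, day: float, night: float, at: datetime) -> datetime:
    """Lowering applies at once; raising only after LIMIT_RAISE_DELAY.
    Returns the moment the requested limits take effect."""
    if day <= p.day_limit and night <= p.night_limit:
        p.day_limit, p.night_limit = day, night
        return at
    effective = at + LIMIT_RAISE_DELAY
    p.pending.append((effective, day, night))
    return effective


def effective_limit(p: LimitProfile, at: datetime) -> float:
    """Promote any raise whose delay has elapsed, then pick day or night limit."""
    for effective, day, night in sorted(p.pending):
        if effective <= at:
            p.day_limit, p.night_limit = day, night
    p.pending = [r for r in p.pending if r[0] > at]
    return p.night_limit if is_night(at) else p.day_limit


def authorize_pix(p: LimitProfile, amount: float, sent_in_window: float, at: datetime):
    """Decide one outgoing PIX; sent_in_window is what the account already
    sent in the current day/night window (cumulative reading assumed)."""
    limit = effective_limit(p, at)
    if sent_in_window + amount > limit:
        window = "night" if is_night(at) else "day"
        return False, f"R${amount:,.2f} would exceed the {window} limit of R${limit:,.2f}"
    return True, "ok"
```

A raise requested at 7 pm becomes effective at 7 pm the next day, which is exactly why the open problem below (a kidnapper who waits more than a day) is not closed by this rule alone.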
In the near future, as Faster Payments methods (Zelle, RTP, FedNow) take off in the US, it’s entirely possible we will also be dealing with some violent crime. We all carry our banks in our pockets now. In the US as well, the governing body will need to create withdrawal limits.
Open problems: If a kidnapper keeps you for >1 day, and forces you to change your limits, then all bets are off.
Summary: Kidnap → face ID → money transfer via PIX
3. Phone theft — The most common form of fraud
- You might be hailing an Uber or Taxi, and someone swipes your phone
- Most of the time the phone is already unlocked
- Now the thief is in your phone, and let’s assume your bank account is password protected
- However, your email client on the phone is always logged in, and so are your text messages
- Most bank accounts are protected by multiple factors; however, account recovery typically has weak authentication
- So fraudsters can reset your bank password since they have access to your SMS and email
- Now that they are in your bank account, they create multiple counterparties and send funds immediately via PIX
Not-so-good solutions:
- Delete all fintech, bank and crypto apps from your phone. Delete even your password manager when traveling to Brazil
- Don’t walk with your phone out, which is a pain when you are a tourist and need maps to get around
- Consumers: Put a password or PIN code on your email if you have that option.
- Banks and FinTechs: Don’t let someone change their bank password via emails or texts alone. Use multiple factors, e.g. behavior-related ones that we provide at Sardine — ask the consumer for their selfie, look at geolocation (a brand new geolocation not associated with the consumer) and differences in behavior (typing behavior, swipe patterns).
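As an added example (not from the post and not Sardine's own code), here is the "multiple factors" rule for account recovery sketched in Python: email and SMS proofs count as one factor because both live on the stolen phone, and the decision leans on the signals named above (new geolocation, behavior mismatch). The signal names, the threshold and the selfie/hardware-key proof set are assumptions.

```python
from dataclasses import dataclass

# Constructed model of a bank password-reset (account-recovery) request. The
# signal names below are assumptions for this example, not any vendor's API.
@dataclass(frozen=True)
class RecoveryAttempt:
    proofs: frozenset        # proofs completed so far, e.g. {"email", "sms"}
    device_known: bool       # device previously seen on this account
    geo_known: bool          # geolocation previously associated with the user
    behavior_match: float    # 0..1 similarity of typing/swipe patterns to history

# Proofs that anyone holding the unlocked phone can complete. Passing both is
# still a single factor: possession of the phone.
PHONE_RESIDENT = frozenset({"email", "sms"})
# Proofs that need the person, not just the phone (assumed set).
PERSON_BOUND = frozenset({"selfie", "hardware_key"})
BEHAVIOR_THRESHOLD = 0.6


def risk_reasons(a: RecoveryAttempt) -> list:
    """Context signals that disagree with the account's history."""
    reasons = []
    if not a.geo_known:
        reasons.append("new_geolocation")
    if a.behavior_match < BEHAVIOR_THRESHOLD:
        reasons.append("behavior_mismatch")
    # A stolen phone is a *known* device, so device_known never vouches for
    # the person; an unknown device is only an extra reason for caution.
    if not a.device_known:
        reasons.append("new_device")
    return reasons


def recovery_decision(a: RecoveryAttempt):
    """Return (decision, reasons): 'allow', 'step_up' (require a person-bound
    proof such as a selfie) or 'deny'."""
    reasons = risk_reasons(a)
    if a.proofs & PERSON_BOUND:
        # Person verified; still refuse when the context disagrees twice over.
        return ("deny" if len(reasons) >= 2 else "allow"), reasons
    # Email and SMS alone never complete a reset; the only question is whether
    # to offer the selfie step or stop outright.
    return ("deny" if len(reasons) >= 2 else "step_up"), reasons
```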
Summary: Phone theft → reset bank login via email / SMS → steal money via PIX
Open problems: The fraud that is impossible to detect today is kidnapping, especially if the kidnapper forces you to change your PIX withdrawal limits. We’ll be investigating enhancing our Device Intelligence and Behavior Biometrics product suite with these capabilities.
- One potential solution would be for banks and neobanks to require video/voice authorization when you change your limits.
- During the voice/video authorization, detect signs of distress, multiple voices in background, gun (full or partial) in view.
Thank you to the various fintechs I got the opportunity to meet and learn from this week.
- Angela Strange, David Haber, Seema Amble, Gabriel Vasquez and all our a16z friends for inviting us on this trip down south
- Thales Freitas at Bitso
- Renato at Iugu
- Joao and Amanda at Dock
- Rafael Stark, Caio, Diego, Dio, Luiz at Stark Bank
- Stephany, Herbert, Rodrigo and Tulio at Fit Bank
- Fernando at Penheiro Neto
- Marcello at Lend