Nubank is reportedly exposing the CPFs of people who hold accounts at other banks through a security flaw. Anyone who has sent or received money via PIX to or from a holder of a “roxinho” account may have been affected. The problem was exposed in a report published by The Intercept on Wednesday (24).
According to the outlet, the data is exposed inside the bank’s own app. After opening a PIX transfer screen, the user can see a list of every contact who has ever paid them or received money from them. Tapping one of the names shows all of that person’s bank accounts and even their CPF.
One detail of the exposure is curious: it is only possible to see the CPF of people who hold accounts at other banks. If the user taps a contact who has a NuConta (the name of the fintech’s digital account), the CPF appears blurred.
The exposure contradicts, for example, a security document issued by the Central Bank (BC). The agency, which developed PIX, states that financial institutions must mask the CPF of the user who receives a transaction.
“The selection of the key must return the data of the receiving user for verification: full name, masked CPF (e.g. ***.777.888-**) / CNPJ, in addition to the amount and the option to cancel the transaction before payment confirmation,” reads an excerpt from the document.
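The masking format quoted above, worked through as an added Python example (this is not code from the page, from Nubank or from the Central Bank): it validates a CPF’s two check digits using the public modulo-11 algorithm, produces the ***.ddd.ddd-** form the BC document describes, and enumerates the full CPFs that remain consistent with a masked value. The CPF 111.444.777-35 used in the block is a constructed test value, not a real person’s number.

```python
import re

# CPF layout: 9 base digits followed by 2 check digits, formatted ddd.ddd.ddd-dd


def cpf_digits(cpf: str) -> str:
    """Strip formatting and return the 11 digits, or raise ValueError."""
    digits = re.sub(r"\D", "", cpf)
    if len(digits) != 11:
        raise ValueError(f"CPF must have 11 digits, got {len(digits)}")
    return digits


def _check_digit(partial: str) -> int:
    """Modulo-11 check digit over a 9- or 10-digit prefix.

    Weights run from len(partial)+1 down to 2; a remainder below 2 yields 0,
    otherwise the digit is 11 minus the remainder.
    """
    total = sum(int(d) * w for d, w in zip(partial, range(len(partial) + 1, 1, -1)))
    rem = total % 11
    return 0 if rem < 2 else 11 - rem


def is_valid_cpf(cpf: str) -> bool:
    """True when both check digits match and the number is not a repeated digit."""
    try:
        d = cpf_digits(cpf)
    except ValueError:
        return False
    if d == d[0] * 11:  # 000.000.000-00 etc. satisfy the arithmetic but are never issued
        return False
    return _check_digit(d[:9]) == int(d[9]) and _check_digit(d[:10]) == int(d[10])


def mask_cpf(cpf: str) -> str:
    """Render a CPF in the ***.ddd.ddd-** form the BC document prescribes."""
    d = cpf_digits(cpf)
    return f"***.{d[3:6]}.{d[6:9]}-**"


def candidates_for_mask(masked: str) -> list:
    """Enumerate full, check-digit-valid CPFs consistent with a masked value.

    The mask hides five digits, but the last two are check digits determined by
    the first nine, so only the three leading digits are actually unknown.
    """
    m = re.fullmatch(r"\*{3}\.(\d{3})\.(\d{3})-\*{2}", masked)
    if not m:
        raise ValueError("expected the form ***.ddd.ddd-**")
    middle = m.group(1) + m.group(2)
    found = []
    for prefix in range(1000):
        nine = f"{prefix:03d}{middle}"
        d1 = _check_digit(nine)
        d2 = _check_digit(nine + str(d1))
        full = f"{nine}{d1}{d2}"
        if is_valid_cpf(full):
            found.append(full)
    return found


if __name__ == "__main__":
    sample = "111.444.777-35"  # constructed test value
    print(is_valid_cpf(sample), mask_cpf(sample))
    print(len(candidates_for_mask(mask_cpf(sample))), "candidates behind the mask")
```

The enumeration is the caveat a practitioner would want next to the spec: because the two hidden trailing digits are derivable, the BC mask leaves roughly a thousand candidates rather than a hundred thousand, which is why the masked form is meant only as a confirmation aid for the sender, not as a privacy guarantee against someone who already holds other identifying data.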
The problem also violates the General Data Protection Law (LGPD), under which agents (public or private) may only hold the data of people who have consented to the operation.
Possibility of scams
Nubank itself published, in October 2020, shortly before PIX launched, a guide with tips on avoiding scams. In this context, the exposure of CPFs is a problem because it leaves the user open to a range of crimes.
Criminals can use CPF numbers to, among other things, open bank accounts, obtain credit cards and take out phone lines. With the CPF in hand, fraudsters can also get at other personal data such as address, phone number, parents’ names and more.
In a statement to The Intercept, Nubank said it follows BC regulation and denied that the display of people’s CPFs in the user’s contact list is a security flaw. The company stated that the display of the data is in fact “additional security for customers, as it allows them to easily send funds to accounts with which they have previously transacted, reducing the risk of error in manual data entry or of sending to a key that has changed ownership.”
The Intercept also says that after sending its first statement, Nubank contacted the outlet again. This time the fintech said the app would be updated to hide the CPF number.
Despite the company’s statement, in a test carried out this Wednesday by TecMundo, the CPF numbers of other banks’ customers still appeared in full, without any masking. See an example below, with the numbers blurred by the report.