Date: 2023-10-08

Entity analyzed the security of tools from 4 institutions and surveyed how many complaints customers registered

Idec (Brazilian Institute for Consumer Protection) released a report on Monday (October 2, 2023) criticizing the ease with which someone’s bank account can be accessed via a cell phone application, through scams. The entity analyzed, in the document Hacked Cell Phone Scam, whether the banks Nubank, Bradesco, Itaú and Santander have mechanisms to reduce the chances of scammers being successful when trying to take money from customers.

In the 1st stage of the process, which lasted a total of 6 months, Idec collected how many complaints customers registered in 2022 against each bank through the Reclame Aqui website. Nubank had the most complaints. Although many of these complaints were about stolen cell phones, some of them had to do with the remote access scam, including reports spread across social networks.

Scam

As the institute explains, the scam is carried out when a criminal pretends to be an employee at one of the banks and contacts the victim, whether via WhatsApp, SMS, email or even a phone call. The scammer provides some of the customer’s personal data to convey credibility, maintaining a formal tone similar to that used by a bank employee. Thus, he gains the trust of the victim, who, when requested, downloads an application on their cell phone which, in reality, is a program that allows remote access, controlled by criminals. In this way, it becomes possible to make money transfers, loans, purchases and other types of transactions in the bank account.

After questioning Nubank about the complaints, Idec went after the country’s 3 largest private banks: Bradesco, Itaú and Santander, questioning whether they had ever had customers who fell for scams and what the institution’s attitude was. One of them responded that they were able to completely block remote access to the application, which led the institute to ask other banks why they didn’t yet have this tool available.

Tests

After 1 month, Idec tested remote access to financial institutions’ applications to find out whether they had advanced in developing mechanisms capable of preventing access to customer accounts. Only 1 of the tested banks was able to block access, and Idec cited it as a reference for the others. The other 2 banks were notified of the results.

Idec decided to withhold the details of the tests, including the name of the bank that was successful, to avoid spreading the flaws and facilitating the misuse of remote access as a criminal practice. Therefore, these details are not present in the report released by the institute.

Rights

The report invokes Article 14 of the Consumer Protection Code and Summary 479 of the Superior Court of Justice (STJ) to recall that victims of scams like this have rights that they can claim. When the bank causes damage to customers due to proven security flaws, it has a duty to repair such damage to those who were harmed. In addition to the report, Idec also made a petition model available for anyone who needs to take legal action to seek compensation for the damage suffered.

Brazil Agency sought out Nubank, Bradesco, Itaú and Santander to take a position on the survey. Bradesco has not yet commented.

In a note, Santander states that it has “effective protection mechanisms for the security of your application’s operation by customers”. “These mechanisms even have several technologies capable of identifying risk situations and, thus, acting in the effective prevention of scams and fraud by third parties. The Institution highlights its confidence in the integrity and efficiency of its protection mechanisms and systems, as well as in the operational security of its channels, products and services, providing protection and security to customers”, it adds.

Nubank reported that the situation in which the Idec test was carried out differs, in a series of factors, from a real situation of an attempted scam. The institution also says that it is important for customers to keep their cell phone application updated. “Customers who have their applications updated already have additional layers of protection, including mechanisms that effectively block the use of the Nubank application via remote access”, says the bank’s note.

Finally, Nubank reinforces that, since it was created 10 years ago, it has constantly invested in security: “This continuous improvement work includes preventive tools that give customers more control over their use of the app; internal mechanisms for detecting suspicious transactions; and campaigns with tips and guidance on how to identify and protect yourself from scam attempts”.

Itaú Unibanco also highlighted in a note that it takes security as one of its priorities and that “continuously invests in systems and measures to protect its customers, in addition to carrying out communications and scam prevention campaigns aimed at them”.

“Itaú also reinforces that the bank’s devices used by its customers have security mechanisms that prevent external access by third parties”, it adds in the message sent to the reporters.

With information from Brazil Agency.