With the launch of WhatsApp's payments feature on Tuesday the 4th, the messenger has everything it needs to become one of the country's biggest money-transfer channels. The application is used by 160 million people in Brazil and, during the pandemic, it was an outlet for many businesses that needed a direct channel for conversations with their customers. According to data from Zendesk, a company that develops customer service software, consumers increased their use of WhatsApp to communicate with companies by 118%.
Precisely because of its size, WhatsApp is also a target for scammers, who often break into accounts from new cell phones or impersonate people using different numbers, in order to get others to make transfers or send them money. The prevalence of these scams on the platform, and now the possibility of paying through WhatsApp, has scared many users, who fear that the new feature will be abused by criminals.
A survey conducted in 2020 by internet security company PSafe suggests that 8.5 million Brazilians have had their WhatsApp cloned as a result of a scam. Until then, users’ biggest concern was the leaking of private conversations. But the survey reveals that 26.6% reported sending scam links to other contacts and 18.2% said that criminals used cloning to solicit money from friends. It is in this area that WhatsApp Pay has not yet given a clear answer on how users will protect themselves.
For Mauricio Paranhos, director of operations at Apura, a company that develops systems and advises on cybersecurity, the app's reach is the biggest risk, but the platform is safe as long as users meet the basic security requirements. “WhatsApp is another means of payment, but because it uses the systems of Facebook Pay and has partnerships with a dozen banks, it manages to reach many more people. Therefore, it is necessary to consider that in the middle of this universe of transactions there will be risks as in other methods,” explains Paranhos, who states that users must enable a password and biometrics to authorize a transaction and that it is recommended that users have two-factor authentication enabled, a sort of second WhatsApp password.
For him, among the main risks is the scam in which criminals call, use social engineering and end up asking for the WhatsApp authentication code sent by SMS, as if it were the code to earn a benefit or validate a promotion, for example. “Don’t pass codes received by SMS to anyone; enable two-factor authentication. Whoever follows these recommendations and good practices minimizes risks,” he said.
Another factor that can expose users to vulnerabilities is unfamiliarity with this type of service. Even Pix, launched in October 2020, still raises doubts about the registration of keys, its use in non-bank apps and, even more recently, its use to replace boletos. For Denis Riviello, Head of Cybersecurity at Compugraf, a company that provides data privacy solutions, scams are likely to take advantage of the launch of the new feature. He says the trend is common, as criminals tend to take advantage of users’ lack of familiarity with new features.
“A tip is: be suspicious whenever you are faced with an unexpected situation such as a charge, for example. Call a number you know for the bank or the company charging you and confirm to make sure it is due,” advises Riviello, who also emphasizes the importance of researching and searching for any company before making a purchase through WhatsApp.
Recurrent pitfalls, so to speak, must still stay on the radar. Among them is the sending of fake website links in misleading messages. Although this is a known practice, when the message imitates a service the user has actually signed up for, inattention can open an opportunity for the hacker. Claudio Bannwart, regional director of Check Point Brasil, a cybersecurity provider, recommends that users never download the reservations with the links received by WhatsApp or SMS. “This could end up leading to the installation of some malware or malicious program,” he explains. “The intention may be to steal information or even the password while you are typing during the transaction.”
Within the application, details about the user’s account are fully encrypted and protected. Even in cases of theft or cloning, there is no way to carry out transactions without a password, as in a common bank application. “The user cannot leave the password open in any other app, such as the Notes or Reminders application, for example, because then the criminal will be able to discover it and carry out transactions”, warns Bannwart.
In WhatsApp itself, it is possible to enable some privacy functions that can bring more peace of mind, recommends Bannwart. In the settings, for example, it is possible to enable an option so that the user is only added to groups that they allow. “There are certain security features in the app itself, but the main point is always to transfer the money to the right person and protect your password. This is for any financial transaction application, and not just WhatsApp,” concludes the expert.
Who guarantees the security of WhatsApp Pay transfers and payments?
Despite being similar to Pix, WhatsApp Pay does not function as a digital wallet and is not responsible for managing any payment account; it only serves as a bridge between financial institutions. In this initial phase, users have a sending limit of 1 thousand reais per transaction and can receive up to 20 payments per day, within a limit of 5 thousand reais per month. They must also have debit, prepaid, or credit and debit cards from one of the partner banks (Banco do Brasil, Banco Inter, Bradesco, Itaú, Mercado Pago, Next, Nubank, Sicredi and Woop Sicredi) on the Visa and Mastercard brands. Payments are intermediated by Cielo.
And it will be through token technology that institutions will try to control another part of the fraud attempts within the messenger, especially those that do not depend on social engineering. An example of how the token works was given by Visa. The company owns the Visa Cloud Token solution, which was first applied in Brazil, and which protects and removes confidential payment information, converting it into anonymized data and securely storing it. Once in the cloud, this data can be activated on all of the user's devices and directly integrated with banks.
As WhatsApp Pay uses a similar solution that is shared among all financial operators involved in the project, it is expected to be possible to keep transactions secure with the use of biometrics or solutions that assess inconsistencies in real time.
In this case, the confirmation of divergent data works like this: when a transaction is initiated, WhatsApp asks the bank whether that information in fact belongs to the user. The bank then contacts the user, for example through a notification in its app, and asks them to confirm a random piece of data, hoping to block a scammer who does not have all the registration information.
According to Visa, tokens primarily remove operational risks related to data protection for merchants, certifying whether a customer is a real person. The solution also allows Visa to update the latest security features, for both the network and the financial institution, without relying on a user download, for example. “Ensuring security is in Visa’s DNA and this was also one of the premises for us to agree to participate in the project with WhatsApp”, says Percival Jatobá, Vice President of Innovation and Solutions at Visa do Brasil.
The card brand’s expectation of massive use of the functionality was confirmed by a survey conducted in March by Morning Consult, in which 79% of respondents said they wanted to use the new payment service daily. The challenge is to make sure security is not the reason for losing interest.