The Central Bank of the Argentine Republic (BCRA) announced this Monday a change in the mechanism for depositing money into virtual wallets. Two days later, the Minister of Economy and candidate for president for Unión por la Patria, Sergio Massa, ordered the Central Bank’s measure to be repealed. In one more round of the fight between traditional banks and fintech, the debate on the security of the applications in which money is handled was put on the table: how to secure accounts so as not to be scammed?
What the BCRA had ordered was that from December 1 the immediate debit system (DEBIN) would no longer run and would be replaced by the “pull transfers” now available in apps like Ualá. This unleashed a clash between the creator of Mercado Libre and Mercado Pago, Marcos Galperin, and the entity that regulates banking institutions. What was going to change, and why is online account security being talked about again?
“DEBIN is an immediate debit where everyone can put a CBU and withdraw funds from any account and that permission is saved to continue withdrawing money in the future. The positive thing is that it is super easy to handle and you can only ‘bring’ money from your own accounts,” Ariel Setton, an economist and expert in payment methods, explains to Clarín. The BCRA itself, in a section of its page, recognizes that it is an easier and faster method.
“But this also has a potential problem: it is not reversible. From the bank you use you have no way to cut off that money transfer. So when someone’s cell phone is stolen and they have a virtual wallet like Mercado Pago, the criminal can open the app, use DEBIN from the user’s bank account and not only empty the funds from the Mercado Pago account but also from the associated bank accounts,” he warns.
“The financial system is trying to solve this and they do it with the system of ‘pull transfers’, which is the open banking in Europe or what Brazil wants to implement. This means two things: that to register an app like Mercado Pago or any other virtual wallet, you don’t just have to have the CBU but, the first time, a complete authentication factor, such as the bank login, ID, password, username and security token, to prove 100% that only the legitimate account holder can fund money,” continues the specialist.
Until now, the DEBIN system does not require this entire authentication process: by simply entering a CBU from your own bank account, the app already allows the flow of assets from traditional banking to the virtual wallet.
But an important part of this is also that the process can be interrupted, which is fundamental in the case of phone theft: “The other superior part is that, in this case, pull transfers are reversible in terms of their permissions: once you give permission to Mercado Pago, the permission is maintained, but if your phone is stolen, you can go to a computer and cut those money transfers from Mercado Pago, Ualá from your online banking. That way you interrupt the theft of money against people whose devices were stolen,” argues Setton.
“The rule related to recurring DEBIN places the obligation to return the money debited on the head of the company that requested the debit, minimizing the possibility that a user will be financially affected by a DEBIN fraud,” adds Alfonso Martel Seward, Head of Compliance at the virtual wallet Lemon.
Of course, the process adds a friction step, and that is the point Mercado Pago complains about: according to the Fintech Chamber, DEBIN is used every month by more than 4 million users, who carry out an average of 7 monthly transactions.
Mercado Pago also states that, in the tests carried out for the implementation of the pull system, “the percentage of approved transfers reached only 10% of the total operations initiated by users, while Debin registers a success rate of 62%”.
The company published a thread on , to go to an ATM.”
Due to a rule from the Central Bank (BCRA) that was promoted by traditional banks, more than 4 million people will have difficulties depositing money into their Mercado Pago digital account.
— Mercado Pago (@mercadopago) September 25, 2023
“From a user experience point of view, obviously it is easier to transfer money through DEBIN and now there is more friction: putting in complete credentials, a token and so on, perhaps for a large part of the users it is the limit that makes it impossible to close that account funding,” adds Setton.
According to the BCRA, “these modifications do not alter in any way the ability of users to manage their funds among the different providers of financial products.” But two days after its publication, Massa came out to ask the Central Bank to repeal the measure:
A MEASURE THAT BENEFITS USERS OF ELECTRONIC WALLETS
Today a decision was announced that affected users of electronic or virtual wallets. I want to inform you that I asked for the repeal of that rule. I also asked virtual wallets to lower the… pic.twitter.com/aCFptqikYT
— Sergio Massa (@SergioMassa) September 27, 2023
But Mercado Pago says that DEBIN “has the lowest fraud rate recorded in the country, with 0.02% of total transactions.” However, beyond the numbers, multiple users have reported theft of assets or loans taken out in their names without resolution of the conflict: many lose money and wait for a response that never comes.
Now, beyond this fight between banks and virtual wallets, the discussion once again raises the basic security measures of an online account: how to avoid fraud and theft of the money we have both in banks and virtual wallets?
Authentication and the second factor
The second authentication factor remains the most effective antidote to avoid account compromise. In fact, pull transfers aim to attack this problem.
A second factor, called MFA or 2FA, is a security filter to protect accounts from unauthorized access. Taking into account the enormous number of data leaks that have occurred recently (PAMI or CNV, for example, in recent months), the second factor is a brake to prevent a cybercriminal from accessing our data.
The maxim of account security divides authentication into at least three factors: something the user knows (a password, for example), something they have (a token as used by banking apps or Google Authenticator) and something that “is” the user: his fingerprint, his face (biometrics).
In the case of Mercado Pago, the application allows you to activate facial recognition or fingerprint to enter the application: thus, it is not enough to simply unlock the phone with a key, pattern or PIN, but this second factor is needed, which would be something that the user “is”.
This can be activated within the application and is a measure that will prevent a third party from accessing the app where the user can have their money.
How does a scammer enter Mercado Pago once he has stolen a phone and managed to break the password if it has a second authentication factor? He simply cannot: he would need the victim’s fingerprint or face to unlock access to the app. And although there are ways to achieve this, the effort, time and even money that breaking this second factor can require makes the criminal give up.
How to activate the second factor in Mercado Pago
The second factor in Mercado Pago is something that the application “nudges” the user to do. Anyway, it can be activated from the settings:
- Go to “Your Profile”
- Select “Security”
- There you have to look for “Two-step verification”
- Within “Phone”, you can enter the phone number to receive an SMS to log in
- You can also select Google Authenticator, an application that can be downloaded from Google Play or the App Store, for free.
You can also apply this security measure within the application:
- On Android, you can activate fingerprint, PIN, pattern or facial recognition
- On iOS, Touch ID, passcode or Face ID
“It is essential that the user has security measures activated on their phone’s lock screen, so that your personal information is not violated. The security method that users use to unlock their phone screen also serves to protect the Mercado Pago app. Our application does not allow access to phones that do not have some type of security measure activated (e.g. PIN, pattern, fingerprint, Face ID). This means that it is also requested when they open the app or make any money movement. If the device is Android, they must activate their Fingerprint, PIN or Pattern. And if the device is iOS, you must activate Touch ID and code or Face ID and code,” Mercado Pago explained to this outlet.
This way, if the cell phone is stolen, it is more difficult for the thief to extract the money from the accounts. Mercado Pago also highlighted the function of “trusted people”: “Users can designate up to five friends or family members so that, if necessary, they report the theft or loss of their device. When a third party reports what happened, all sessions are closed and all devices are unlinked so that no one has access,” they explained.
Beyond this, the discussion about the DEBIN system continues regarding scams. “In view of Massa’s position, it would be more advisable to give an adaptation period for users to make the onboarding in pull transfers of between 6 and 9 months, maintaining DEBIN as a funding instrument, so that both live, and then limit the DEBIN to its initial objective: to be a means of payment,” Setton closes.
The fight between the BCRA and Mercado Pago served, in any case, to remind users that the second authentication factor is the safest method to avoid compromise of accounts: not only in banking applications, but also in social networks, email and anything that has personal information that can be used against us.