Widespread weaknesses recently revealed in the Brazilian banking system have already resulted in up to US $3.75 billion in fraud. For readers unfamiliar with Brazil and its use of the “boleto” (a printable document issued by banks and businesses that allows easy financial transactions), Professor Rodrigo Fonseca of Brown University’s Department of Computer Science offers a sobering summary: “This was an exploit on a fragile system that was designed for ease of use, not security. It was absolutely preventable.”
The fraud was first detected in August, when a friend of Fonseca’s documented a false boleto that caused funds to be paid to an account other than the payee’s. Rodrigo opened an investigation, which revealed flaws ranging from functional issues such as opacity (payers cannot verify the payee’s identity with certainty) to security lapses such as DNS cache poisoning at a large Internet provider and a bank that did not use standard protections such as HTTPS (HTTP over TLS). The two lapses compound each other: a browser sent to the wrong server by a poisoned DNS answer has no way to tell an impostor from the real bank unless the site’s certificate is checked over HTTPS. Use of the DNS Security Extensions (DNSSEC), which let a resolver verify that DNS answers are signed by the zone owner, would have blocked the poisoned answers, and with them this fraud, provided the bank’s zone was signed and the provider’s resolvers validated signatures.
Although the weaknesses are now better understood, the problem has not yet been solved. “Until then,” Rodrigo explains, “people who use boletos should never trust bar code numbers without verifying them with the issuing bank. They should also avoid web sites that offer to reissue boletos, because some of them are fraudulent. And they should continue to insist that banks be required to consistently implement well-recognized security standards to prevent future attacks.”
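To make the advice about bar code numbers concrete, here is an added example, written for this page and not code from the article or from Fonseca’s investigation. It parses the 47-digit typed line (linha digitável) of a bank boleto and verifies its FEBRABAN check digits: three modulo-10 digits for the typed fields and one modulo-11 general digit over the 44-digit bar code. The field layout (bank code, currency, general check digit, due-date factor, amount, 25-digit bank-specific free field) is the standard one; the inner layout of the free field varies per bank and is treated as opaque, and every sample value is constructed. The point it demonstrates is that the check digits prove only internal consistency: a forged boleto that swaps the free field, which is where the beneficiary is encoded, and recomputes every digit still passes, which is exactly why the numbers must be confirmed with the issuing bank.

```python
from datetime import date, timedelta

# Added example, not code from the article: parse and verify a bank boleto's
# 47-digit typed line (linha digitável). Layout and check-digit rules follow the
# standard FEBRABAN bank-boleto format; all sample values are constructed.

FACTOR_BASE = date(1997, 10, 7)   # due-date factor 1000 corresponds to 2000-07-03


def mod10(digits: str) -> int:
    """Modulo-10 check digit used for the three typed-line fields.

    Weights 2,1,2,1,... are applied from right to left; a two-digit product
    contributes the sum of its digits (prod - 9).
    """
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod if prod < 10 else prod - 9
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """Modulo-11 general check digit over the 43 bar code digits (all but the DV).

    Weights 2..9 cycle from right to left; a result of 0, 10 or 11 becomes 1.
    """
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


def build_linha_digitavel(bank: str, currency: str, factor: str,
                          amount_cents: int, free_field: str) -> str:
    """Assemble a typed line with freshly computed check digits.

    free_field is the 25-digit bank-specific block that identifies the
    beneficiary account and the document (its inner layout varies per bank and
    is treated as opaque here). A forger runs exactly this computation.
    """
    assert len(bank) == 3 and len(currency) == 1 and len(factor) == 4
    assert len(free_field) == 25 and free_field.isdigit()
    amount = f"{amount_cents:010d}"
    body = bank + currency + factor + amount + free_field   # 43-digit bar code without DV
    f1 = bank + currency + free_field[:5]
    f2 = free_field[5:15]
    f3 = free_field[15:25]
    return (f1 + str(mod10(f1)) + f2 + str(mod10(f2)) + f3 + str(mod10(f3))
            + str(mod11(body)) + factor + amount)


def parse_linha_digitavel(linha: str) -> dict:
    """Split a typed line into its fields and verify every check digit."""
    digits = "".join(c for c in linha if c.isdigit())
    if len(digits) != 47:
        raise ValueError("bank boleto typed line must contain 47 digits")
    f1, f2, f3 = digits[0:10], digits[10:21], digits[21:32]
    general_dv, f5 = digits[32], digits[33:47]
    fields_ok = all(mod10(f[:-1]) == int(f[-1]) for f in (f1, f2, f3))
    free_field = f1[4:9] + f2[:-1] + f3[:-1]              # 5 + 10 + 10 digits
    # 44-digit bar code: bank(3) currency(1) DV(1) factor(4) amount(10) free(25)
    barcode = f1[:4] + general_dv + f5 + free_field
    general_ok = mod11(barcode[:4] + barcode[5:]) == int(general_dv)
    factor = f5[:4]
    return {
        "bank_code": f1[:3],
        "currency": f1[3],
        "due_date_factor": factor,
        "due_date": None if factor == "0000"
                    else (FACTOR_BASE + timedelta(days=int(factor))).isoformat(),
        "amount_cents": int(f5[4:]),
        "free_field": free_field,
        "barcode": barcode,
        "check_digits_ok": fields_ok and general_ok,
    }


def forge_beneficiary(linha: str, new_free_field: str) -> str:
    """Reproduce the attacker's edit: keep bank, due date and amount, replace the
    free field (and with it the beneficiary) and recompute all check digits."""
    p = parse_linha_digitavel(linha)
    return build_linha_digitavel(p["bank_code"], p["currency"],
                                 p["due_date_factor"], p["amount_cents"], new_free_field)


if __name__ == "__main__":
    genuine = build_linha_digitavel("237", "9", "6000", 150000, "1234567890123456789012345")
    forged = forge_beneficiary(genuine, "9876543210987654321098765")
    for label, line in (("genuine", genuine), ("forged", forged)):
        p = parse_linha_digitavel(line)
        print(f"{label}: {line}")
        print(f"  bank {p['bank_code']}  due {p['due_date']}  "
              f"R$ {p['amount_cents'] / 100:.2f}  check digits ok: {p['check_digits_ok']}")
    # Both lines validate; only the issuing bank can say which beneficiary is right.
```

Running the script prints two typed lines that share the bank, due date and amount and both pass every check digit, yet pay different beneficiaries. A single digit altered without recomputing the check digits is caught, which is all the check digits were ever designed for: catching typing errors, not forgery. The useful checks a payer can do offline are to read the bank code and amount back from the line and compare them with the printed boleto; whether the free field names the intended beneficiary can only be confirmed with the bank that issued it.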
Rodrigo’s account (in Portuguese) of the fraud and his work is featured here.