Comment by voxleone
7 months ago
PIX was developed entirely by the Central Bank of Brazil, an autonomous federal agency linked to the Ministry of the Economy. It’s widely hailed as one of the most important public technology innovations in recent years, now integrated into the everyday lives of millions of Brazilians.
But here's the problem: PIX’s source code is not public.
No external institution—be it a citizen, a researcher, a company, or even another government agency—can audit how PIX operates under the hood. This directly contradicts both the letter and the spirit of Article 16 of Law 14.063/2021.
https://d1gesto.blogspot.com/2025/06/brazils-pix-system-face...
Disregarding the law (I'm ignorant) - why should PIX be "auditable"?
Almost everyone (very close to literally everyone) uses PIX and we have zero reported cases of mishaps, errors or bad-faith attacks...?
I quite frankly don't care that the system backed/created by the public services and imposed on banks is "closed"; to the point that I'm genuinely curious as to what the arguments for caring are.
Hope this does not sound dismissive - as a heavy user with no complaints for years, why should I care that PIX is a black box?
> Almost everyone (very close to literally everyone) uses PIX and we have zero reported cases of mishap, errors or bad faith attacks...?
Earlier this month, hackers using credentials purchased from a C&M employee were able to generate unauthorised PIX transactions on client banks and steal at least BRL 500 MM, and maybe as much as BRL 5 BN, so it's definitely not foolproof.
> Hope this does not sound dismissive - as a heavy user with no complaints for years, why should I care PIX is a black box?
Brazilians in general are very accepting of government surveillance, with the omnipresent CPF and now complete disclosure of almost all consumer transactions to the State. It's always surprised me, TBH, given the very recent history of dictatorship and unbounded potential for abuse.
> Earlier this month, hackers using credentials purchased from a C&M employee were able to generate unauthorised PIX transactions
To be clear - this was a "bank robbery" (an inside job, given the use of credentials?) and in absolutely zero ways affects trust in PIX as a user.
As for your other point - thanks, our values and concerns are not aligned; it would be hard for us to agree on this
I fail to see the relevance here - the APIs are public, but the software running the system isn’t. This is not great, but it isn’t significantly different from any other similar platform.
Also, it's not complicated to build your own PIX system by reverse-engineering the APIs. In fact, it's quite trivial. The tricky part is making it scalable.