Comment by rbanffy

2 months ago

This attack was not against the Pix system itself but the systems provided by C&M, and was attributed to an employee infiltrating said system. While the attack used the Pix service to move funds, Pix worked as expected. There is nothing it can do with incoming valid but fraudulent transactions.

> While the attack used the Pix service to move funds, Pix worked as expected.

That is not the case, as it appears the attackers were able to use the Pix protocol to transfer funds from accounts not controlled by the attackers.

> There is nothing it can do with incoming valid but fraudulent transactions.

Well, we don't yet know the actual mechanism, but that is the opacity we're talking about.

It's certainly not impossible to ameliorate insider risk, and it's definitely not a given that a single set of compromised developer credentials should be able to enact widespread fraudulent transactions across many banks.