Car Wash leaks raise concern for cybersecurity in Brazil

. Jun 15, 2019

For the past week, news website The Intercept has been publishing private messages exchanged by Operation Car Wash prosecutors and Sergio Moro—who was the judge responsible for trying most of the cases related to the investigation until last year, when he accepted Jair Bolsonaro’s invitation to become Brazil’s Justice minister.

The conversations cast doubt over the operation’s legitimacy as a whole, with Mr. Moro appearing to have clearly acted illegally in coaching prosecutors on how to handle evidence and deal with defendants. In the most recent round of leaks, Mr. Moro appears asking prosecutors to issue official statements responding to former President Lula’s remarks during a deposition, in a way to counter “the defense’s little show.”

</span></p> <p><span style="font-weight: 400;">Leaving the scandal&#8217;s implications on corruption investigations aside (if you want more details on the case, and its </span><a href=""><span style="font-weight: 400;">possible implications</span></a><span style="font-weight: 400;">, click </span><a href=""><span style="font-weight: 400;">here</span></a><span style="font-weight: 400;">. Or </span><a href=""><span style="font-weight: 400;">here</span></a><span style="font-weight: 400;">, if you want to listen to our </span><a href=""><span style="font-weight: 400;">chat with </span><i><span style="font-weight: 400;">The Intercept</span></i><span style="font-weight: 400;">&#8216;s managing editor</span></a><span style="font-weight: 400;">, Andrew Fishman), the case revealed how Brazilians tend to overlook online security issues.</span></p> <p><span style="font-weight: 400;">This week, though, encryption became a big topic in Brazil.</span></p> <p><span style="font-weight: 400;">The people involved in the case have rushed to blame a hacker—or hackers—for the data breach (even if no information about the source for the reports were confirmed to this moment). The security of Telegram, the Russian messaging app used for the conversations, was called into question. The company responded to these concerns by publishing an article, available in both Portuguese and English, explaining how their security system works. </span></p> <p><a href=""><img class="alignnone size-full wp-image-19271" src="" alt="encryption telegram" width="962" height="1196" srcset=" 962w, 241w, 768w, 824w, 610w" sizes="(max-width: 962px) 100vw, 962px" /></a></p> <p><span style="font-weight: 400;">Telegram also mockingly issued a challenge to edit a Twitter post protected by two-step verification, stating that anyone who can break the system “shouldn&#8217;t have problems posting a new GIF.” </span></p> <h2>Two-step verification</h2> <p><span style="font-weight: 400;">Two-step verification is a security measure used to authenticate identity. It is based on the principle that requiring two pieces of information reduces the risk of an unknown hacker entering an account. The first piece of information is usually a password and the second can range from a security question to a specially generated link. </span></p> <p><span style="font-weight: 400;">Some websites will ask users to input a code that is sent to their phones. In Brazil, </span><a href=""><span style="font-weight: 400;">SMS texting</span></a><span style="font-weight: 400;"> rates reached the most costly in the world, so companies often offer verification via WhatsApp Messenger. </span></p> <p><span style="font-weight: 400;">Hackers regularly use </span><a href=""><span style="font-weight: 400;">phishing attacks</span></a><span style="font-weight: 400;"> to glean information from users. These scammers claim to be reputable businesses in order to elicit personal data from individuals. These schemes can be quite elaborate, with some hackers going as far as making fake websites to trick users into submitting information.</span></p> <p><span style="font-weight: 400;">More and more of these attacks happen over social media or messaging platforms, rather than emails. Unsolicited messages are usually signs of a hacking attempt. </span></p> <p><span style="font-weight: 400;">Brazil has one of the highest rates of phishing attacks in the world, coming second only to Guatemala, according to antivirus producer Kaspersky. In January 2018 alone, 2.5 million Brazilians were victims of this kind of attack. Users seeking to stay safe should avoid clicking unsolicited links. Typing the desired URL directly into the search bar is one way to avoid attacks. </span></p> <p><span style="font-weight: 400;">Even if a hacker receives information via phishing, two-step verification means they would need both a password and a phone number to access an account. Activating two-step verification on all platforms reduces the access of a cybercriminal who has gotten hold of a password. </span></p> <h2>Protecting business data through encryption</h2> <p><span style="font-weight: 400;">According to a survey by Serasa Experian, a data analysis and credit reporting company, only 40 percent of Brazilian websites are SSL certified. The Social Security Locker (SSL) protocol prevents sites from being vulnerable to hackers. Small businesses often neglect to invest in cybersecurity, and they are the victims of over half of online attacks.</span></p> <hr /> <p><img class="alignnone size-full wp-image-19272" src="" alt="encryption telegram" width="1200" height="528" srcset=" 1200w, 300w, 768w, 1024w, 610w" sizes="(max-width: 1200px) 100vw, 1200px" /></p> <hr /> <p><span style="font-weight: 400;">Businesses that do not set up proper precautions put their content and customer information at risk. Best practices for cybersecurity include using a firewall, regularly changing passwords, and backing up all data. </span></p> <p><span style="font-weight: 400;">Earlier this year, Brazilian hackers broke into Cartoon Network’s streaming platform. The company had to temporarily shut down the site in 15 countries, costing them an estimated USD 1.7 million in revenue. </span></p> <p><span style="font-weight: 400;">Even government-owned systems and websites have proven to be, time and time again, unsafe. As we showed in our </span><a href=""><span style="font-weight: 400;">July 15 newsletter</span></a><span style="font-weight: 400;">, hackers staged massive attacks against government agencies and municipal administrations in 2011. Over 200 official websites were invaded—and official data was stolen.</span></p> <h2>Criminal evidence?</h2> <p><span style="font-weight: 400;">In Brazil, unauthorized access to phones, tablets, and computers is a crime punishable by up to one year in jail. Whether information obtained through illegal means can nullify past decisions is a subject up for debate. </span></p> <p><span style="font-weight: 400;">In the case of Mr. Moro, the leaks could provide enough evidence of collusion to reopen some Operation Car Wash-related cases—not least the case that resulted in the imprisonment of former President Luiz Inácio Lula da Silva.

Juliana Costa

Juliana is a growth strategist and contributor to The Brazilian Report

Our content is protected by copyright. Want to republish The Brazilian Report? Email us at