Digital Security Experts Explain Why Using CPF or Phone as a Pix Key Increases Risks and How the Random Key Offers Better Protection
Pix has established itself as the most popular payment method in Brazil. Since its launch in November 2020, millions of Brazilians have started using it daily for transfers, paying for purchases, and even commercial collections.
The convenience and the lack of fees have won over consumers and companies, transforming the way money circulates in the country.
However, along with the mass adoption of the system, new security concerns have also arisen. One of the most discussed points by experts is precisely the choice of the Pix key.
Although the Central Bank allows the use of CPF, CNPJ, phone, email, or random keys, digital security professionals are categorical: avoid CPF and phone whenever possible.
Why Not Use CPF as a Pix Key
CPF is an extremely sensitive piece of data and functions as a unique identifier for each Brazilian citizen. When someone uses this number as a Pix key, they end up exposing information that should only circulate in very specific situations, such as opening a bank account, filing tax returns, or signing contracts.
The problem is that sharing the CPF as a Pix key increases the chances of falling victim to phishing or social engineering scams.
Criminals can use the information to cross-reference data, open false accounts in the victim’s name, or even commit tax fraud.
Additionally, CPF is already one of the most targeted pieces of data in large data breaches. By using it as a Pix key, the individual adds another layer of exposure in an environment where privacy is increasingly fragile.
The Risks of Using the Phone
The phone, in turn, also represents vulnerability. It is often linked to messaging apps and social media, which opens the door for scams such as the famous “WhatsApp Scams”.
With the number in hand, criminals can impersonate the victim in messages to friends and family, requesting transfers via Pix.
Furthermore, there is the threat of SIM card cloning (SIM swap), where scammers manage to transfer the phone line to another SIM card and begin receiving authentication SMS.
Therefore, using the phone as a Pix key can facilitate criminal approaches and expose the user to risks that go far beyond a simple transfer.
The Safer Alternative: Random Keys
In light of these vulnerabilities, experts emphasize that the random key is the safest option. Generated by the Central Bank system, it has no direct link to personal information.
It consists of a unique sequence of letters and numbers, impossible to deduce or associate with CPF, phone, or email.
By using a random key, the user can receive transfers without exposing any sensitive data.
This is especially recommended for freelancers, small merchants, and individuals who share their keys on social media or promotional materials.
This simple measure drastically reduces the chances of fraud, as it complicates things for scammers. Even if someone discovers the random key, it does not reveal any additional information about the owner’s identity.
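
An added example, not part of the original article: a small Python audit that classifies the Pix keys a person or business has published and lists the ones that disclose personal data. It assumes the random key is in canonical UUID form and that phone keys carry the country code; the function names and sample keys are constructed for illustration.

```python
import re
import uuid

# What each non-random key type discloses to anyone who sees it.
EXPOSES = {"cpf": "national taxpayer ID", "cnpj": "company registration number",
           "phone": "phone number", "email": "email address"}

def cpf_is_valid(digits: str) -> bool:
    """Verify both CPF check digits (public mod-11 scheme)."""
    if len(digits) != 11 or digits == digits[0] * 11:
        return False
    for n in (9, 10):
        total = sum(int(d) * w for d, w in zip(digits[:n], range(n + 1, 1, -1)))
        if int(digits[n]) != (total * 10 % 11) % 10:
            return False
    return True

def classify_pix_key(raw: str) -> str:
    """Return 'random', 'email', 'phone', 'cpf', 'cnpj' or 'unknown'."""
    key = raw.strip()
    try:
        # Assumption: random keys are in canonical hyphenated UUID form.
        if str(uuid.UUID(key)) == key.lower():
            return "random"
    except ValueError:
        pass
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", key):
        return "email"
    if not re.fullmatch(r"[\d\s().+/-]+", key):
        return "unknown"
    digits = re.sub(r"\D", "", key)
    if key.startswith("+"):
        return "phone" if 12 <= len(digits) <= 13 else "unknown"
    if cpf_is_valid(digits):
        return "cpf"
    if len(digits) == 14:
        return "cnpj"  # length only; check digits are not verified here
    if len(digits) in (10, 11):
        return "phone"  # heuristic: area code plus local number
    return "unknown"

def audit(keys):
    """List (key, type, exposed data) for every key that is not random."""
    return [(k, t, EXPOSES[t]) for k in keys
            if (t := classify_pix_key(k)) in EXPOSES]

# Constructed sample keys, as they might appear on a flyer or profile.
SAMPLE = ["123.456.789-09", "+5511912345678", "loja@example.com",
          "123e4567-e89b-12d3-a456-426614174000"]
```

Running `audit(SAMPLE)` returns the CPF, phone and email entries and omits the random key, which is the only one that discloses nothing about its owner.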

But even the Receita Federal, for the income tax refund, asks you to provide your CPF as the Pix key in order to get the refund faster. Strange, isn't it?
The information given to the Receita Federal is entered in the Receita's own program, so it is a relatively safe environment.
The guidance is mainly for those who publicize their Pix on social media or in any advertising.
I didn't quite understand the article. When we register on an online shopping site, we have to provide: name, CPF, phone, email, address, etc. That environment is much less secure than money transfers in the banking system. So here is the observation: we already have an almost complete record of data for scams to be carried out.