I found the explanation of Boletos a bit confusing. I think I've finally figured it out. Here's how I think a transaction works when you pay by Boletos. I'll do this for an online merchant, but it works for in-person transactions too.

1. When you check out and elect to pay by Boletos, you are given a document to print. (For an in-person transaction at a store, the store would print the document.) The document contains information that describes the debt you owe for your purchase. In particular, it has the merchant's bank account number, the amount you owe, the due date, and presumably an order number or something that will let the merchant know later which particular sale this document is describing. This document is the Boletos. Although it is typically printed, you only actually need the long number printed at the top or the barcode at the bottom (which encodes that number).

2. You have several ways to actually pay the merchant.

• You can go to your bank's online banking site, and show them the Boletos (perhaps by scanning the bar code if you are using their app, which commonly includes a barcode scanner for this purpose, or by entering the number from the Boletos). Your bank then transfers the money to the merchant along with the necessary information to allow the merchant to match this up with your order.

• You can go to an ATM and scan the Boletos. Your bank pays the merchant.

• You can go to the post office, a lottery agent, or some supermarkets, and pay there. They collect the money from you, and send it to the merchant.

Fees go up each day after a Boletos is issued, so there is encouragement to pay a Boletos quickly. If you miss the due date, you can still pay but only at a branch of the merchant's bank.

It seems like an interesting system--something kind of between cash and checks. If used for buying online, the merchant never has any of your payment information such as a credit card number or debit card number. On the other hand, there are none of the protections that a credit card provides. Once you pay a Boletos, the money is gone. If you want it back, you have to convince the merchant to return it.

The attacks mentioned in the article mostly consist of interfering with the printing of Boletos. You go to an online site and order something. The site generates a Boletos for you to print. Malware running in your browser modifies this to substitute the bad guy's account, and you then go off and pay the bad guy instead of paying the merchant. The bad guys are getting the malware in by various tricks, including hacking into people's DSL modems and changing them to use compromised DNS servers so they can hijack attempted visits to popular sites.

Even people who never go online are being hit, because the bad guys have also compromised the POS systems in brick-and-mortar stores, so even those can print misdirected Boletos.
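
An added example, not part of the original comment: a payer-side check that decodes the long number on a printed slip and compares the payee bank, payee field and amount against values obtained from the merchant over a separate channel. It assumes the standard 47-digit FEBRABAN layout (not described in the comment); the sample line, the expected values and the function names are constructed for illustration.

```python
# Assumed layout (FEBRABAN bank-collection line, 47 digits):
#   field 1 = bank(3) currency(1) free[0:5]  + mod-10 check digit
#   field 2 = free[5:15]                     + mod-10 check digit
#   field 3 = free[15:25]                    + mod-10 check digit
#   field 4 = mod-11 check digit over the 43 barcode digits
#   field 5 = due-date factor(4) amount in centavos(10)
# The 25-digit "free" field is bank-defined and carries the payee's account data.

def mod10(digits):
    """Mod-10 check digit: weights 2,1,2,... from the right, product digits summed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        p = int(ch) * (2 if i % 2 == 0 else 1)
        total += p // 10 + p % 10
    return (10 - total % 10) % 10

def mod11(digits):
    """Mod-11 check digit: weights 2..9 cycling from the right; 10 and 11 map to 1."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv in (10, 11) else dv

def parse_line(line):
    """Validate every check digit, then return the fields a payer should compare."""
    d = "".join(c for c in line if c.isdigit())
    if len(d) != 47:
        raise ValueError("expected 47 digits, got %d" % len(d))
    f1, f2, f3, k, f5 = d[:10], d[10:21], d[21:32], d[32], d[33:]
    for name, field in (("field 1", f1), ("field 2", f2), ("field 3", f3)):
        if mod10(field[:-1]) != int(field[-1]):
            raise ValueError(name + ": bad check digit")
    free = f1[4:9] + f2[:10] + f3[:10]
    if mod11(d[:4] + f5 + free) != int(k):
        raise ValueError("bad general check digit")
    return {"bank": d[:3], "amount_cents": int(f5[4:]),
            "due_factor": f5[:4], "payee_field": free}

def mismatches(line, expected):
    """Names of the fields whose printed value differs from the trusted value."""
    got = parse_line(line)
    return sorted(key for key in expected if got[key] != expected[key])

# Constructed sample: bank 001, R$150.00, made-up payee field.
SAMPLE = "00191.23454 00000.000018 00000.000026 4 10000000015000"
EXPECTED = {"bank": "001", "amount_cents": 15000,
            "payee_field": "1234500000000010000000002"}

if __name__ == "__main__":
    print(mismatches(SAMPLE, EXPECTED))
```

A slip rewritten to a different payee still carries valid check digits, so passing `parse_line` only rules out typos and corruption; the comparison in `mismatches` against out-of-band values is what exposes the substitution.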