Shahnawaz Backer, Senior Security Advisor at F5 Labs, explains how fraud scenarios can occur in the Buy Now, Pay Later (BNPL) ecosystem
BNPL brings its own risks, which fraudsters can exploit.
Banking has undergone enormous transformation over the past decade as it becomes ever more integrated into consumers' daily lives. In the past year alone, the adoption of technology in the banking industry has accelerated at an unprecedented rate because of the COVID-19 pandemic. Consumers are increasingly drawn to making financial decisions without having to visit a bank branch or use a banking app. Buy Now, Pay Later (BNPL) represents a transformation in the payments industry and is being adopted at an increasing rate.
BNPL empowers consumers by providing them with a line of credit at the point of sale. It eases the pressure on consumers by allowing them to pay over a period of time instead of paying the full amount up front. The fact that most BNPL providers charge no interest if payments are made on time, and that BNPL is available in both e-commerce and traditional retail settings, makes this financial instrument more attractive than products such as credit cards, loans or financing programs, whose consumer experience is comparatively poor.
The adoption of BNPL services has continued to grow, benefiting both businesses and consumers. The success of BNPL, a blend of technology and business acumen to address a market segment, depends on the fluidity of the user experience with:
- A simple payment experience requiring a few clicks.
- Consistent user experience across all websites.
- No processing fees.
- Instant credit, with no lengthy approval process.
However, the practices that keep the user experience simple and engaging are often the same ones attackers rely on to commit fraud and make money. Fraudsters apply both existing and adapted techniques in attempts to game BNPL systems and services.
How BNPL Systems Work
BNPL services are provided by FinTech companies or banks. Retailers subscribe to these services to offer their consumers an alternative payment mechanism. The payment method is typically triggered at the point of sale, in both the digital and the physical world. On an e-commerce platform, the consumer is offered BNPL as a payment option after adding items to a shopping cart and proceeding to checkout. If the customer selects BNPL, they are redirected to the BNPL provider. After the user has been verified, the service provider grants the consumer an interest-free line of credit. Confirming the payment involves scanning a QR code, approving the transaction on the phone, or entering a one-time password sent to the phone.
Fraud techniques in operation
BNPL services are like other digital applications, and attackers use various techniques to trick the system. The banking and financial industry is already familiar with some of the tricks used by attackers, including:
- Account takeover: BNPL services typically provide a default line of credit to a new account, and loan limits typically increase with account age, transaction volume, and payment history. Scammers create fake accounts to capitalize on the default credit, but to increase their earnings they also target existing accounts. Attackers use a combination of techniques, including phishing, credential stuffing, and SIM cloning, to make money at someone else's expense.
- Abuse of the default line of credit for new accounts: Most BNPL systems let consumers register simply by providing copies of documents as proof of identity (such as a driver's license) and/or of current address (such as utility bills). Using similar documents obtained from stolen emails or data breaches, scammers create fake accounts and then exploit the same simple sign-up terms and introductory line of credit offered to legitimate consumers. In some cases, fraudsters collude with merchants to convert the default line of credit into cash.
- Repayment with a stolen credit card: Most BNPL services allow consumers to repay their loans by credit card. Fraudsters take advantage of this feature and pay off their debts with stolen credit card details. For the merchant, such transactions result in chargebacks and other costs of settling the fraud.
Planning a strong defense
To cope with the range of attack mechanisms used by fraudsters, BNPL service providers must build in several preventive and detective security controls. These should include mechanisms to establish both the identity of the user and their intent. Some of the necessary controls for BNPL systems include:
- User validation during registration: Most BNPL systems streamline registration by having the user upload documents to prove their identity. This process must be robust without adding complexity. BNPL systems should include biometric authentication (fingerprint, face, or other factors) with liveness checks, and should check for forged documents (for example, missing holograms or font mismatches) as part of registration to counter the creation of false identities.
- Detection and prevention of account takeover: BNPL services must protect valid user accounts against takeover. This requires a set of controls that includes detecting automated and manual credential stuffing, implementing countermeasures such as rate limits and time-based account freezes, and collecting and analyzing additional contextual information.
- Protection against the use of stolen credit cards: Implement and enforce the 3D Secure protocol for credit card repayments to improve the prevention of credit card fraud.
- Anomaly detection: Collect the necessary telemetry on user transaction data, including endpoint information, and use machine learning algorithms to detect transactional anomalies such as buyer-seller collusion.
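The account-takeover controls above (credential-stuffing detection, rate limits, time-based account freezes) can be illustrated with a small login guard. The following is an added example written for this page, not code from F5 Labs or from any BNPL provider; the log format, IP addresses, usernames and threshold values are all constructed for illustration and would be tuned to a real service's traffic.

```python
"""Credential-stuffing detection with a per-source rate limit and time-based
account freezes. Added example; all policy numbers and log lines are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not figures from the article).
IP_WINDOW_SECONDS = 60           # sliding window for per-source attempt counting
IP_MAX_ATTEMPTS = 10             # attempts per window before the source is throttled
ACCOUNT_MAX_FAILURES = 5         # failed logins before the account is frozen
ACCOUNT_FREEZE_SECONDS = 900     # how long a frozen account rejects all logins
STUFFING_MIN_DISTINCT_USERS = 8  # distinct usernames from one source that flag stuffing


@dataclass
class LoginGuard:
    ip_attempts: dict = field(default_factory=lambda: defaultdict(deque))
    ip_users: dict = field(default_factory=lambda: defaultdict(set))
    account_failures: dict = field(default_factory=lambda: defaultdict(int))
    frozen_until: dict = field(default_factory=dict)

    def check(self, ts: int, ip: str, user: str, success: bool) -> str:
        """Decision for one attempt: 'proceed', 'throttle' or 'frozen'.
        `success` is the outcome of the password check, replayed from the log."""
        # 1. An active freeze rejects even a correct password, so a slow attack
        #    that finally guesses right still gets nothing during the freeze.
        if user in self.frozen_until and ts < self.frozen_until[user]:
            return "frozen"
        # 2. Per-source sliding-window rate limit.
        window = self.ip_attempts[ip]
        while window and ts - window[0] >= IP_WINDOW_SECONDS:
            window.popleft()
        window.append(ts)
        self.ip_users[ip].add(user)
        if len(window) > IP_MAX_ATTEMPTS:
            return "throttle"
        # 3. Per-account failure counter with a time-based freeze.
        if success:
            self.account_failures[user] = 0
            return "proceed"
        self.account_failures[user] += 1
        if self.account_failures[user] >= ACCOUNT_MAX_FAILURES:
            self.frozen_until[user] = ts + ACCOUNT_FREEZE_SECONDS
            self.account_failures[user] = 0
        return "proceed"

    def stuffing_sources(self) -> list:
        """Sources that tried many distinct usernames: the stuffing signature."""
        return sorted(ip for ip, users in self.ip_users.items()
                      if len(users) >= STUFFING_MIN_DISTINCT_USERS)


def replay(lines):
    """Replay constructed log lines of the form '<epoch> ip=.. user=.. result=..'."""
    guard = LoginGuard()
    decisions = []
    for line in lines:
        ts_str, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        decisions.append(
            guard.check(int(ts_str), fields["ip"], fields["user"], fields["result"] == "ok"))
    return guard, decisions


# Constructed sample log (documentation-range IPs, invented usernames).
ATTACKER = "203.0.113.5"
SAMPLE_LOG = (
    # One source cycles through 12 leaked usernames in 24 seconds.
    [f"{1714557600 + 2 * i} ip={ATTACKER} user=user{i:02d} result=fail" for i in range(12)]
    + [
        # Five wrong guesses against one account, then the right password.
        "1714557700 ip=198.51.100.7 user=bob result=fail",
        "1714557705 ip=198.51.100.7 user=bob result=fail",
        "1714557710 ip=198.51.100.7 user=bob result=fail",
        "1714557715 ip=198.51.100.7 user=bob result=fail",
        "1714557720 ip=198.51.100.7 user=bob result=fail",
        "1714557730 ip=198.51.100.7 user=bob result=ok",
        # An unrelated user from another source is unaffected.
        "1714557740 ip=192.0.2.10 user=alice result=ok",
        # The account owner logs in after the 15-minute freeze has expired.
        "1714558700 ip=198.51.100.7 user=bob result=ok",
    ]
)

if __name__ == "__main__":
    guard, decisions = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:8s} {line}")
    print("stuffing sources:", guard.stuffing_sources())
```

In the replay, the eleventh and twelfth attempts from the single source are throttled, the correct password for `bob` on the sixth attempt is rejected because the account is frozen, and the same source is reported as a stuffing candidate because it touched twelve distinct usernames. A production guard would also key the rate limit on device fingerprint and ASN, since attackers spread stuffing across many addresses, which is the "additional contextual information" the control above refers to.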
Ultimately, BNPL systems extend consumers' purchasing power with their large audience and interest-free loans, giving them an advantage over other lending instruments used by the financial industry. This payment mechanism is new and adapted to current market dynamics. However, scammers do not have to stray far from their existing tricks to take advantage of it. Tricks such as account takeover and new account fraud have affected users' credit scores with other financial instruments and pose a similar threat to BNPL systems. Regulations for FinTech companies differ by region, but companies should deploy security controls to protect against abuse of the system, including:
- Detect and block malicious intent from both humans and bots.
- Implement risk-based authentication and authorization systems.
- Develop smart user onboarding processes that incorporate artificial intelligence to eliminate the use of stolen information, such as matching a user selfie with proof of identity.
- Monitor account and transaction lifecycles for abnormal activity.
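The anomaly-detection control and the last point above (monitoring transaction lifecycles for abnormal activity, in particular buyer-seller collusion where merchants convert fresh accounts' default credit into cash) can be shown on constructed transaction telemetry. This is an added example, not code from F5 Labs or from any BNPL provider: the transaction fields, merchant names, default credit amount and thresholds are all assumptions, and a robust median/MAD z-score stands in for the machine-learning model the article mentions.

```python
"""Flag merchants whose BNPL volume is dominated by fresh accounts drawing their
full default credit, plus devices shared by many accounts at one merchant.
Added example; every value below is constructed."""
from collections import defaultdict
from statistics import median

DEFAULT_CREDIT = 500.0   # constructed default line of credit for a new account
FRESH_ACCOUNT_DAYS = 7   # an account younger than this counts as "fresh"
FULL_DRAW_RATIO = 0.9    # a single purchase at >= 90% of default credit is a "full draw"
OUTLIER_Z = 3.5          # robust z-score above which a merchant is flagged
MIN_TRANSACTIONS = 5     # merchants with fewer sales are not scored


def collusion_ratio(transactions):
    """Per merchant: fraction of sales that are a fresh account drawing full credit.
    Each transaction is (buyer, merchant, device_id, account_age_days, amount)."""
    totals = defaultdict(int)
    suspicious = defaultdict(int)
    for buyer, merchant, device, age_days, amount in transactions:
        totals[merchant] += 1
        if age_days <= FRESH_ACCOUNT_DAYS and amount >= FULL_DRAW_RATIO * DEFAULT_CREDIT:
            suspicious[merchant] += 1
    return {m: suspicious[m] / n for m, n in totals.items() if n >= MIN_TRANSACTIONS}


def robust_z_scores(values):
    """Median/MAD z-score: unlike mean/stddev it is not dragged by the outlier itself."""
    med = median(list(values.values()))
    mad = median([abs(v - med) for v in values.values()])
    scale = 1.4826 * mad  # consistency constant relating MAD to a normal stddev
    scores = {}
    for key, v in values.items():
        if scale == 0:  # all merchants identical: anything above the median stands out
            scores[key] = float("inf") if v > med else 0.0
        else:
            scores[key] = (v - med) / scale
    return scores


def flag_merchants(transactions):
    """Merchants whose collusion ratio is a statistical outlier among their peers."""
    scores = robust_z_scores(collusion_ratio(transactions))
    return sorted(m for m, z in scores.items() if z > OUTLIER_Z)


def shared_devices(transactions, min_accounts=3):
    """(device, merchant) pairs where one endpoint drives purchases for many accounts."""
    buyers = defaultdict(set)
    for buyer, merchant, device, _, _ in transactions:
        buyers[(device, merchant)].add(buyer)
    return {k: sorted(v) for k, v in buyers.items() if len(v) >= min_accounts}


def _ordinary(merchant, big_ticket=False):
    """Eight constructed ordinary sales: mature accounts, modest amounts, one fresh
    buyer who, at a big-ticket merchant, legitimately spends most of the credit."""
    rows = []
    for i in range(8):
        age = 3 if i == 0 else 90 + 30 * i
        amount = 480.0 if (big_ticket and i == 0) else 40.0 + 35.0 * (i % 4)
        rows.append((f"{merchant}_b{i}", merchant, f"dev_{merchant}_{i}", age, amount))
    return rows


# Constructed colluding merchant: eight day-old accounts, each drawing the full
# credit, five of them from the same device.
COLLUDING = [
    (f"mule{i}", "gadgetcash", "dev_shared" if i < 5 else f"dev_m{i}", 1 + i % 3, 495.0)
    for i in range(8)
]

TRANSACTIONS = (
    _ordinary("shoes", big_ticket=True) + _ordinary("books") + _ordinary("grocer")
    + _ordinary("electro", big_ticket=True) + _ordinary("games")
    + _ordinary("travel", big_ticket=True) + COLLUDING
)

if __name__ == "__main__":
    for merchant, ratio in sorted(collusion_ratio(TRANSACTIONS).items()):
        print(f"{merchant:10s} fresh-full-draw ratio = {ratio:.3f}")
    print("flagged merchants:", flag_merchants(TRANSACTIONS))
    print("shared devices:", shared_devices(TRANSACTIONS))
```

On the constructed data the three big-ticket merchants have a ratio of 0.125 and the others 0, so the median is 0.125 and the colluding merchant's ratio of 1.0 scores about 4.7 robust standard deviations above it, while the legitimate big-ticket merchants score 0. The shared-device signal is independent of the amount logic and catches the case where a single endpoint is used to open and drain several accounts, which is why the article asks for endpoint information in the telemetry.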