We continue with our existing theme of articles that provide a range of insights across the BNPL ecosystem. In this edition, we provide an overview on why buy now, pay later (BNPL) services are popular among more than just consumers. They’re also proving to be an extremely attractive target among criminals.
Buy Now, Pay Later is extremely simple, and easy to acquire with minimal identification checks. In fact, it is that simple, that an ideal attack surface for fraudsters has in fact been created.
Jump on Board
As BNPL expands both online and in stores, more and more companies have jumped on board, including card companies, banks, travel companies offering ‘buy now, fly later’, insurers looking to revolutionize payments in the commercial insurance sector, and now credit bureaus - Equifax, Experian and TransUnion are prime examples. However, in the instance of credit bureaus, BNPL data will be used to incorporate BNPL accounts into a consumer’s credit file. This is something that has not been achieved to date as a majority of Buy Now, Pay Later loans are not reported to credit bureaus because current scoring models are designed to predict risk based on payment behaviors of mainstream credit products and have not yet been updated to include BNPL accounts.
We should also bear in mind that an individual consumer may take out multiple BNPL loans over any period. Therefore, incorporating these loans, particularly if paid on time, benefits the consumer by boosting their credit score.
BNPL provides consumers with a variety of payment options that give them a great deal of flexibility and financial freedom. These options can be broadly classified into three payment structures:
Split pay - the payment is divided into installments that are paid over time.
Pay later - the customer delays payment of the entire amount until an agreed repayment date.
Long-term financing - the BNPL provider provides a loan at an agreed interest rate or fee over an extended period.
If you are considering launching a BNPL initiative as part of your payment service offering, a cloud first approach may be the optimal strategy to consider. Launching a new application in the cloud can deliver the speed to market, scalability and flexibility required to meet the requirements and expectations of today’s consumers. To complement a cloud deployment, Payment HSMs as a Service can be used to protect and secure online payment transactions.
When Buy Now, Pay Later Goes Wrong
BNPL services are similar to other digital applications in that attackers use a variety of techniques to manipulate the system - defrauding BNPL services and their customers.
Some of the techniques in operation that are used by attackers are:
BNPL services typically provide a default line of credit to a new account, with lending limits increasing as the account’s age, transaction and payment history increase. Gaining access to a customer’s account to make unauthorized purchases has also risen. This type of fraud can be facilitated by lax identity verification and checkout processes.
Fraudsters can use tools such as known password lists and credential stuffing bots to brute force their way into BNPL accounts before making large purchases on a variety of retail sites by setting up installment loans (that will eventually have to be written off as a loss), or selling established accounts.
Fake account opening
In this instance, fraudsters create fake accounts in order to take advantage of default credit whilst also targeting existing accounts to maximize their profits. This is a common and effective technique and because the victim is not billed immediately for BNPL payments that are due, they may not notice any activity for an extended period.
Lower credit scores may also affect the consumer in the future, as installment plans taken out in their name, which are not being repaid and may have gone unnoticed, appear on the consumer’s credit file.
Whenever networks, devices, applications, and users are connected, their identity must be securely authenticated. Digital certificates are the means through which the many stakeholders in the payment ecosystem establish trust with one another.
Public Key Infrastructure (PKI) is the most powerful tool for authentication enabling trust relationships and secure electronic transfer exchange of information between the involved entities. A scalable and flexible all-in-one PKI solution such as u.trust Identify is a highly recommended solution to deploy and operate a PKI.
Synthetic Identity fraud (SIF)
SIF is one of the fastest growing types of financial crimes and can be complex and extremely difficult to detect. It uses a combination of real and false personal data to create a false ‘hybrid’ identity. For example, a legitimate social security number can be used and then paired with false details for name, address and date of birth. Fraudsters will often target people who do not currently have a viable credit history, for example, babies or children.
When the fraudsters default on payments that become due, this is then likely to be written off as ‘bad debt’ and ultimately reflect negatively on the customer's credit score. Trying to prove that the customer did not make the purchase and it was down to fraudulent activity can be extremely hard to prove.
Stolen credit cards
The majority of BNPL services allow customers to pay off their loans with credit cards. Fraudsters take advantage of this feature and use stolen credit card information to pay their debts. Such transactions result in chargebacks and other expenses incurred by the merchant as a result of the fraud settlement.
BNPL fraud presents a new fraud challenge for banks and merchants - in some cases, it's essentially an instant loan application at the point of sale, with no credit check.
It’s unlikely that BNPL merchants or providers will add checks or additional steps to the current process unless compelled to do so by regulation which is not due to be introduced until late 2022 onwards. At this time, BNPL remains unregulated, which means there is no unified industry-wide protocol to deal with fraud. Therefore, each provider may have its own set of fraud detection and prevention procedures in place, and cases are resolved in accordance with self-imposed policies.
This means that continuous authentication protection for cardholders should be in place across the digital payments journey - enrolling, shopping and paying as well as managing installment transactions. A multi-layered approach to risk management and fraud protection is recommended, an example being Strong Customer Authentication.
With BPNL, fraud rates may rise because merchants may relax their fraud countermeasures in order to complete the sale. Criminals will seek out merchants with weaker fraud protection in order to find the path with the least resistance.
About the author
Dawn Illing is a product development manager with over 25 years of product management experience in the banking, insurance and cyber security industries. By working internationally across EMEA, this has inspired her interest in cross-border digital identity and cyber security, including the interoperable requirements that necessitate successful delivery of digital product and market solutions.