
‘Buy now, pay later’ may present potential security risks for FSIs, fintechs

Newly redesigned $100 notes lay in stacks at the Bureau of Engraving and Printing on May 20, 2013, in Washington. (Photo by Mark Wilson/Getty Images)

Financial card issuers are well aware of the fact that U.S. customers love to buy on credit — so much so that the online world has spawned a whole new category of “buy now, pay later" (BNPL) options offered by traditional lenders and financial technology firms alike.

During the ongoing pandemic, many retail and business borrowers are using such services to a greater extent, even for the most basic purchases such as groceries, as they struggle with job losses or belt-tightening caused by the pandemic's ripple effects. And, as is typical, where the money goes, cyber-thieves are bound to follow.

“Buy now, pay later represents a transformation in the payments industry and is experiencing rapid adoption,” according to a recent blog post co-authored by Atishay Kumar, former chief technology officer and chief privacy officer for ePayLater, a BNPL service based in India, and Shahnawaz Backer, principal security advisor with F5 Labs.

“However, the practices that keep the user experience simple and engaging are often the same ones attackers use to commit fraud and make money,” they continued. “Fraudsters take advantage of existing and modified techniques to try to game the BNPL systems and services.”

The BNPL trend hasn’t escaped the notice of both large U.S. and foreign banks, including Regions Bank, Citizens Bank and Banco Popular, which have launched their own, proprietary BNPL programs. Also getting in on BNPL are traditional FSI service providers and emerging financial tech upstarts, which offer a wide variety of branded and white-label digital installment loans to their customers and prospects directly or through retailers at the point of sale. In late September, Mastercard launched its own BNPL offering.

The list of fintechs already crowding this space includes Afterpay, Affirm, Clearpay, Laybuy, Klarna, Sezzle and Zip; meanwhile technology titans including Amazon and Apple are either creating their own customized BNPL offering, or partnering and acquiring to enter this space. Many of the BNPL developers are even creating browser extensions, to make the entire process of buying digitally on credit even easier. Indeed, Sweden-based Klarna announced on Nov. 2 a deal to buy U.K. PriceRunner, an online price comparison service, to expand its BNPL reach and capabilities.

In fact, 44% of Americans say they have already used BNPL services, according to a recent survey from Credit Karma. And, according to a separate study from LendingTree, that jumps to nearly 1 in 6 Generation Z digital buyers (59%) who have opted to use this payment type.

But in the haste to beat financial-industry rivals or emerging upstarts in offering these point-of-sale instant installment loans to credit-hungry digital commerce customers, cybersecurity experts such as Backer at F5 counseled that existing and would-be BNPL purveyors must consider the fraud and attack scenarios emerging here, and take steps to mitigate the risks. Backer and Kumar pointed out that, as with many variants of financial fraud, the most common techniques for hacking or defrauding a BNPL system mirror what FSIs and their third-party providers have seen elsewhere, namely account takeover, identity fraud, and repaying these loans with hijacked bank accounts or other stolen payment credentials.

BNPL services usually extend a default line of credit to a new account, since the loans are typically made instantly at the point of sale, and lending limits usually increase with account age, transaction volume and payment history. As a result, Kumar and Backer pointed out, "fraudsters create fake accounts to capitalize on default credit.” Crooks can further boost their take by also targeting existing legitimate accounts.

“Attackers use a combination of techniques, including phishing, credential stuffing, and SIM card cloning, to make money at someone else’s expense,” they added.

In the end, providing stout cybersecurity for this fast-growing segment of payments will largely be the product of FSIs, fintechs and third parties sticking to their (security) knitting by taking steps like adding two-factor authentication through biometrics or fake-document checks at signup, as well as using automated and manual methods for weeding out credential stuffing.

Kumar and Backer also suggested BNPL lenders implement “countermeasures, such as rate limits and time-based account freezes ... and collect and analyze additional contextual information, such as user device, location, and time of day, and using that in conjunction with other authentication factors.”
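As an added illustration, not code from the F5 Labs post or from any BNPL provider, the following Python sketch combines the countermeasures just described (a rate limit on failed logins, a time-based account freeze, and device, location and time-of-day context used as a step-up trigger) into one login decision. Every threshold, account id and event below is an assumed, constructed sample value.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)       # sliding window for counting failed logins
MAX_FAILURES = 5                    # failures inside WINDOW that trip a freeze
FREEZE_FOR = timedelta(minutes=30)  # length of the time-based account freeze
QUIET_HOURS = range(1, 5)           # 01:00-04:59: assumed unusual hour for this customer base

def decide(events):
    """Return [(ts, account, action)]; actions: allow, deny, freeze (attempt that tripped
    the limit), frozen (rejected during a freeze), step_up (right password, odd context)."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    frozen_until = {}               # account -> datetime the freeze expires
    known = defaultdict(set)        # account -> {(device, country)} seen on a clean login
    out = []
    for ts, acct, device, country, password_ok in events:
        if ts < frozen_until.get(acct, ts):
            out.append((ts, acct, "frozen"))
            continue
        q = failures[acct]
        while q and ts - q[0] > WINDOW:  # forget failures that fell out of the window
            q.popleft()
        if not password_ok:
            q.append(ts)
            if len(q) >= MAX_FAILURES:   # burst of failures: credential-stuffing pattern
                frozen_until[acct] = ts + FREEZE_FOR
                q.clear()
                out.append((ts, acct, "freeze"))
            else:
                out.append((ts, acct, "deny"))
            continue
        unfamiliar = bool(known[acct]) and (device, country) not in known[acct]
        if unfamiliar or ts.hour in QUIET_HOURS:
            out.append((ts, acct, "step_up"))  # password alone does not clear this context
        else:
            out.append((ts, acct, "allow"))
            known[acct].add((device, country))
    return out

T = datetime(2021, 11, 3, 14, 0)  # constructed base time; EVENTS below are sample data, not from the article
EVENTS = [
    (T, "acct-1", "dev-A", "US", True),                          # first login, learns context
    (T + timedelta(minutes=1), "acct-1", "dev-A", "US", True),   # same context: allow
    (T + timedelta(minutes=2), "acct-1", "dev-Z", "BR", True),   # new device and country: step_up
] + [(T + timedelta(minutes=10, seconds=10 * i), "acct-2", f"dev-{i}", "US", False)
     for i in range(5)] + [                                      # 5 failures in 40 s: freeze
    (T + timedelta(minutes=12), "acct-2", "dev-B", "US", True),  # inside the freeze: frozen
    (T + timedelta(minutes=45), "acct-2", "dev-B", "US", True),  # freeze expired: allow
    (datetime(2021, 11, 4, 3, 0), "acct-3", "dev-C", "US", True),  # 03:00 login: step_up
]
```

Running `decide(EVENTS)` yields, in order: allow, allow, step_up, deny, deny, deny, deny, freeze, frozen, allow, step_up.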

“This payment mechanism is novel and suits the current market dynamics, however, fraudsters do not need to pivot much from their existing tricks to gain from the system,” Kumar and Backer concluded. “Tricks such as account takeover and new account fraud have spoiled user credit ratings with other financial instruments and pose a similar threat to BNPL systems.”
