
How ‘buy now, pay later’ services present cyber risks for consumers

Industry experts warn the “buy now, pay later” plans may present a new attack vector for cybercriminals. Pictured: A shopper walks past a sale sign on Regent Street on Dec. 27, 2021, in London. (Photo by Hollie Adams/Getty Images)

The concept of using credit has been ingrained in Americans for decades. In fact, in recent years, an alternative to credit cards and short-term personal bank loans has emerged in the online channel: buy now, pay later (BNPL) services.

And in the past year or so, their popularity has drawn the attention of regulators in the United States and other countries, who see the financial and possible cyber risks that these services could pose to consumers. In December 2021, the U.S. Consumer Financial Protection Bureau (CFPB) opened an inquiry into five BNPL lending services (Affirm, Afterpay, Klarna, PayPal and Zip), expressing concern that such offerings would unduly encourage American consumers in “accumulating debt, regulatory arbitrage, and data harvesting in a consumer credit market already quickly changing with technology,” according to a CFPB release on the inquiry.

Fueled by the pandemic lockdown, which has forced more Americans to buy on the internet, U.S. online shoppers alone spent nearly $21 billion in 2021 using BNPL services — 230% more than the previous year, according to a study by Accenture, commissioned by BNPL provider Afterpay.

“Buy now, pay later is the new version of the old layaway plan, but with modern, faster twists where the consumer gets the product immediately but gets the debt immediately, too,” CFPB Director Rohit Chopra said in the CFPB December 2021 press release.

The agency, tasked with defending U.S. consumers against potential financial risks, pointed out that while “lenders have touted BNPL as a safer alternative to credit card debt, along with its ability to serve consumers with scant or subprime credit histories...the Bureau is concerned about [how these services encourage] accumulating debt, regulatory arbitrage and data harvesting.”

In February 2021, the Financial Conduct Authority, the United Kingdom’s regulatory body, announced that it would begin overseeing BNPL companies and have them submit to “affordability checks” before establishing accounts out of concern that BNPL spurs consumers to spend far more than they should.

Dave Trader, field CISO at Presidio Inc., said that there is definitely a general privacy and data security risk with such services. “The amount of data these [BNPL firms] collect from a user is on par with the amount of data you would provide to an actual regulated institution,” Trader pointed out.

“This means we must be vigilant of where and to whom we provide data. We need to evaluate the reputation of these unregulated environments, especially if we choose to utilize them,” he continued, “and be cognizant that not all environments are created equal, or come with the basic protections as a regulated source would have.”

Moreover, industry experts pointed out that these new online layaway plans also may present a new attack vector for cybercriminals looking to access financial data or hijack legitimate accounts that they could misuse for their own gain.

Industry observers pointed out that, unlike more traditional credit lenders (credit card companies and banks), BNPL services are not required by regulation to carry out credit reviews on their applicants. That makes it easier for bad actors to set up fraudulent accounts (which they would close immediately after receiving their goods and before paying off what they owe) or to impersonate legitimate customers.

“Regulation seems to be looking at this because the structure of BNPL offers skirts current credit regulations,” said Padraic O’Reilly, co-founder of CyberSaint. “The cyber risks here involve fraud and the tradeoff between the expense of due diligence and the possible exclusion of good candidates for short-term credit. Soft credit checks will likely not prove adequate. But the bigger issue is fraud and digital identity more generally.”

Executives at BNPL provider Klarna are aware of “the fraud and cybersecurity issues that impact the retail and payments industries as a whole,” according to an email from an unnamed Klarna executive, relayed via the company’s public relations. “At Klarna, our customer’s safety and security is our top priority and we work continuously to prevent, identify, and mitigate fraudulent activity.”

The spokesman said that Klarna boasts 200 fraud security experts to monitor more than “180 data points on each transaction, [using] advanced detection technology and sophisticated underwriting to identify potential fraud attempts in real time.”
