By Sam Crowther, CEO and founder, Kasada
BNPL, or Buy Now, Pay Later, crashed the retail scene with a dual mission of making it easier for consumers to afford desired goods without a traditional credit card and helping online retailers improve their conversion rates. The approach was tremendously popular. Last year it accounted for some $97 billion of global e-commerce transactions, and many BNPL companies claim they have improved conversion rates by at least 20 percent. To say the approach found a niche in the market and succeeded would be an understatement.
But with great success comes increased notoriety—especially when it comes to fraudsters and cybercriminals. Anywhere money is being made online attracts the darker parts of the Internet, as bad actors look for ways to exploit a system and make a quick buck. BNPL companies almost immediately had targets on their backs.
Why the quick targeting by fraudsters? BNPL companies are new to the fintech space, so their security posture is likely less mature than that of established financial institutions such as banks. That makes them a prime target for fraudsters, who understand these firms have fewer resources, precautions, and tools in place to detect and respond to incidents.
BNPL companies need to take immediate steps to address this newfound attention and protect their business model before consumers, investors, and retailers leave them behind.
Methods of Attack
Fraudsters use automation to run credential stuffing and credential cracking attacks. Credential stuffing replays username and password pairs leaked from other breaches, betting that consumers reuse them across sites; credential cracking guesses passwords for known usernames. Either way, bots test thousands of login combinations in minutes. The payoff is account fraud in two forms: takeover of existing consumer accounts, and fake accounts created for payment fraud and money laundering.
In an account takeover, the fraudster is looking for a login that works and belongs to a real, active consumer. Once in control of the account, they buy as much as possible and leave the real account holder with the bill: buy now, pay never.
In fake account creation, fraudsters buy stolen consumer identities and use them to open new accounts, then exploit the BNPL provider from either the consumer side or the retailer side.
On the consumer side, fake accounts are either resold on the Dark Web as confirmed, working accounts, or used to buy as many goods as possible with no intention of ever paying. Because the BNPL provider fronts the payment to the retailer, it is the provider that is left footing the bill for the fraud.
On the retailer side, a fake account can be used to set up a fraudulent storefront that collects BNPL payouts without ever shipping goods. The consumer loses money and never receives the goods, the retailer and the BNPL brand take the blame, and the fraudster disappears. Even though the fault is not theirs, retailers are left choosing between a reputational hit and a financial one, refunding the purchase or shipping the goods free of charge. Truly a lose-lose situation.
Stopping BNPL Fraud
Progressive BNPL companies and retailers have already started to address these problems, but many available solutions are either not going far enough, or are interrupting the purchasing process for consumers.
Authentication, verification, and one-time passwords are a step in the right direction, and layering protections one over another is always a sound approach. That said, these controls do not stop the automation behind the attacks; they only raise the cost of working around them. One-time passwords, for example, can be captured and relayed by real-time phishing kits, and a bot that already holds valid stolen credentials passes a login check exactly as a human would.
CAPTCHAs are another common measure, and they have proven both ineffective and disruptive to the consumer. No one wants their purchase delayed so they can count the stop signs or bridges in a photo. The friction is well documented, and so is the ease with which fraudsters bypass them, whether with automated solvers or cheap human solving services. If the BNPL business model is to improve conversion rates for retailers, adding CAPTCHAs to the checkout can quickly erase that benefit.
To truly prevent accounts from being created or stolen in bulk, BNPL providers need to strengthen security at the login and signup points so that malicious automation is detected and blocked before it reaches the site, without adding friction for genuine customers. If bots cannot get in at all, both security and retailer conversion rates improve.
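As an added example, not code from the original article or from Kasada, the following script shows what the automation described in the Methods of Attack section looks like in a login log, and how a provider can spot it at the login point. It assumes a log format of the form `<ISO timestamp> ip=<addr> user=<login> result=<ok|fail>`, and the thresholds, window, user names and IP addresses (RFC 5737 documentation ranges) are all constructed for illustration. It separates the two patterns the article names: one IP cycling through many different usernames with almost every attempt failing (stuffing a leaked list), and one username receiving a burst of failures from any number of IPs (cracking), then marks any success from a stuffing source as a probable takeover.

```python
"""Flag credential-stuffing and credential-cracking bursts in login logs.

Added example; log format, thresholds and sample traffic are assumptions
constructed for this illustration, not a real BNPL provider's data.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format: <ISO timestamp> ip=<addr> user=<login> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Attempt(datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")


def detect(lines, window=timedelta(minutes=5), stuffing_users=20,
           cracking_attempts=15, fail_ratio=0.9):
    """Return {"stuffing": set(ip), "cracking": set(user), "takeover": set((user, ip))}.

    stuffing: one source IP tries >= stuffing_users *different* usernames inside
              the window with a failure ratio >= fail_ratio (leaked list replay).
    cracking: one username receives >= cracking_attempts failures inside the
              window, from any number of IPs (password guessing on one account).
    takeover: any successful login from an IP flagged as a stuffing source,
              i.e. the stolen credential that actually worked.
    """
    attempts = sorted((a for a in map(parse_line, lines) if a), key=lambda a: a.ts)
    by_ip, by_user = defaultdict(deque), defaultdict(deque)
    alerts = {"stuffing": set(), "cracking": set(), "takeover": set()}

    for a in attempts:
        # Sliding window of this IP's recent attempts.
        q = by_ip[a.ip]
        q.append(a)
        while a.ts - q[0].ts > window:
            q.popleft()
        distinct_users = {x.user for x in q}
        fails = sum(1 for x in q if not x.ok)
        if len(distinct_users) >= stuffing_users and fails / len(q) >= fail_ratio:
            alerts["stuffing"].add(a.ip)

        # Sliding window of attempts against this username, across all IPs.
        u = by_user[a.user]
        u.append(a)
        while a.ts - u[0].ts > window:
            u.popleft()
        if sum(1 for x in u if not x.ok) >= cracking_attempts:
            alerts["cracking"].add(a.user)

    # Sweep afterwards so a success that landed before the IP crossed the
    # threshold is still attributed to the stuffing campaign.
    alerts["takeover"] = {(a.user, a.ip) for a in attempts
                          if a.ok and a.ip in alerts["stuffing"]}
    return alerts


def sample_log():
    """Constructed sample traffic: a few real users, one stuffing IP, one cracked account."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    lines = [
        f"{t0.isoformat()} ip=10.0.0.5 user=bob result=ok",
        f"{(t0 + timedelta(seconds=30)).isoformat()} ip=10.0.0.9 user=carol result=fail",
        f"{(t0 + timedelta(seconds=45)).isoformat()} ip=10.0.0.9 user=carol result=ok",
    ]
    # Credential stuffing: one IP, 30 usernames from a leaked list, two of them work.
    for i in range(30):
        result = "ok" if i in (12, 25) else "fail"
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} "
                     f"ip=203.0.113.7 user=victim{i:02d} result={result}")
    # Credential cracking: 20 password guesses at one account from rotating IPs.
    for i in range(20):
        lines.append(f"{(t0 + timedelta(seconds=3 * i)).isoformat()} "
                     f"ip=198.51.100.{i + 1} user=alice result=fail")
    return lines


if __name__ == "__main__":
    for kind, hits in detect(sample_log()).items():
        print(kind, sorted(hits))
```

Note the asymmetry in the two checks: stuffing is keyed on the source, because a leaked list is replayed from one place against many accounts, while cracking is keyed on the target, because rotating proxies leave each IP looking innocent. The cracking detector therefore does not depend on IP reputation at all. In production the per-IP key would be widened to a device or session fingerprint, since an attacker who rotates addresses between usernames defeats the per-IP stuffing check as written.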
Protecting the Model
BNPL is an innovative and transformative way to shop that opens up credit to shoppers who may not otherwise have access to it, while giving retailers a boost. The unintended consequence of its popularity is that fraudsters are drawn to these new, and often less hardened, ways of shopping and paying.
Solving this problem falls to the retailers and BNPL providers, not to the consumer. That means systems that detect malicious automation without shifting the burden onto shoppers. There is an inevitable trade-off between making it easy to buy and keeping fraudsters and bots from having their way with your site. It is not an easy balance to strike, but it must be struck if fraud is not to drive customers away.