Buy Now Pay Later (BNPL) schemes might make life easier for shoppers lacking ready money – but they also represent juicy pickings for scheming cybercriminals, say analysts.
Though some might say an upfront line of interest-free credit to pay for goods one bite-sized chunk at a time represents consumer heaven, there is growing evidence that online crooks are using BNPL to take a big bite of their own. In part, this is thought to be because lax security practices that make it easy to sign up are also making life easier for fraudsters.
Threat actors are hacking into legitimate customer accounts using techniques such as phishing attacks and SIM card cloning, as well as setting up fake accounts with stolen copies of passports and other forms of identification.
“Through access to personal information obtained on the Dark Web such as fake credit cards and compromised email credentials, bad actors are able to commit account takeover attacks as well as sign up for fake BNPL accounts to make illegitimate purchases without ever having to pay for the item,” a spokesman for fraud prevention body Sift told Cybernews.
Sift added that there had been an 850% increase in account takeovers against the fintech sector between 2020 and 2021 – meaning cases had risen to nearly ten times their previous number over a twelve-month period, in what the fraud body described as a “cyclone pace” of escalating mass attacks.
In some cases, fraudsters even collude with retail merchants to illegally cash in on default credit lines. But in other instances, vendors are victims when they are hit with chargebacks from credit card companies who insist they make good on debts racked up by fraudsters.
A fraud epidemic
Moreover, it is thought the upswing in remote transactions caused by COVID-related lockdowns has further fuelled fraudulent activities over the past two years.
“Today’s cybercriminals are unrelenting and have greatly taken advantage of consumers and businesses throughout the pandemic,” said Joe Burton, head of communications security firm TeleSign.
Nearly nine-tenths of consumers had fallen foul of credit card fraud, identity theft, or a data breach, with nearly half of companies experiencing customer fraud, cybercrime, or asset misappropriation.
“BNPL companies and their customers are specifically at risk, so they need to implement advanced technology that protects consumers,” said Burton.
Don’t take shortcuts, BNPL firms warned
Urging BNPL providers not to stint on security for the sake of attracting more customers through ease of access, he advised them to adopt phone number verification technology and risk-factor assessment to confirm identities when assessing potential clients.
Two- or multi-factor authentication involving biometric data validation, such as fingerprint or facial recognition, would “further thwart would-be fraudsters,” Burton added, as would setting a limit on login attempts and requiring complex passwords.
Sift said the upsurge in BNPL crimes was confirmed by activity on fraud forums accessed via secure messaging apps such as Telegram, with threat actors posting “unlimited access” to accounts held with top loan providers for just $35.
Cybernews reached out to publicly listed BNPL company Laybuy to ask what measures it had taken to combat the growing threat of fraud, but it declined to comment, citing security concerns.