BNPL, or buy now, pay later, has been an easy way for retail and e-commerce companies – in many cases those selling collectables or luxury items – to improve their customer conversion rate by spreading out payments without using a credit card. Despite being relatively new, BNPL accounted for 2.1 per cent of global e-commerce transactions in 2021 (nearly $97billion) according to CNBC. Some BNPL companies have even claimed that their service boosts conversion rates by 20 per cent or more. This hasn’t gone unnoticed by fraudsters.
Sam Crowther is an entrepreneur with a passion for cybersecurity. The Kasada founder got his start in the industry as a high school student when he joined the cybersecurity team of the Australian Signals Directorate (ASD). From there, he moved to a red team role at a global investment bank, an experience that inspired him to start his own company. With funding from US and Australian investors, Crowther launched Kasada in 2015 to provide innovative web traffic integrity solutions to companies around the world.
Speaking to The Fintech Times, Crowther explains what can be done to fight fraud in BNPL and describes the indicators of fraud in the sector:
As BNPL grows in popularity, bot operators have started to take notice. They’re constantly on their toes, looking for new ways to exploit the system and make a profit, and now BNPL is suddenly the latest and greatest target for fraudsters. Many see it as a way to “Buy Now, Pay Never.”
Why now? Simply put, it’s lucrative, and many companies’ defenses are lacking. Cybercriminals can easily target both consumers and merchants, leaving the BNPL provider and the banks who back them responsible for payment. This combination puts BNPL in the bot operators’ crosshairs.
BNPL companies need to immediately take steps to address this newfound attention and protect their business, before consumers and retailers lose confidence in the business model.
How bots attack BNPL
To stop bots, it is important to first understand how they can attack BNPL companies and financial institutions.
The login is the most common exploit used by fraudsters, as it allows them to create new consumer or merchant accounts, or to take over existing ones using credential stuffing. Fraudsters either rent premade bots that have already been tested and are known to bypass common defenses, or they create their own using the wealth of information existing online in communities and hacker groups.
With bots readily available and cheap to purchase, fraudsters leverage automation to create new accounts at scale. Using databases of stolen identities purchased on the Dark Web, thousands of attempts are made daily to create fake accounts. When there is an account created that passes verification tasks, the fraudsters are in – and can then move forward with the next phase of their plan.
- Consumer Accounts – Fake consumer accounts are monetised by immediately activating the “buy now” part of the acronym. Once purchased and the goods are sent, these fake accounts refuse to pay the installments, leaving the BNPL providers on the hook for the funds.
In addition, when a working account is discovered, some fraudsters will forgo the goods and sell the verified fake account itself to the highest bidder.
- Merchant Accounts – While consumer fraud is the most common type, successful merchant fraud can give cybercriminals the opportunity to launder fraudulent funds. Creating a fake merchant account can then set off a series of fraudulent activities that include setting up a fake store that either doesn’t exist, or will never fulfill any purchases. Consumers are lured to the fake storefront to make a purchase, using BNPL. The fake merchant is then paid in full by the BNPL organisation before any fraud is discovered. By the time those involved realise the ruse, it’s too late, and the fake merchant – and the money – is long gone.
Account takeover (ATO) attacks are a very common method that cybercriminals use to evade the “pay later” part of BNPL. In this approach, they utilise bots to automate the testing of login credentials against websites until they find one that works. Once in the system, attackers lock actual users out of their own accounts and then proceed to max out their credit limit with purchase after purchase, leaving their unpaid debts to the actual account owner.
Successful ATO attacks give fraudsters a way to make purchases to their fraudulent merchants, basically sending a legitimate user’s funds to an illegitimate merchant that will take the money and run.
Fighting back against bots
It is estimated that some five per cent of all digital payment fraud still gets through payment and anti-fraud solutions. Various verification and security measures have begun to be implemented by BNPL organisations – but it’s clearly not enough. Identifying fraud in your system is different than stopping it from happening in the first place. Once cybercriminals are allowed in your system, all bets are off. You could get lucky and catch their fake account efforts quickly, while also missing the other nefarious actions they took inside your network.
To truly fight back, BNPL organisations should actively work to prevent bots from ever entering their sites. Security should be strengthened at the point of login, as that is where most of the fraud begins. Protecting against bots that can create accounts or take them over will reduce the strain on their systems.
At the same time, investment in another layer of complimentary security will be necessary – such as multi-factor authentication (MFA) or one-time passwords (OTP). Security solutions work best when layered on top of each other – but when it comes to BNPL, there are other considerations to factor in.
For a service that’s supposed to give retailers a way to improve conversion rates and overall sales, anything that makes the process harder or longer can have the effect of driving consumers away.
Preventing points of friction
For example, many security solutions add elements that make the sales process harder, such as a CAPTCHA. These verification tools are overwhelmingly popular, despite the fact that they’ve proven to be easily beaten by fraudsters, and are often ridiculed by consumers. CAPTCHA farms have sprung up to help attackers beat CAPTCHAs for an extremely low price. While CAPTCHAs were meant to help in the fight against bots, they now seem to exist only to add unnecessary friction to the buying process – friction that goes against the very reason that BNPL was created.
Anything added to the checkout process will have the unintended consequence of delaying the purchase, potentially losing the customer for good. It is a tradeoff that works for no one. This is why strengthening security at the point of login is so necessary – as it will prevent these friction-causing elements from ever coming into play.
Striking a balance
BNPL is an innovation with the potential to change the way that people shop forever. It opens up credit to shoppers that may not have immediate access to it, while providing a boost to retailers and e-commerce businesses looking to improve their conversion rates. Unfortunately, fraudsters and bot operators also see the potential that less secured financial transaction sites like these present.
To continue to be successful, BNPL companies need to strike a balance between security and the customer experience. Fraud can quickly destroy confidence in their business model, but so too can implementing delays and roadblocks as a part of the buying experience.
Bot-driven fraud will be a persistent problem for BNPL and other digital financial businesses until they implement strong defenses that stop it at the first sign of an automated threat, without asking consumers to click on every photo that contains a street sign.