BNPL fraud: Avoiding buy now, pay never
By Gergo Varga, Product Evangelist at SEON
Mention of a BNPL model – Buy Now, Pay Later – within the ecommerce space will inevitably result in a flurry of statistics and snippets of fintech news.
“Did you know that by 2025 BNPL spending will reach $1 trillion?” says one.
“Apple Pay Later will roll out this month!” says another.
Then everyone basks in the glow of a burgeoning new financial product for a moment, before a real party pooper mentions, “but have you considered that between now and 2025, perhaps $206 billion will be lost to fraud?”
Now everyone is angry. But the party was pooped justifiably.
The risks of BNPL
Even with the increasingly concerned government regulation of BNPL, it is a payment model that has inherent vulnerabilities which make it a prime target for fraud. Consider that in a Buy Now, Pay Later ecosystem, the customer journey is essentially the same as a “normal” shopping experience until the point of checkout, when they choose to pay in regular installments through a third-party provider like Klarna or Afterpay. The difference, however, is that the customer would normally pay the full price upfront, triggering the delivery of their purchase, and throughout that process would be subject to some form of mandated SCA check, either in the form of multi-factor authentication or a liveness check by phone or selfie.
Currently, while world governments scrutinize and deliberate over the best time and place to step in, there is no hard regulation that requires BNPL systems to play in the same secure sandbox.
This situation provides a literal wealth of opportunities for fraud. Within this space where regulation is still an approaching dot on the horizon, fraudsters know there is time to exploit weaknesses that are naturally occurring in the BNPL model. Weaknesses like, for example, the lengthened attack surface of the payment process, the need for a low-friction environment with only “soft” authentication checks, and the general newness of the product for both regulators and security teams.
Though the BNPL ecosystem is new, the ways in which bad actors will take advantage of vulnerabilities are old. Before diving into meaningful preventative strategies to prevent BNPL fraud, it’s paramount to understand how fraud and BNPL’s natural weak points interface.
The slippery slope of BNPL security
Synthetic identity fraud is one of the most common forms of ecommerce fraud, period, and is easier to get away with in a BNPL environment. As these attacks are very often automated in a kind of scattergun approach, with fraudsters throwing dozens or hundreds of bots against a gateway until one works, they can typically be mitigated by simple liveness checks via phone or selfie.
However, in a BNPL system, companies are highly aware of two things: Friction in BNPL leads to lowered ROI, and international mandates are currently not requiring hard KYC checks within BNPL.
Consider that, for BNPL providers, their financial product is essentially a way to avoid the friction of not being able to afford a purchase. Not enough money this month? Don’t worry about it! Pay for it later, it says. Even the amount of time it takes to confirm liveness via a selfie is enough for some customers to consider: “Should I really be making this purchase?”
A recent study by Statista found that the shopping cart abandonment rate was nearly 80 percent last year, and for verticals that BNPL is fond of, like accessible fashion, it was as high as 88 percent – a lost value of $4.6 trillion across all ecommerce. Market research shows that for many of those customers, small moments of friction like forced account registration, overlong required legal text, and miscalculated currency conversions contribute to this staggeringly high number. A BNPL payment solution seems to address these pain points specifically, allowing customers to enjoy a low-legislation, low-friction sign-up process where payment woes are significantly diminished. It’s not hard to imagine that a BNPL company, when the possibility to recoup some of that 88 percent is presented, is prepared to do away with simple and effective fraud prevention techniques like biometric liveness checks with $4.6 trillion dollar signs in their eyes.
Low friction, high risk
Other BNPL risks include account takeovers, where fraudsters gain access to a BNPL account in order to exploit it, either mining it for data or making unauthorized purchases. This is usually achieved by some sort of credential stuffing, where bots are programmed to rapidly attempt to push stolen credit card or ID credentials through a gateway until one works.
Fraudsters can also run a bait-and-switch on an account: they register in the low-scrutiny BNPL system, make an initial purchase through the BNPL provider, then switch to a stolen credit card once they are already inside the system. Without real-time monitoring behind the scenes, it’s extremely unlikely that such a volatile account will be noticed until the chargebacks start coming in.
This extended time period is emblematic of the BNPL model’s much-extended attack surface for potential malicious users. A victim of account takeover fraud might not be aware they were hacked until the second scheduled charge arrives in their inbox, which could potentially be weeks after the hack. By the time they report it and request a chargeback, the criminal is probably long gone, digitally speaking.
In a traditional transaction, the entire customer interaction could be scrutinized by a fraud prevention program, from onboarding to checkout, to look for anomalies. In BNPL, the extended nature of the payment process provides much more time for a fraudster to slip away into anonymity.
Notably, these common forms of fraud would be easily mitigated in another payment ecosystem that required more stringent financial checks, including liveness and biometrics, but most BNPL providers would still prefer not to implement them in the name of a frictionless checkout process.
Minimizing loss in BNPL
The result of this slippery slope — kept intentionally slippery in the name of profit yield — is the need for specialized fraud mitigation solutions. In the absence of working government mandates, financial bodies worldwide have strongly encouraged BNPLs to vet their customers and merchants more aggressively, with the aid of fraud detection tools. Tools that run effectively under the hood, with minimal added friction.
To narrow the vulnerabilities in the BNPL system, a successfully deployed fraud solution will have risk-assessing capabilities like real-time data enrichment with multiple data touchpoints. By taking the details submitted on registration like email, phone, and IP addresses, then gathering publicly available OSINT data on them, a complete profile of a user can be created. This profile can then be scrutinized for potentially fraudulent markers, like a complete lack of social media, allowing a risk decision to be made with as much confidence as a liveness check. If the scrutiny comes back with a suspicious risk score, hard biometrics checks can be thrown up in the face of a high-risk user.
As well, frictionless fraud detection should leverage machine learning software for pattern recognition aimed at spotting transactions that have suspiciously automated behavior. As fraudsters will generally be working at scale, perhaps trying to pressure hundreds of accounts or profiles through security at once, patterns in their behavior can be spotted by well-updated blackbox or whitebox ML algorithms that would be overseen by a human fraud team for manual checks.
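The two mechanisms described above, a risk score built from enrichment signals that decides whether to stay frictionless or step up to a liveness check, and velocity monitoring that spots the scaled, automated sign-up behaviour the previous paragraph mentions, can be sketched in code. The following is an added example written for this article, not SEON's product or any BNPL provider's code. The enrichment fields, the weights, the thresholds and the sample sign-ups are all constructed assumptions; a real deployment would fill the signals from live email, phone and IP lookups and tune the weights against its own chargeback data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Enrichment:
    """Signals a data-enrichment lookup returns for one sign-up.
    Constructed for this example; field names are assumptions."""
    email_social_profiles: int     # linked social accounts found for the email
    email_first_seen_days: int     # days since the email was first observed
    email_domain_free: bool        # free webmail provider
    phone_type: str                # "mobile", "landline" or "voip"
    ip_is_proxy_or_dc: bool        # proxy / VPN / datacenter IP
    ip_country_matches_phone: bool # IP geolocation agrees with phone country


# Assumed thresholds: below STEP_UP stays frictionless, above REVIEW is held.
STEP_UP_THRESHOLD = 40
REVIEW_THRESHOLD = 70


def risk_score(sig: Enrichment) -> int:
    """Additive score over the enrichment markers; weights are illustrative."""
    score = 0
    if sig.email_social_profiles == 0:
        score += 25  # the "complete lack of social media" marker
    if sig.email_first_seen_days < 30:
        score += 20  # brand-new email address
    if sig.email_domain_free:
        score += 5
    if sig.phone_type == "voip":
        score += 20  # disposable number
    if sig.ip_is_proxy_or_dc:
        score += 20
    if not sig.ip_country_matches_phone:
        score += 10
    return min(score, 100)


def decide(score: int) -> str:
    """Map a score to the friction applied: approve, step_up (liveness), review."""
    if score >= REVIEW_THRESHOLD:
        return "review"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "approve"


class VelocityMonitor:
    """Counts sign-ups per key (IP or device fingerprint) in a sliding window,
    so a burst of automated registrations is flagged even if each one
    scores low on its own. Timestamps are epoch seconds."""

    def __init__(self, window_seconds: float, limit: int):
        self.window = window_seconds
        self.limit = limit
        self.events = defaultdict(list)

    def record(self, key: str, ts: float) -> bool:
        """Record one sign-up; return True when the key exceeds the limit."""
        kept = [t for t in self.events[key] if t > ts - self.window]
        kept.append(ts)
        self.events[key] = kept
        return len(kept) > self.limit


def assess_signup(sig: Enrichment, key: str, ts: float,
                  monitor: VelocityMonitor) -> str:
    """Combine the per-user score with velocity: a burst forces at least step-up."""
    decision = decide(risk_score(sig))
    if monitor.record(key, ts) and decision == "approve":
        decision = "step_up"
    return decision


def demo() -> dict:
    """Constructed sign-ups: one ordinary shopper, one bot burst from a single IP."""
    monitor = VelocityMonitor(window_seconds=600, limit=5)
    shopper = Enrichment(3, 800, True, "mobile", False, True)
    bot = Enrichment(0, 5, True, "voip", True, False)
    results = {"shopper": assess_signup(shopper, "203.0.113.7", 1000.0, monitor)}
    # six registrations from one IP within two minutes trip the velocity limit
    burst = [assess_signup(Enrichment(2, 400, True, "mobile", False, True),
                           "198.51.100.9", 2000.0 + 20 * i, monitor)
             for i in range(6)]
    results["burst"] = burst
    results["bot"] = decide(risk_score(bot))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the score alone would wave through the burst accounts (each looks like an ordinary shopper), while the velocity monitor alone would miss a single well-crafted synthetic identity; only the combination reproduces the article's "frictionless by default, friction on demand" posture.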
With huge companies like NatWest and Apple diversifying their financial services into BNPL, both the application and exploitation of the model will continue to evolve. The financial regulators of the world are now drawing lines, minimizing a potential debt bubble resulting from BNPL overindulgence. This means it is overwhelmingly likely that there will be a little more positive friction in many BNPL customer journeys. While a liveness check via selfie might always contribute to a high cart abandonment rate, this does not mean your company shouldn’t be preparing to be proactive about BNPL fraud. Rather than mourn your ROI in the face of new government BNPL mandates, implement an under-the-hood solution to shake the fraudsters out of your tree. These fraudsters don’t care about financial regulation, so there isn’t really any reason to provide them with a frictionless journey to successful cybercrime.
About the author
Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He’s the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as Product Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what’s happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.