The recent discovery by Amsterdam-based cybersecurity firm ThreatFabric that criminals are using Android banking trojans to exploit vulnerabilities in BNPL apps to make fraudulent purchases is a clear indication that more needs to be done to curb the rising fraud threat in the buy now, pay later space.
And for those who have argued that unregulated digital lenders, which have risen to prominence in recent years, need to be regulated, such threats only validate their concerns.
Once such crusader, ThreatFabric CEO Han Sahin, tells PYMNTS that a lack of sufficient regulatory oversight in the sector is largely to blame, and in the absence of that, BNPL providers have failed to learn important lessons from the banking sector which has been fighting these kinds of cyber threats for years.
Sahin said that he and others in the industry expected fraudsters to start targeting BNPL apps sooner rather than later, “but the fact that we cannot learn from previous mistakes [is a problem], especially in cybersecurity. It should be part of the design of any type of product or loan or payment system.”
Read more: PYMNTS Intelligence: Exploring Buy Now, Pay Later’s Popularity and Digital Fraud Prevention Tactics
Although partly blaming the lack of built-in fraud controls in BNPL apps, the same way that banks and other lenders are forced to by law, he added that “it’s not only the technology that is missing to get visibility on fraud.”
That said, companies must be willing to act fast to nip the problem in the bud. For example, when ThreatFabric’s team first discovered compromised user credentials, its first move was to alert the affected BNPL providers, including Australian BNPL giant Zip. But despite being warned that their users were at risk, Sahin said that the BNPL firms they contacted didn’t respond for months.
Read also: As BNPL Grows, So Does Threat of Fraud
That experience reminded him of the way banks acted 20 years ago, he added, at a time when they were woefully unprepared to deal with cyber threats and didn’t have the resources or experience to fight online fraud.
Fast forward to today, governments around the world are moving to regulate the BNPL sector, but Sahin said the pace of regulation is too little too late. And because legislators have been playing catch up, anti-fraud measures that could have been built into BNPL apps from the start never were.
Related: UK BNPL Regulation Unlikely Before Mid-2023
A ‘Beautiful’ Money Laundering System
According to Sahin, the biggest weakness in many BNPL solutions is in their less-than-secure identification systems, which are being duped by fraudsters during both the onboarding and the purchasing stages. The result? “A beautiful money laundering system,” he said.
It’s not that the technology isn’t out there to enforce strong customer authentication, he added. A whole industry has grown up around helping banks and payment service providers comply with know-your-customer (KYC) and anti-money laundering (AML) laws.
However, the problem, as Sahin put it, is that in the rush to acquire as many users as quickly as possible, some BNPL providers have sacrificed security for ever-more frictionless onboarding and payment flows.
See also: As BNPL Takes Off, Fraudsters Step Up ‘Collusion Fraud’
In fact, many existing BNPL authentication protocols just aren’t enough to protect against fraud in the context of “a pandemic of data breaches,” he said, pointing to easily accessible personal identifiers such as a passport photo and a password that hackers target when they break into secure databases.
Some Necessary Friction
Sahin expected that live facial recognition and fingerprint-based biometrics will gain traction and are likely to become mandatory in the future.
And while banks and merchants, who often have a knee-jerk reaction against any additional authentication process perceived to introduce friction in the customer journey, might be reluctant to implement these technologies, Sahin said there are instances, such as when buying high-value goods, when additional authentication steps — what some have referred to as ‘positive friction’ — are necessary to verify the identity of users.
Learn more: Dutch Payments Association GM Says ‘Positive Friction’ Will Protect BNPL Users
Moreover, many people already use their fingerprint or facial recognition to unlock their phones, which means that for mobile commerce at least, additional identity verification doesn’t necessarily have to mean extra steps in the payment process.
On the back end, behavioral analytics can also help to ensure continuous identification without interrupting checkout flows — a measure that most banks have already deployed.
Learn more: PYMNTS Intelligence: Deploying Behavioral Analytics to Smooth Friction Points in the Customer Journey
For example, factors such as the angle with which someone holds their phone and the speed at which they type are now being used to decide whether an additional authentication step is required. But to create a safer environment for consumers, these technologies need to be implemented across the whole ecosystem, Sahin said.
For all PYMNTS EMEA coverage, subscribe to the daily EMEA Newsletter.
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More