Digital Lending - Fraud Now Pay Later

Today, identity has become the number one threat vector for how fraud occurs. How people steal your money. Today I'm here to talk about buy now pay later services and how scammers exploit these systems.

For those of us who may not know, can I give a little background on what these services are and how they differ from traditional credit cards? If you shop online, we are familiar with checking and then providing credit card numbers to the merchant. Now there are these new Buy Now Pay Later methods where they basically say things like, “Hey, pay for this transaction in three easy payments,” so they break the payments up into easy installments.

We are seeing either new types of payday companies and many more offering this kind of repayment schedule. You may get offers from your credit card company: “Pay it in easy installments.” That's buy now, pay later. What's really tempting for fraudsters is that there is a whole new attack pattern that allows you to steal your money. When you pay for a purchase now, there is a later transaction, and that may be a little different than your traditional credit card, when you use that credit card online, you've already established a relationship with your bank, extended the line of credit, and given you the credit card. Many of them are buy now pay later where you can open an account with them when you buy something.

If you're buying something online and you choose one of these Buy Now Pay Later options, you're actually signing up, you're basically creating that account when you pay. What the scammers are doing is rather than exploiting the payment scam, they are actually exploiting the account registration part of it. In other words, setting up this account with a Buy Now, Pay Later retailer or even a credit card provider. They can steal your identity and set up an account in your name, but the goods or services delivered to them. In fact, it just adds another risk factor to how crooks can steal your stuff. Again, rather than stealing your credit card numbers, which is an account set up with your bank, they may try to steal your identity by opening an account with one of these Buy Now, Pay Later options and complete the transaction, have the item shipped to you.

That's what makes it so tempting for fraudsters, it's a new vulnerability in the payment method. The ways in which credit cards have been protected have been refined for years, learning from fraudulent attacks on similar things. With these new methods, fraudsters spent time looking for weak spots in the new processes, where the vulnerability is. This is your first time going through this, it's not that safe. As we learn from the way fraudsters use these new methods, we can then put controls in place to protect.

What security controls are required for these services?

In many cases, the established credit card companies that you do business with regularly use some traditional payment methods. In other words, they can send the payment through the so-called 3D secure protocol. The 3D secure protocol, especially version 2.0, is a relatively recent protocol in the world of card transactions.

To open an account with Buy Now, Pay Later or a financial institution to make a payment that you provide, "Here's my name, here's my Aadhar number, potentially, here's my information," they can set up a line of credit for that account. Run a credit check and find out, "Do we even offer you a Buy Now, Pay Later payment extension?" That's where the new identity controls have to come into play, and that's where we see the widest spectrum of controls outside of their security controls.

How secure is this identity check to make sure it's really you. In other words, why couldn't someone else simply go to the e-commerce site and claim to have the same identity, say they would like to purchase this product in three easy installments, steal my identity, get credit, and then complete the transaction? It's the sets of identity controls that we're really seeing in the broader spectrum of how they're ready for initial enrollment or what we call identity security checks.

So in order to provide assurance to borrowers, it is necessary for these businesses to provide assurance of identity control that this is not a bot that is committing fraud. In the buy now pay later game, identity theft and account registration fraud are the main attack vectors for these new convenient payment methods.