Buy Now Pay Less Or… Don’t Pay
How criminals can profit from shared liability
How criminals can profit from shared liability
BNPL (Buy Now Pay Later) is a type of short-term financing allowing consumers to make purchases and pay at a later date (often interest-free). It’s been one of the great financial technology (‘fintech’) success stories of the last decade. BNPL loans have soared in the last couple of years as consumers take advantage of the promise of getting goods for a limited upfront payment. 24 percent of Europeans now use BNPL at online checkout. But BNPL is now preoccupying regulators as rising interest rates and concerns over bad debts have caused the value of key BNPL players like Sweden’s Klarna to crash. BNPL has added convenience for consumers, but it’s also been put to questionable uses. In a recently publicised case, a US-based BNPL provider called Credova offered no-interest loans to buy guns and ammunition under the marketing slogan ‘shoot now, pay later’.
And there’s another thing to worry about when it comes to BNPL. Below I will show how simple it is to use stolen identities to take money from any merchant that supports BNPL companies as a payment mechanism. Fraudsters are never slow to jump on a new tech trend, and at this point, several well-documented fraud schemes against BNPL either use stolen card details or delay payments to the merchant. After my previous work in synthetic identities and card fraud, I looked at how criminals could utilise security gaps to steal money from BNPL providers. And I was shocked by how little effort is required to amplify synthetic identity fraud and bring lucrative criminal schemes to the next level.
Step 1. Issuing a card using a fake identity
For the BNPL provider I chose, the registration process starts with adding an existing credit card. I was not going to use someone else’s stolen card, as this is infeasible for many BNPL providers, including the one I picked. Most European payment services now require proper 3D-Secure verification (sending a one-time code to a separate device) when you do operations with the card. This set-up is now mandatory due to a regulation we wrote about last year. But adding a real card to the BNPL app as a source of funds will leave unnecessary trails that could eventually lead to criminals. But what if there could be a way to create a MasterCard card with no trail to the real identity? Would criminals be happy to use that advantage against BNPL providers?
So instead of using one of my cards, I issued a new Samsung Pay+ card without any formal verification using my friend’s name. Because of the gaps in Samsung’s customer due diligence and “Know Your Customer” (KYC) processes, it was concerningly easy. I still need to add a valid card as a source of funds for the Samsung Pay+ card. This time I will add my real card to Samsung Pay+, and we will come back to that later. The scheme of my simulation might look a bit complex:
Step 2. BNPL registration using just issued card
If Facebook were to offer you a BNPL scheme, it would likely know everything about you: your salary, your outgoings, even when you are likely to die (and default on the payment). But the BNPL provider I picked didn't have such information about me. Instead, the provider just asks for a valid card to ensure that the customer is genuine. To keep its customer retention levels high, it won't carry out proper KYC checks either, meaning no proof of address or proof of identity is required. So, if I were a criminal, I’d buy a fresh SIM card and use the same approach as in my previous Samsung Pay+ article, picking information about some existing individuals from one of the public UK databases.
It’s the easiest way to get a correct name-address match. If a criminal could discover the date of birth of a potential victim, that would bring him to the desired card enrolled on a fake name. At this point, you may ask: surely you can’t just look up someone’s name and address in a public database and then use it to create a fake ID. Well, ex-banker and campaigner Graham Barrow has been pointing out for years just how easy it is to do this using the Companies House database. In a recent case, fraudsters stole the identities of a civil servant at the UK Ministry of Justice and an employee of the UK’s tax authority to set up shell companies (for likely use in money laundering). You can’t say that criminals don’t have a sense of humour.
So now we will add the card that we just issued (with a fake ID) as a source of funds in a BNPL app. Again, this card has nothing to do with me - if a debt collector decides to find me having information that I left in the system, they will struggle to do that. In other words, we could use anyone’s personal details to issue a virtual card and create a BNPL account.
You don’t need too much information to create a BNPL account
Step 3. Buying products
Once I set up a BNPL account, I looked at the list of stores that work with the provider to find a victim and ended up picking up H&M. Criminals would try to maximise their benefits and turnover rates. They’d buy gift cards to make the most money from BNPL fraud. H&M, though, does not allow purchases of gift cards using the BNPL scheme (smart of them!) So the next best option from the criminal’s perspective is to buy expensive but popular gadgets (iPhones, iPads, Nintendo, etc.). But I was more humble, and I simply decided to upgrade my socks and collected almost a £50 basket:
When you shop online, you have a billing address and a delivery address. A lot of checks are made around the billing address. If a customer sets one billing address in the BNPL app and a different billing address in the checkout form, the BNPL provider may notice that, and the purchase will be suspended. But the delivery address could be anything. It’s more common to deliver goods to a different address. Criminals would not order products using their real address, but using public addresses with easy access instead, such as a hotel reception or an apartment block with a concierge. And a lot of stores using BNPL services provide the perfect option: you can choose “collect from the store”.
The bottom line is that as long as the billing address in the basket is the same as the address in the BNPL system, they won’t get banned or checked. At the “checkout with the BNPL provider” step, depending on the current risk calculation, criminals will have a few options: pay 25% or 30% now and the rest within the next few weeks or pay everything in 30 days' time. Both of these options are quite lucrative if you do not plan to pay in the end.
BNPL providers offer the option to split payments into three across 60 days or to postpone the full payment for 30 days.
Step 4. Getting away with fraud
Fraud has been committed. What’s next? In 30 days, when a customer refuses to make his next payment, he will fall into a default category. Whose fault is that? Under current UK regulations, merchants are liable for any BNPL defaults. Most BNPL providers are not taking fraud risks on their shoulders; for the few that are, it’s a gesture of goodwill.
When a criminal refuses to pay, the victim of identity theft will receive a rather confusing letter
Now, let’s imagine that a merchant decided to sell the debt to a debt collecting agency that’s very eager to find the criminal. And it’s possible, in theory, if the criminal would use his real card, as well as I did this time.
Let me remind you of the long chain of instances involved in the crime:
- the real criminal’s card that was added to the Samsung Pay+. This card is the only piece of evidence that could lead to the fraudster;
- the Samsung Pay+ virtual card, issued under a fake name;
- BNPL account that’s issued under another fake name:
Simply speaking, if I were a collector, I’d put this case away and focus on something easier.
But what if criminals would like to hide their traces fully? They would have to find the answer to the question - “How easy is it to get a debit card using a fake ID?”
What can we do to stop that?
Modern fintech implements its services within the existing payment systems: mobile point-of-sale (POS) providers integrate their services between acquiring banks and merchants, BNPL providers wedge between merchants and customers, and mobile wallets and other gadgets sit between the customers and their issuing banks. But every time, fintech companies try to avoid taking any liability. The fintech ties itself to the payment chain and its profits but prefers to share the risks and responsibilities. I see a pattern here - “shared responsibility means no responsibility”. Instead of that, the right way would be to explicitly determine the liability according to functions, technical capabilities and revenue distribution of every part of the new chain.
For example, mobile payments like Apple Pay or Google Pay take a big slice of every executed payment. But in any fraud cases involving their devices, their stance towards the fintechs is: “We just provide infrastructure, it’s your name and logo on the technology!”. The same is true with BNPL: they’re not going to make KYC verifications, and neither are their customers, the merchants. Instead of that, they rely on the fact that it’s “impossible” to issue a debit card without proper verification. But once you have a black sheep in a herd, all your strategy falls apart.