This information does not need to come from the outside. You can get the list of pain points from your internal teams, such as anti-fraud or risk management.
Overall, this information should give you a sense of direction. It will also help you measure the success of a Red Team exercise. If no one wanted to hack you before, you spent $50k, and no one is hacking you after, that hardly counts as a success for the business. It would be far better to show a reduction in specific fraud numbers instead.
Check 1. Account takeover
We will start with some common techniques and gradually increase the complexity of our checks. One of the most widespread threats against any financial organisation is account takeover, which increased by 121% in 2022. In these attacks, criminals gain access to victims’ accounts in one way or another: it could be phishing campaigns, or a lack of two-factor authentication combined with easy-to-guess passwords. Sometimes criminals compromise email accounts and/or use leaked password databases. How criminals get access to an account is outside the scope of this article and our exercises. The vital question for the Red Team is: what can criminals do once they have compromised the account?
Can they change the buyer’s address and immediately order something?
Can criminals collect purchases in-store instead of disclosing their own addresses?
Does the victim get notifications about recent purchases, and could a criminal change the victim’s email address to avoid that?
What else could be done once you’re in the system without requesting additional one-time codes, such as resetting the account password or changing personal details?
What are the password policies?
Does the system allow accounts without two-factor authentication? Bear in mind that some verification methods are weaker than others, e.g. one-time codes delivered by automated calls can land in a voicemail box and be retrieved later.
Even if you protect accounts or financial operations with one-time codes, it does not mean that these codes cannot be enumerated or bypassed in other ways.
Can criminals use other automated methods, such as password-spraying attacks?
Once the account is compromised, can criminals use the “pay in three”* function with the victim’s card without additional card verification, known as 3D-Secure?
* “pay in three” or “pay in four” are common offerings across BNPL providers, where the payment is split into instalments over time.
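The point about one-time codes being enumerated rather than bypassed deserves a concrete illustration. The sketch below is an added example, not code from the original article: a verifier that gives a code a short lifetime, a hard cap on wrong guesses, single use, and a binding to the exact operation it approves. The class, parameter names and limits are our own constructed values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example, not code from the original article. Sketches a one-time code
# check hardened against the enumeration mentioned in Check 1: short lifetime,
# a hard cap on wrong guesses, single use, and binding the code to the exact
# operation it approves, so a code sent for one payment cannot confirm another.
# Class and parameter names are ours; the limits are constructed values.

CODE_DIGITS = 6
MAX_ATTEMPTS = 3      # wrong guesses allowed before the code is discarded
TTL_SECONDS = 120

@dataclass
class Challenge:
    code: str
    operation: str    # what the code approves, e.g. "pay:49.99:merchant-1"
    issued_at: float
    attempts: int = 0
    used: bool = False

class OtpVerifier:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._challenges: dict[str, Challenge] = {}

    def issue(self, session_id: str, operation: str) -> str:
        """Mint a fresh code bound to one session and one operation (delivered out of band)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[session_id] = Challenge(code, operation, self._clock())
        return code

    def verify(self, session_id: str, operation: str, guess: str) -> bool:
        """True only for a live, unused code, guessed within MAX_ATTEMPTS, for the same operation."""
        ch = self._challenges.get(session_id)
        if ch is None or ch.used:
            return False
        if self._clock() - ch.issued_at > TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[session_id]   # expired or exhausted: a new code must be issued
            return False
        ch.attempts += 1
        # constant-time comparison, and the code must match the operation it was issued for
        ok = hmac.compare_digest(ch.code, guess) and ch.operation == operation
        if ok:
            ch.used = True                     # single use: replaying the code fails
        return ok
```

With a 6-digit code and three attempts per challenge, a guesser's odds per challenge are 3 in 1,000,000; without the cap, the same code can be walked through in full.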
Check 2. Onboarding and KYC checks
BNPL providers are not banks, so regulators do not force them to comply with anti-money laundering frameworks. That is the main reason why onboarding checks are so lenient and why every BNPL provider is full of fake accounts. Finding gaps in onboarding checks is more or less what I have been doing for the last twelve months. Earlier, we published how to open fake accounts at one of the big BNPL providers. Unfortunately, that article made a few fintech companies upset, and they didn’t try to hide it (blurred screenshots?).
What should red teamers focus on during this process:
What kind of due diligence is in place? Is it possible to open a fake account at a marketplace and attach it to a freshly created BNPL account using a fake name and address?
If not, what pieces of information are required? DOB, legit address, correct first and last name? ID verification? We have shown that it is easy to get these details using public databases like Companies House.
If you can open one account, can you open a dozen? Does your team need to rotate IP addresses and use multiple devices to do so?
Are these accounts linked in any way in the internal scoring system?
Check 3. Going deeper into the BNPL application process
Now it’s time to investigate the application specifics a bit more. The main target here is the mobile or desktop API and the website integration used to handle purchase applications. Some features that could be abused by criminals are:
Can criminals move money using the assessed marketplace? For example, by making a purchase using BNPL money and issuing a refund to a different source of funds?
Can you bypass the minimum or maximum application amount?
Can you abuse and modify the conditions on which money is borrowed? For example, could “pay in three” be modified to change the first payment to zero?
Can you create more than one application at the same time, with concurrent requests? This is known as a race condition.
If the application has been rejected, can you modify the pieces of information and reapply to borrow the money?
If the application has been rejected, will the purchase of a low-price product immediately change that? This common technique is known as “pump and dump”.
Check 4. Virtual cards
A virtual card issued for a specific purchase at a specific shop is a handy and useful feature. What could go wrong with it?
Could the card be used not only at the shop it was issued for?
How strict are the expiration date and the limits of the card?
Could the card be provisioned into a mobile wallet like Apple Pay or GPay?
If yes, these wallets could be used for fraudulent payments where terminals do not authorise payments online. This is still common practice at some US shops for payments below certain limits. In Europe, you can come across offline terminals on the underground, on cruise ships and on planes.
Could a criminal issue multiple cards concurrently using a race condition attack?
How can transaction flows be abused by criminals? Purchases, pre-authorisation, refunds, multiple sources of funds - all of these elements of the payment flow could be abused at scale for money movements or making a direct profit from BNPL providers.
The card BIN range should be scrutinised separately. Each provider will have a limited range of cards they can issue on a daily basis. What happens to a card once it has been destroyed? Could criminals somehow predict someone else’s card details or use them after the card has been destroyed?
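The race condition flagged in Check 3 (concurrent applications) and again in Check 4 (concurrent card issuance) comes from a limit that is checked in one query and enforced in another. The following is an added example, not code from the original article: a vulnerable read-then-write application handler beside an atomic one, with a harness that fires simultaneous requests for the same customer. The schema, customer id and limit are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile
from concurrent.futures import ThreadPoolExecutor
from contextlib import closing

# Added example, not code from the original article. Shows the race condition
# from Checks 3 and 4 (concurrent requests slipping past a "one open
# application at a time" rule) next to the fix: the limit check and the
# increment become one atomic UPDATE instead of a read followed by a write.
# The schema, customer id and limit are constructed for this demonstration.

MAX_OPEN_APPLICATIONS = 1

def new_db() -> str:
    """Throwaway SQLite database with one customer and no open applications."""
    path = os.path.join(tempfile.mkdtemp(), "bnpl.db")
    with closing(sqlite3.connect(path)) as con:
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE customers (id TEXT PRIMARY KEY, open_apps INTEGER NOT NULL)")
        con.execute("INSERT INTO customers VALUES ('cust-1', 0)")
        con.commit()
    return path

def apply_racy(path: str, customer: str) -> bool:
    """Vulnerable: check, then write. Two requests can both see open_apps == 0."""
    with closing(sqlite3.connect(path, timeout=5)) as con:
        (n,) = con.execute("SELECT open_apps FROM customers WHERE id=?", (customer,)).fetchone()
        if n >= MAX_OPEN_APPLICATIONS:
            return False
        con.execute("UPDATE customers SET open_apps = open_apps + 1 WHERE id=?", (customer,))
        con.commit()
        return True

def apply_atomic(path: str, customer: str) -> bool:
    """Hardened: the limit is enforced inside the UPDATE, so exactly one request can win."""
    with closing(sqlite3.connect(path, timeout=5)) as con:
        cur = con.execute(
            "UPDATE customers SET open_apps = open_apps + 1 WHERE id=? AND open_apps < ?",
            (customer, MAX_OPEN_APPLICATIONS))
        con.commit()
        return cur.rowcount == 1

def approved_count(path: str, apply_fn, requests: int = 20) -> int:
    """Fire `requests` simultaneous applications for the same customer; count approvals."""
    with ThreadPoolExecutor(max_workers=requests) as pool:
        return sum(pool.map(lambda _: apply_fn(path, "cust-1"), range(requests)))

if __name__ == "__main__":
    print("racy approvals:  ", approved_count(new_db(), apply_racy))    # may exceed 1
    print("atomic approvals:", approved_count(new_db(), apply_atomic))  # exactly 1
```

The same pattern applies to card issuance: a per-customer daily card counter, or a unique constraint on (customer, open application), turns the check into something the database enforces rather than the application code.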
Check 5. Merchant fraud
Merchants have the power to issue refunds, move money from one pocket to another and so on. That is why malicious merchants pose the biggest threat to fraud fighters at every step of the payment process. This website would not exist if not for our first card research project. In fact, it was all possible because of the low thresholds for opening business accounts in the UK.
If you think that criminals avoid merchant accounts because they would leave trails of their identities, think twice. Criminals don’t even need to leave their real details, as they can open business accounts using fake information. If you follow Graham Barrow on LinkedIn or Twitter, it won’t take long to realise how easy it is to open a fake business account these days. To make it even worse, big marketplace platforms like eBay or Etsy don’t require business accounts at all, preferring to work with individuals. That is one of the reasons why these platforms suffer heavily from all kinds of “seller fraud”. A couple of things you may want to test in your platform: