How to protect against buy now, pay later (BNPL) fraud with Keyless
24 November 2022

How to protect against buy now, pay later (BNPL) fraud with Keyless

24 November 2022

The use of Buy Now, Pay Later (BNPL) platforms has skyrocketed in the past two years.

Companies such as Klarna, Clearpay & Affirm have become household names in their own right, as consumers embrace the idea of being able to purchase expensive items without needing to pay upfront. 

In addition to the obvious benefits of being able to afford items that are normally beyond a person's purchasing power, BNPL platforms have gained significant popularity due to their relatively frictionless approach to providing short-term consumer credit lines. 

BNPL websites rely on scant few details from applicants and, in many countries, don’t require a hard credit check. And despite economical constraints from the ongoing cost of living crisis in the UK and Europe, the BNPL market shows little to no signs of slowing down – with some of the world's most recognized fintechs PayPal and challenger bank Monzo, recently introducing their own BNPL payment schemes.

Unfortunately, as with virtually everything online, the popularity of BNPL has also attracted the attention of nefarious groups. Fraudsters and hackers are exploiting the lack of oversight on these payment platforms. 

BNPL is expected to be a major contributor to global fraud losses, which are forecast to surpass US $48 billion in 2023. Over the course of this article, we will highlight how BNPL platforms can enhance security and prevent fraud from occurring on their platforms. 

What is BNPL Fraud?

When discussing BNPL fraud, it’s important to understand the driving forces behind this type of fraud

Generally, onboarding processes for opening BNPL accounts tend to be less rigorous in terms of identity verification when compared to traditional financial institutions which are regulated. As such, it's easier for fraudsters to commit identity theft and fraudulently open a BNPL account using stolen personal information. It’s also lucrative for fraudsters to launch account takeover campaigns, aimed at compromising the login credentials and OTPs to hack into existing BNPL accounts. 

According to a recent report from Sift, the leaders in Digital Trust & Safety, account takeover (ATO) attacks on BNPL platforms have gone up 54% in the last year – with most stemming from compromised passwords and one time passwords (OTPs).

Signs of BNPL fraud

There are several tell-tale signs of BNPL fraud that BNPL platforms should look out for:

1. Unfamiliar devices

Due to most passwords and billing information being saved on a device or web browser that they’ve previously signed into, the majority of end users tend to stick to the same device when making purchases online. If an existing account has login attempts from a number of different devices, there is a greater chance that this account has been compromised.

2. Multiple addresses

When compromising a BNPL account, fraudsters may attempt to order goods to a new address. If purchases are suddenly being sent to a new address, this is a strong sign that a customer’s account may have been hacked.

3. Purchasing history

BNPL platforms should pay close attention to their customers' account order history, while also encouraging end users to review their order history if their personal data has been compromised. BNPL platforms should also look to re-authenticate a customer when an unfamiliar transaction occurs. Typically, a radical change in the type and price of the items purchased will indicate that an account has been breached.

Types of BNPL fraud

There are four types of BNPL fraud that customers and BNPL companies should pay close attention to.

1. Account Takeover Fraud

Account takeover (ATO) fraud is where a fraudster uses stolen credentials and personal information to hack into a genuine user's BNPL account. ATO attempts on a BNPL account may be secondary to email ATO and SIM Swapping attacks – which enable fraudsters to capture OTPs sent by the BNPL account during authentication. To make matters worse, many customers typically use similar, easily guessable, or already compromised passwords when creating an account. 

2. Identity Theft

Similar to an account takeover, identity theft will involve a criminal using stolen personal information (emails, passwords, identity documents, addresses) obtained from another data breach) to open an account with a BNPL platform like Klarna. Identity theft can go further, in some instances fraudsters use stolen passports, driver’s licenses, bank cards, and mobile phones to set up new BNPL accounts and make purchases using the stolen identification.

3. Synthetic Fraud

This type of fraud is not too dissimilar to identity theft, whereby a fraudster will set up a new account to make illegitimate purchases. However, synthetic fraud differs from identity theft because the information used to set up the account is typically fake.

4. Friendly Fraud

Friendly fraud refers to BNPL purchases often made by friends, family members, and young children that have accessed a customer’s device and made a purchase without the owner of the account being made aware.

What is Keyless & how can it help prevent BNPL fraud?

While BNPL fraud is alarming, it is possible for BNPL platforms to enhance their fraud prevention strategies by eliminating credentials, which are easily compromised, from the authentication journey. 

One of the best ways to prevent BNPL fraud is Keyless, the world’s most advanced passwordless authentication solution. Keyless enables BNPL platforms to enhance security by replacing credentials with biometric authentication. 

Biometrics have been proven to be safer and more secure than passwords and OTPs, both of which can be easily compromised with the right technology. With Keyless, customers are authenticated using a combination of advanced facial recognition software and background device verification checks that help to ensure that login attempts are coming from a known device.

In this way, Keyless offers frictionless strong authentication during authentication, or whenever a high-risk purchase or action is made, such as changing an address. 

Keyless also integrates with major eIDV/KYC vendors, helping to close the assurance gap between identity verification and customer authentication. Thanks to these integrations, Keyless is able to offer high assurance that the real person is logging in or attempting to make a purchase – making it difficult for fraudsters to use stolen personal information to open or hack into an account. 

Given the current global economic uncertainty, now is perhaps the best time to consider enhancing your authentication strategy by switching to a passwordless solution. Interested in learning more? Why not schedule a platform demo today?

Get In Touch

Find out how our private-by-design MFA can help your organization prevent ATOs, improve UX, and protect your bottom line.