Red Team testing for BNPL providers

So many words were said about Buy Now Pay Later (BNPL) fraud. So many fancy terms were invented: buy-now-pay-never, buy-now-pay-less. But we are still in a time and place where BNPL fraud is thriving. The entry level for BNPL scam methods is ridiculously low. So many offerings on the Internet on how to grab a couple of hundred from a provider and don’t pay a penny. And the main victims here are merchants who recklessly decided to have a BNPL option on their checkout page.

A proposal on a dark web forum about a working method to defraud shops using one of BNPL providers

In our blog, we write about fraud in general, and we’ve covered BNPL fraud in particular. But not because we want criminals to utilise schemes that we uncover. It is important to highlight these vulnerabilities and make them public to put peer pressure on companies that do not want to take any steps to improve their security, leaving sellers without protection. To remind you again, sellers have the burden of any fraud occurring with BNPL. Hence they’re the main victims of fraud.

Today we are taking the next step: we will depict in detail some of BNPL's fraudulent methods. Again, not to give advice to criminals but to help those who want help. The main audience who will find this article useful is BNPL providers themselves and big merchants who use them. What about smaller businesses, and what can they do? To be honest, not too much. Because they would not have extra budgets or internal resources to conduct Red Team exercises, they can only hope to stay below scammers’ radars.

Planning a BNPL Red Team exercise

So you are a big company, let’s say a marketplace like Amazon or eBay, with a dedicated security team, and you decided to use a BNPL provider at your checkout. Or maybe you’re a BNPL provider who really wants to know the actual level of security and what financial risks lie in your system. We suggest conducting Red Team exercises to simulate a few BNPL fraudulent scenarios and to reveal the gaps before criminals.

What is Red Team for a fintech? It is something above and beyond just an appsec audit or an infrastructure pentest. It is a mix of hacking techniques that lead to a simple goal - simulated and controlled “robbery”, whether your specialists will be able to steal money from each other’s accounts or from the business. It is also vital to use a mix of technical vulnerabilities and gaps in risk controls, such as insufficient antifraud rules. Just because the results of these exercises should be digested into solutions and the remediation plan for your systems.

It is not very helpful If you simulate a “hit and run” robbery against your CEO, as there’s nothing you can change in your infrastructure and systems to prevent this in the future. But if you will show how criminals could open and use fake accounts and start borrowing money from a BNPL provider without any intentions to pay this money back. If you break down all technical and organisational measures that were meant to reduce these risks - that will be a useful Red Team exercise.

You need a real A-Team for this job! Security engineers or developers from the inside won’t help here. What you need instead is at least one good application security expert who knows well how to find vulnerabilities in business logic.

It’s a matter of personal choice if experts want any preliminary knowledge of the evaluated system or if they prefer to use a black-box approach at first. It certainly will be more productive if you will have a feedback mechanism of some kind. For example, if the expert account was blocked, it is useful to know why instead of trying to knock on each locked door.

Let’s try and look in detail at how these exercises may look. What are the goals? What expertise will your team need?

Check 0. Threat intelligence

Step zero - always be close to the ground. What fraud do your business or your competitors suffer from? What are criminals up to these days? You don’t need to hire an expensive TI company, you need a list of popular resources that hackers in your topic use. For example, hackers who hack games like to promote their services on Discord channels. Prolific platforms for fintech hackers are Telegram and some regional forums:

Common proposals for scamming methods against merchants which use popular BNPL brands.

This information does not need to come from the outside. You may get the list of painful spots from your internal teams, like antifraud or risk management.

Overall, this information should give you a sense of direction. It will also help to measure the success of a Red Team exercise. If no one wanted to hack you before, you’ve spent $50k, and no one is hacking you after - that is merely a success for the business. It would be great to show the reduction in particular fraud numbers instead.

Check 1. Account takeover

We will start with some common techniques and will gradually increase the complexity of our checks. One of the widest threats against any financial organisation is the account takeover, which increased by 121% in 2022. For these methods, criminals get access to victims’ accounts in one way or another. It could be spread phishing or a lack of two-factor authentication and easy-to-guess passwords. Sometimes criminals could compromise emails and/or use leaked password databases. The ways how criminals could get access to an account stay outside of this article and our exercises. The vital part for the Red Team is the question – what can criminals do once they compromise the account?

Can they change the buyer’s address and immediately order something?
Can criminals collect purchases in-store instead of disclosing their own addresses?
Does a victim get notifications about recent purchases, and could a criminal change victim’s email to avoid that?
What else could be done once you’re in the system without requesting additional one-time codes, such as resetting the account password or changing personal details?
What are the password policies?
Does the system allow accounts without two-factor authentication? Bear in mind that some of the verification methods are weaker than others, e.g. one-time codes delivered by automated calls can be sent to a voicemail and hacked later.
Even if you protect accounts or financial operations with one-time codes, it does not mean that these codes cannot be enumerated or bypassed in other ways.
Can any other automation methods be used by criminals, like password-spraying attacks?
Once the account is compromised, can criminals use the “pay in three”* function with the victim’s card without additional card verification, known as 3D-Secure?

* “pay in three” or “pay in four” are common offerings across BNPL providers when payments are split across instalments over time.

Check 2. Onboarding and KYC checks

BNPL providers are not banks, so regulators do not force them to comply with anti-money laundering frameworks. It is the main reason why onboarding checks are so lenient, and every BNPL provider is full of fake accounts. Finding gaps in various onboarding checks is kind of what I have been doing in the last twelve months. Earlier, we published how to open fake accounts at one of the big BNPL providers. Unfortunately, that article made a few fintech companies upset, and they didn’t try to hide that (blurred screenshots?).

What shall red teamers focus on during the process:

What kind of due diligence is in place? Is it possible to open a fake account at a marketplace and attach it to a freshly created BNPL account using a fake name and address?
If not, what pieces of information are required? DOB, legit address, correct first and last name? ID verification? We have shown that it is easy to get these details using public databases like Companies House.
If you can open one account, can you open a dozen? Do your team need to rotate IP addresses for that and use multiple devices?
Are these accounts connected anyhow in the internal scoring system?

Check 3. Going deeper into the BNPL application process

Now it’s time to investigate the application specifics a bit more. The main target here is a mobile or desktop API and website integration that is used for purchase application handling. Some features that could be abused by criminals are:

Can criminals move money using the assessed marketplace? For example, by making a purchase using BNPL money and issuing a refund to a different source of funds?
Can you bypass the minimum or maximum application amount?
Can you abuse and modify the conditions on which money is borrowed? For example, could “pay in three” be modified to change the first payment to zero?
Can you create more than one application simultaneously or in concurrency? This is known as Race Condition.
If the application has been rejected, can you modify the pieces of information and reapply to borrow the money?
If the application has been rejected, will the purchase of a low-price product immediately change that? This common technique is known as “pump and dump”.

Check 4. Virtual cards

It’s a handy and useful feature - to have a virtual card that is issued for a specific purchase at a specific shop. What could go wrong with it?

Could the card be used not only at the shop it was issued for?
How strict are the expiration date and the limits of the card?
Could the card be used to issue a mobile wallet like Apple Pay or GPay?

If yes, these wallets could be used for fraudulent payments when terminals don’t process payments online. This is still a common practice at some US shops for payments below certain limits. In Europe, you can meet offline terminals in the underground or on cruise ships and planes.

Could a criminal issue multiple cards in concurrency utilising Race Condition attack?
How can transaction flows be abused by criminals? Purchases, pre-authorisation, refunds, multiple sources of funds - all of these elements of the payment flow could be abused at scale for money movements or making a direct profit from BNPL providers.
The card BIN range should be scrutinised separately. Each provider will have a limited range of cards they issue on a daily basis. What happens with the card once it’s been destroyed? Could criminals somehow predict someone else’s card requisites or use them after the card has been destroyed?

Check 5. Merchant fraud

Merchants have the power - to issue refunds, move money from one pocket to another and so on. That is why malicious merchants pose the biggest threat to fraud fighters at every step of the payment process. This website would not exist if not our first card research project. In fact, it was all possible because of the low thresholds for opening business accounts in the UK.

If you think that criminals don’t like to use merchant accounts to leave any trails of their identities, think twice. Criminals don’t even need to leave their real details as they can open business accounts using fake information. If you subscribe to Graham Barrow on LinkedIn or Twitter, it won't take too long to realise how easy it is to open a fake business account these days. To make it even worse, big marketplace platforms like eBay or Etsy don’t require to have business accounts at all, preferring to work with individuals. That’s one of the reasons why these platforms heavily suffer from all kinds of “seller fraud”. A couple of things you may want to test in your platform:

A lot of times, BNPL is used to amplify other fraudulent schemes. Do you suffer already from refund fraud? Think twice before giving your customers options to pay even less for your products:

An Ad recommends using BNPL providers to amplify refund fraud

The easiest way to “make” money from a BNPL provider is to open a seller account. Then criminals place fake orders and borrow money to pay for their own “goods”. This will lead to money being made from air. Do you think your platform is well-protected against it? Check it yourself before fraudsters will, as we did on one of the biggest marketplaces in the UK:

You should create a fresh seller’s account at your marketplace and list something that will not bring a lot of attention. Don’t try to sell a “brand new iPhone” - it will likely be banned immediately. Sell a pair of joggers for £20. It also needs to be reviewed how old the accounts should be to allow listing goods without being banned by antifraud.
After the fake item is listed, you create another account which is posed as a “buyer”. During the checkout, the buyer chooses “pay later” or “pay in three”.
The buyer pays only £6.66, but the seller receives £20 once the purchase is settled (a parcel has been sent by the fake seller and received by the fake buyer).

In conclusion

Many intermediaries are now wedged in the payment process. We have BNPL providers who let money to the buyers, we have marketplaces that take a chunk for listing sellers’ positions. We have payment providers who handle money transfers from former to latter. But I like to point out that “shared responsibility means no responsibility”. And the last example with a fake seller is indicative of that problem. Who’s fault is that the fraud could be committed in such an easy way at some large marketplaces? Who pays for this fraud?