BNPL’s ease is its strength and also the source of its biggest security risks
BNPL is one of the biggest, fastest-growing, and best-funded segments of the Fintech market. It arose in the middle of the COVID pandemic to make buying goods easier and more accessible to all. Big, fast-growing markets like BNPL attract the boldest scams and fraud. In this blog, we’ll discuss the top 5 security challenges for buy now pay later mobile apps.
With an increasing number of banks and credit cards entering the BNPL market, and the growing use by consumers of Buy Now Pay Later, or BNPL apps, understanding the top 5 security challenges of Buy Now Pay Later apps is more important than ever.
What is a BNPL App?
According to PYMNTS.COM, one-quarter of U.S. merchants accept Buy Now Pay Later (BNPL) payments, and nearly 50% expect to accept BNPL payments in the near future. During the pandemic, use of point-of-sale loans provided by Buy Now Pay Later apps exploded. These apps give millions of people access to micro-credit funds to purchase everything from trips and computers to exercise equipment, paying for the items in installments after the purchase date.
This reverse layaway payment model is also here to stay. Based on a survey from Credit Karma, 44% of Americans say they already use BNPL services. According to InsideIntelligence, almost 75% of BNPL users in the U.S. are millennials or Gen Z. There is also no shortage of BNPL apps for users to choose from. According to Sensor Tower, there are approximately 100 BNPL mobile apps on the App Store and Google Play. According to a September 2021 Accenture report, the number of Buy Now Pay Later users in the United States grew by more than 300% per year since 2018, reaching 45 million in 2021. Stand-alone Buy Now Pay Later apps include fast-growing Fintech companies such as Affirm, Afterpay and Klarna.
The Top 5 Security Challenges for Buy Now Pay Later Apps
The ease of getting credit, limited to non-existent credit checks, overly simple application processes and the surge in popularity of BNPL apps have drawn attention from attackers and hackers alike. For example, a recent Forbes article claimed that BNPL is the next big fraud risk for retailers. Public data breaches at Klarna and with Amazon Pay are further examples of security risks in the buy now pay later industry.
Here are the top 5 security challenges faced by developers and users of Buy Now Pay Later Apps:
Weaponized Apps for Synthetic Identity Fraud
Given the ease of account setup and limited transaction oversight, weaponized BNPL apps can be used, in combination with synthetic (false or fake) accounts and emulators, simulators and other automated systems, to buy goods with no intention of paying. For example, a standard BNPL scam is to use a BNPL app to create a fake account, acquire goods, say, a bunch of PlayStation 5 consoles, make one payment, close the account and flip the merchandise at market prices online. Preventing the BNPL app from running on emulators, and blocking Android players, debuggers and other automated environments like ADB, is a quick and easy step to prevent weaponized apps from being used in BNPL fraud.
Overlay and Keylogging Attacks for Identity Theft and ATOs
Malicious screen overlays, where a fake or hidden screen is placed over the real screen or entry field, and keylogging malware are used to harvest usernames, passwords and other user secrets. Using these tools, fraudsters can easily gain access to a user’s mobile or online account, execute an Account Takeover, and lock the legitimate user out of his/her account. To stop this class of attack, preventing overlays and blocking keylogging are quick and easy remedies to safeguard usernames and passwords in your BNPL app.
BNPL Data and API Breaches
BNPL apps, like credit card apps, hold a bounty of mobile user, PII, transaction and other commercial data about consumers. All of them also have hardcoded API endpoints, API keys and tokens for payment processing and third-party services that the app uses to operate and provide transactions to its users. To protect mobile app data at rest and data in transit, including API endpoints stored in the app, BNPL mobile apps should include data-at-rest encryption, string and resource encryption and MiTM prevention. An additional level of protection for BNPL mobile app data can be had with jailbreak and root prevention.
Trojan BNPL Apps
The ease of account creation and speed to first purchase can give consumers a false sense of security when downloading a BNPL app. What if that promise of fast, low-barrier credit for on-the-spot purchases resulted in the user actually downloading a modified BNPL app containing malware? Imagine the havoc that a maliciously modified BNPL app could wreak on an unsuspecting mobile user. To prevent your BNPL mobile app from becoming a malware trojan, developers and security leaders at BNPL apps should add mobile application protections specifically to stop mobile app tampering, repackaging, and resigning.
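The emulator, debugger and anti-repackaging checks described in the "Weaponized Apps" and "Trojan BNPL Apps" sections above, written out as an added Android example (not code from the original post or from any product it alludes to). The expected signing-certificate hash is a hypothetical placeholder, and the emulator heuristics are exactly that, heuristics that a determined attacker can spoof, so they are a layer, not a guarantee.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Runtime environment and integrity checks a BNPL app can run before a purchase flow. */
public final class RuntimeIntegrity {
    // Hypothetical placeholder: replace with the SHA-256 of your real release signing certificate.
    private static final String EXPECTED_CERT_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    /** Heuristic emulator detection based on well-known build properties of Android emulators. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || Build.FINGERPRINT.contains("emulator")
            || Build.HARDWARE.contains("goldfish")
            || Build.HARDWARE.contains("ranchu")
            || Build.PRODUCT.contains("sdk")
            || Build.MODEL.contains("Android SDK built for");
    }

    /** True when a debugger is attached or the runtime is waiting for one. */
    public static boolean debuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /** True only if the installed APK is signed with the expected release certificate
     *  (a repackaged and resigned copy will carry a different certificate). */
    public static boolean signatureMatches(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] sigs;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
                sigs = info.signingInfo.getApkContentsSigners();
            } else {
                PackageInfo info = pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
                sigs = info.signatures;
            }
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : sigs) {
                StringBuilder hex = new StringBuilder();
                for (byte b : sha256.digest(sig.toByteArray())) hex.append(String.format("%02x", b));
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(hex.toString())) return true;
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // treat any failure to verify as a failed check
        }
    }
}
```

A failed check is best reported to the backend as a risk signal and used to step up verification or decline the transaction, rather than silently crashing the app.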
Hacking and Fraudster Research
Pretty much all BNPL fraud and exploits start and end with the ability of the hacker or fraudster to research the BNPL mobile app, discover how it works, and learn how to invoke its primary workflows, including purchases. To prevent malicious research, developers of BNPL apps should obfuscate the BNPL app code as well as block instrumentation tools like Frida and other Dynamic Binary Instrumentation toolkits.
There are several other mobile protections and security features that developers and security leaders at BNPL apps can adopt to safeguard transactions, protect users and deliver amazing purchase experiences. Security leaders at BNPL apps don’t have to stop at the recommendations above.
BNPL speed, at the business level, needs to be matched by its security solutions. No market should embrace shift-left security models more than BNPL. Developers of BNPL apps should follow shift-left and start building security features into mobile apps as early as possible in the development lifecycle.
I’d love to help with your security project and help your BNPL mobile app overcome the challenges you are facing. Let me show you how you can protect against threats to your mobile app. Please reach out to us for a demo!