Daybreak - Why BNPL platforms have become a playground for cybercriminals

Episode Date: October 18, 2023

BNPL (Buy Now Pay Later) is becoming popular in India because it offers short-term financing options, financial flexibility, affordability, and smaller credit lines. In fact, the BNPL market ...expected to reach $35–40 billion by 2026 from $3.5–4 billion in 2021.

But unlike credit cards, BNPL services lack security and many customers are left vulnerable to vishing (voice phishing) scams. Most of them are via Ola Money and Mobikwik ZIP. Meanwhile, more than two-thirds of cybercrimes in India are now online and vishing scams account for 5.3% of such crimes. To make matters worse, there is little recourse for defrauded BNPL customers because proper consumer-protection guidelines are not in place. And even though they were scammed, many of them are being forced to clear their dues for transactions they never made.

Tune in.

Recommendation: First Principles Ep.27: Lalit Keshre of Groww on being far-sighted, intuitive and absolutely obsessed with your customer

Daybreak is produced from the newsroom of The Ken, India's first subscriber-only business news platform. Subscribe for more exclusive, deeply-reported, and analytical business stories

Transcript
Starting point is 00:00:01 Hi, this is Rohin Dharmakumar. If you've heard any of The Ken's podcasts, you've probably heard me, my interruptions, my analogies, and my contrarian takes on most topics. And you might rightly be wondering why am I interrupting this episode too. It's for a special announcement. For the last few months, I and Sita Raman Ganeshan, my colleague and The Ken's deputy editor, have been working on an ambitious new podcast. It's called Intermission.
Starting point is 00:00:28 We want to tell the secret sauce stories of India's greatest companies. Stories of how they were born, how they fought to survive, how they build their organizations and culture, how they manage to innovate and thrive over decades, and most importantly, how they're poised today. To do that, Sita and I have been reading books, poring over reports, going through financial statements, digging up archives, and talking to dozens of people. And if that wasn't enough, we also decided to throw in video into the mix. Yes, you heard that right. Intermission has also had to find its footing in the world of multi-camera shoots in professional studios, laborious editing, and extensive post-production. Sita and I are still reeling from the intensity of our first studio recording.
Starting point is 00:01:21 Intermission launches on March 23rd. To get alerted as soon as we release our first video episode, please follow Intermission on Spotify and Apple Podcasts or subscribe to The Ken's YouTube channel. You can find all of the links at the ken.com slash I am. With that, back to your episode. Sometime in July this year, Saptashi Bhattacharya, a 39-year-old HR executive from Mumbai, got a call from Ola Money's postpaid official IVR customer service number, 080-371-0-1-3-8. IVR stands for interactive voice response.
Starting point is 00:02:07 You know, the ones with pre-recorded messages that ask you to dial 1 for A, 2 for B and so on. And Ola Money Postpaid is a buy now pay later or BNPL credit facility given by Ola, the ride-hailing company, to its customers. So, Saptashi gets a call from this number, he picks up, and he dials one, and then he disconnects. Next thing he knows, there are messages on his phone informing him of three successful transactions. What transactions? Now, cut to Bangalore around the same time. A person, let's call him X, we cannot take their real name because they did not want us to. So X was using another BNPL platform called Mobikwik ZIP.
Starting point is 00:02:50 They got an OTP, they typed it in and suddenly a transaction of more than 30,000 rupees took place. Now, can you guess what is common between both of these stories? Of course, they're both victims of online fraud, but it was a very specific type of fraud called a vishing scam, like a phishing scam but with a voice. And these vishing scams are rising quite fast. In fact, online financial frauds in general are rising. More than two-thirds of cybercrimes in India are actually online.
Starting point is 00:03:23 And vishing scams make up more than 5% of such crimes. If you think about online financial scams, you'll notice how over time they're just getting more and more sophisticated. It is getting harder for us to tell the difference between what is genuine and what is fake. In fact, there are many instances of people getting calls from these IVR numbers telling them that they're going to help you secure your BNPL account from fraud. And then you get defrauded.
Starting point is 00:03:53 These scams are getting quite meta. And the easiest targets for these scamsters are BNPL customers because they lack the kind of security and safety that banks offer. Plus, there are barely any consumer protection guidelines in place for them. And what's worst is that people who use these BNPL products are usually financially vulnerable. Welcome to Daybreak, a business podcast from The Ken. I'm your host, Snigda Sharma, and I don't chase the news cycle. Instead, thrice a week on Mondays,
Starting point is 00:04:27 Wednesdays and Fridays, I will come to you with one business story that is worth understanding and worth your time. Today is Wednesday, the 18th of October. In India, it is the Reserve Bank or the RBI that regulates BNPL products through its digital lending rules. Now, not just here, but even in other countries, BNPL is becoming quite popular. And that is because it offers short-term financing options, financial flexibility, affordability, and smaller credit lines.
Starting point is 00:05:24 BNPL products are almost like a credit card. But the problem is that they're not secure enough and they have quite a significant design flaw. There is basically no way to detect fraud. Praveen Kallai Selvin, the founder of Save Them India Foundation, which is a cybersecurity activism NGO, spoke to my colleague Shivani Varma. He told her how these complaints have increased in the last three months and he pointed out how most of them are from Ola Money and Mobikwik ZIP customers.
Starting point is 00:05:56 And a few of them are from users of PhonePe, Bajaj Finserv and also Amazon Pay. And he explained to us why these kinds of scams are favored by fraudsters. Basically, there are two reasons. One is that the responsibility and liability of the fraudulent transaction falls directly on the customer. And number two is that these transactions are very, very hard to trace. And why it is a dangerous trend is because of the scale of the susceptible targets. The BNPL user base in India is expected to reach 80 to 100 million by 2026. For comparison,
Starting point is 00:06:36 India had over 86 million credit cards as of April this year. So how do these fake IVR calls actually work? Stay tuned to find out, but before that, my colleague Akshya has something to tell you. You've probably heard of Groww. Maybe you've seen one of their YouTube videos explaining what a mutual fund or an SIP is. Or you might even be using Groww to invest your own money. It's a financial services platform, a mutual funds marketplace, and it was last valued at $3 billion. And this was a very popular and a very common idea even seven or eight years ago, when Lalit and his co-founders were knocking on doors trying to get funding for Groww.
Starting point is 00:07:26 So why then did investors put their money into it, if there were already dozens of these companies in the same space, and some of them even listed? We got Lalit Keshre, the co-founder of Groww, on our leadership podcast, First Principles, hosted by Rohin Dharmakumar. And Rohin asked Lalit a simple question on the podcast. What set Groww apart from the other players? And very interestingly, Lalit said there was a formula, a four-step formula that he and his co-founders used to carve a niche for themselves.
Starting point is 00:08:03 And in his opinion, this is a formula that every direct-to-consumer product needs to be thinking about. In fact, he broke this formula down in great detail on this particular episode of First Principles. Along with that, he also talked about his love for his customers, how to delight them, how to really understand them, and how to be obsessed with them. I highly recommend you listen to the whole episode and keep an ear out for the four-step formula. The link to this episode is in the show notes,
Starting point is 00:08:35 or you can just look up First Principles by The Ken wherever you get your podcasts. I am Akshya from The Ken's newsroom. Thank you for listening to us. If you like what we do, please rate and review us wherever you get your podcasts. And now back to Snigda. The idea behind the way that these scamsters operate is to basically appear as legitimate as possible. As online frauds increase in number, customers are also becoming more and more aware of them. They are better at telling them apart, which is why scamsters are constantly
Starting point is 00:09:15 finding finer and more legit-looking methods to scam people. Kallai Selvin told The Ken that they make it seem like the call is from an official source, and that is how they get the victim's trust. The scam continues by telling the victim about a supposed attempt to change their personal information and that they need to take immediate action to secure their account. Scammers also make unauthorized purchases, which is often in the form of coupons or vouchers from platforms like Woohoo, Qwikcilver, Amazon, Flipkart, and other e-commerce websites. Then they sell these coupons in the black market in return for money. But that still does not explain how customers get these calls
Starting point is 00:10:02 from the official numbers of these BNPL platforms. It is a bit complicated, but Anand Venkatanarayanan, a cybersecurity researcher, helped us understand. He is the co-founder of DeepStrat, which is a New Delhi-based risk mitigation and cybersecurity advisory. He told us that these support numbers are DID or direct inward dialing numbers which are hosted on a cloud. And this functionality is offered by many providers through a web portal. So anyone who has credentials to access the portal can not only obtain the DID number's call logs,
Starting point is 00:10:41 but also make outgoing calls from this number by using a simple dialer app. This means either the DID number credentials have been leaked to the scammers or, worse, there is an insider letting the scamsters use the portal through the standard automated dialer app. But what about the cases where customers did not even share an OTP? Venkatanarayanan said that there are various ways to capture the OTPs. He said that fraudsters have access to the systems within the companies. For example, if I can send you an OTP to your number to authorize a transaction, what would prevent me from filling it in myself because I'm an insider? End quote.
Starting point is 00:11:29 So, if you think OTPs are secure, this is the best example to show you that it is not. At least not anymore. So OTPs only work effectively, at least partly effectively, if they are used for additional factor authentication. In 2008, the RBI had made two-factor authentication or 2FA mandatory for all mobile banking transactions. But again, even 2FAs are not entirely safe anymore. Yes, they do help reduce fraud to a large extent, but their impact has also become weaker. Coming up next, how do cybercriminals decide who to target?
Starting point is 00:12:12 Kallai Selvin told Shivani that scammers use mass-calling techniques to reach a larger set of victims after they get their phone numbers from public directories, leaked databases, and sometimes even through automated dialing systems that generate random phone numbers. N.S. Nappinai, an advocate with the Supreme Court and the founder of Cyber Saathi, told The Ken that scammers are using the postpaid customers' information and are being able to get the money out through the platform. And because BNPL customers do not have any recourse in the form of consumer protection guidelines,
Starting point is 00:12:56 most victims of these scams get no help from their service providers. Instead, the companies come after them to push them to clear their dues or they are forced to disable their BNPL accounts because of the pending payments. Daybreak is produced from the newsroom of The Ken, India's first subscriber-focused business news platform. What you're listening to is just a small sample of our subscriber-only offerings. A full subscription unlocks daily long-form feature stories, newsletters, subscriber-only apps and podcast extras. Head to the ken.com and click on the red subscribe button on the top of the website.
Starting point is 00:13:40 I am Snigda Sharma, your host, and today's episode was edited by my colleague Rajiv Sien.
