How to protect your ‘Buy Now Pay Later’ (BNPL) account from hacks and data leaks in the UAE

Experts reveal how hackers exploit BNPL apps and how to protect your money

Zainab Husain, Features Writer
Cybersecurity experts explain how hackers exploit fast approvals, SIM swaps, and credential stuffing.

Dubai: A UAE resident recently lost nearly Dh20,000 after his Buy Now, Pay Later (BNPL) account was hacked, with purchases made in his name - all without a single OTP or alert. Cybersecurity experts say such attacks are becoming more common, often involving sophisticated account takeovers that slip past weak authentication systems.

Despite these risks, BNPL services are growing rapidly in popularity. The appeal is clear: buy expensive items instantly and spread the cost over months. But along with the risk of overspending and mounting debt, experts warn there’s another danger consumers often overlook - fraud and large-scale data leaks.

Why BNPL platforms are becoming a target for fraud

Slava Demchuk, Certified Anti-Money Laundering (AML) Specialist and CEO of the global AML and KYC service platform AMLBot, told Gulf News he has seen a growing trend of Buy Now Pay Later (BNPL) platforms being targeted by fraudsters.

“This is because you have frictionless onboarding, quick purchases, there’s usually minimal KYC, much speedier approvals than through traditional financial providers,” he explained. “On top of it, due diligence is also an issue, as many function with minimal fraud checks, relying on half-done superficial identity verification.”


How to stay safe online

Demchuk emphasised that BNPL users must treat these platforms with the same caution as any other financial service, maintaining strong digital hygiene to protect personal and payment information.

Here are his expert tips for safer shopping on BNPL platforms:

  • Enable two-factor authentication (2FA) using authenticator apps rather than SMS.

  • Use unique, complex passwords and change them regularly.

  • Run regular breach checks with services such as HaveIBeenPwned to identify leaked credentials.

  • Store backup codes securely—not in easily hacked cloud storage—and enable transaction alerts where possible.

  • Encrypt sensitive communications, especially when using mobile devices or public networks.

As the market grows, Demchuk said BNPL providers must strengthen security and regulators will likely issue more stringent requirements on user identification. “BNPL systems are more convenient than they are fraud-resistant,” he said.

The hidden risks of BNPL platforms

Harshvardhan Chunawala, a cybersecurity researcher at Carnegie Mellon, says BNPL services carry a set of risks that many consumers have never considered.

“The fundamental architecture of these platforms prioritises user convenience over security, creating attack surfaces that sophisticated threat actors are increasingly exploiting,” he explained.

According to Chunawala, BNPL platforms often collect far more information than is necessary for credit decisions, sometimes over a dozen distinct data points per user. “Your browsing patterns, location data, messaging history, and purchase behaviours are being collected, analysed, and often shared with third-party advertising networks,” he said.

This means that when breaches occur, and they do so regularly, a significant volume of personal data can fall into the hands of cybercriminals, who may use it for identity theft, targeted phishing campaigns, or even physical security threats.


Research by Netherlands-based personal information removal service Incogni found that Buy Now Pay Later (BNPL) apps collect and share extensive user data. Afterpay topped the list, handling 20 different data types, followed by Klarna and Uplift with 19 each. Common data collected includes location, name, browsing history, phone number, and purchase history.

The study noted that BNPL platforms often use this data for vague, self-reported purposes and share it with third parties, creating a widespread flow of personal information.

Convenience leaves the door open for attacks

From a technical perspective, BNPL platforms face what Chunawala calls ‘convenience vulnerabilities’. The fast approval processes that make them appealing also leave them open to automated attacks.

“Criminals may use ‘credential stuffing’ - testing stolen usernames and passwords from previous breaches across multiple platforms - or synthetic identity fraud, which combines stolen and fabricated data to create convincing fake personas that evade basic security checks,” he said.

The delayed payment structure adds another layer of risk, creating longer windows for unauthorised transactions to occur before detection systems flag them.

“Attackers also use methods such as SIM swapping, where a victim’s phone number is transferred to a criminal’s device to intercept authentication codes.” The UAE is currently phasing out SIM and email one-time passwords (OTPs) for banks due to such vulnerabilities.
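Credential stuffing leaves a recognisable trace in a provider's login logs: one source address cycling through many different usernames with a high failure rate in a short window. The detector below is an added example (not code from the article or any BNPL provider) that runs over a constructed login log; the log format, the thresholds and the 5-minute window are assumptions to be tuned against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): "timestamp source_ip username result".
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave FAIL
2024-05-01T10:00:04 203.0.113.7 erin OK
2024-05-01T10:00:05 203.0.113.7 frank FAIL
2024-05-01T10:00:06 203.0.113.7 grace FAIL
2024-05-01T10:03:00 198.51.100.4 alice FAIL
2024-05-01T10:03:20 198.51.100.4 alice OK
"""

def parse_log(text):
    """Turn the sample format into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.7):
    """Flag IPs that attempt >= min_users distinct accounts with a failure rate >= min_fail_rate
    inside any sliding `window`. Accounts that succeeded from a flagged IP are listed so the
    fraud team can force a password reset and review recent purchases on them."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp, then ip
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1             # slide the window forward
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fail_rate = sum(1 for e in chunk if e[3] != "OK") / len(chunk)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                findings[ip] = {"users": len(users), "fail_rate": round(fail_rate, 2),
                                "succeeded": sorted({e[2] for e in chunk if e[3] == "OK"})}
    return findings

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_AUTH_LOG)))
```

The legitimate user at 198.51.100.4 (one account, one typo) is not flagged; the spraying host is, together with the account it managed to open.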


How to protect yourself from BNPL data leaks

Chunawala advises consumers to take a proactive approach and “think like an attacker” when safeguarding their accounts:

  • Monitor accounts regularly, watching for unauthorised purchases, changes to account settings, contact details, or notification preferences.

  • Only access BNPL services from trusted, updated devices, and avoid financial transactions over public Wi-Fi.

  • Review app permissions and privacy settings frequently, disabling unnecessary data sharing and location tracking.

  • Use a dedicated email address for financial accounts to reduce cross-platform data correlation.

  • Stay alert for signs of compromise, such as unfamiliar logins, missing transaction alerts, or unusual communication patterns from the platform.

  • Research each provider’s security record, data retention policies, and breach response procedures before signing up.
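The first two warning signs in the list above (contact-detail or notification changes shortly before a purchase) are exactly the sequence behind the Dh20,000 case that opens the article, and a provider or a vigilant user can check for it mechanically. This added example (not the article's or any provider's code) correlates a constructed account-activity feed; the event names, the 24-hour window and the "device=new" login marker are assumptions.

```python
from datetime import datetime, timedelta

# Constructed account-activity events (not real data): (timestamp, account, event, detail).
SAMPLE_EVENTS = [
    ("2024-05-02T09:00:00", "acct-1", "login", "device=known"),
    ("2024-05-02T09:05:00", "acct-1", "purchase", "amount=120"),
    ("2024-05-03T22:10:00", "acct-2", "login", "device=new"),
    ("2024-05-03T22:11:00", "acct-2", "phone_change", "new number (masked)"),
    ("2024-05-03T22:12:00", "acct-2", "alerts_disabled", "push,sms"),
    ("2024-05-03T22:30:00", "acct-2", "purchase", "amount=19500"),
    ("2024-05-04T08:00:00", "acct-3", "email_change", "new address (masked)"),
    ("2024-05-06T08:00:00", "acct-3", "purchase", "amount=300"),
]

# Settings changes that commonly precede an account takeover purchase.
RISKY_PRECURSORS = {"phone_change", "email_change", "alerts_disabled", "password_change"}

def flag_takeover_purchases(events, window=timedelta(hours=24)):
    """Return purchases preceded, within `window`, by a contact or notification change on the
    same account, annotated with the precursor events and whether a new device logged in."""
    flagged = []
    history = {}  # account -> list of (timestamp, event, detail) seen so far
    for ts_s, acct, event, detail in sorted(events):   # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_s)
        hist = history.setdefault(acct, [])
        if event == "purchase":
            recent = [e for (t, e, _) in hist if e in RISKY_PRECURSORS and ts - t <= window]
            new_device = any(e == "login" and "device=new" in d and ts - t <= window
                             for (t, e, d) in hist)
            if recent:
                flagged.append({"account": acct, "purchase": detail,
                                "precursors": recent, "new_device": new_device})
        hist.append((ts, event, detail))
    return flagged

if __name__ == "__main__":
    for hit in flag_takeover_purchases(SAMPLE_EVENTS):
        print(hit)
```

A flagged purchase is where a provider should step up authentication or hold the order, and where a user reviewing their statement should start.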
