Ron Zayas (13:54)

Foreign.

Dave Bittner (14:00)

Identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. Cyber Arc is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, Cyber Arc helps modern enterprises secure their machine future. Visit cyberark.com machines to see how Ron Zias is CEO of Ironwall by Incogni. I recently caught up with him on the Caveat podcast to discuss the massive data sharing and privacy risks in leading Buy Now Pay later apps.

Ron Zayas (15:01)

So when you go to Buy now, you have a couple of different options where you could buy, for example on credit, you could buy on cash. But there's something in the middle there which is Buy Now Pay later, which they give you the option to pay over time. They don't ask a lot about your credit. They break up payments into something in a very short period of time. There may or may not be interest involved, but it allows you to look at something, and Instead of spending $250 to buy a pair of shoes, it's, you know, $50 a week or $50 a month for a short period of time. And it seems a lot more palatable to be able to do that.

Dave Bittner (15:43)

So who are these folks targeting here? Is this folks who may not have a credit card?

Ron Zayas (15:50)

It's not so much people who. Who may not have a credit card. It may be more people who have maxed out their credit card. It is definitely tending to go to a younger demographic. It's also looking for, and that would be somebody in their 20s. It's looking for people who are doing a lot of impulse buys. So they're usually not buying emergencies, and they're really directed from. The retailers are pushing this out because it does two things. Number one, it tends to encourage people to spend more. And two, when you buy now, pay later, and you're buying over time, you can't return the product. So it makes the refund rates a lot higher or, you know, a lot lower so that retailers are more confident about the sales that they do.

Dave Bittner (16:38)

Ah, that's an aspect I had not considered. That's fascinating. So you and your team looked into some of these apps, and what are some of the things that you all found?

Ron Zayas (16:48)

So, first of all, as you can imagine, with a lot of apps nowadays, they collect a lot of information. They tend to know. They tend to know a lot of what's out there. They tend to not just make their money and what their business is, but they make their money and productizing the people who use the product. So what we looked at was, okay, how much information are they collecting? What are they using it for? And then what are your rights under the product? And which ones of these are the most. What we call leaky, which are the ones that are collecting a lot of information that really doesn't have anything to do with the transaction.

Dave Bittner (17:32)

And what sort of things did you find?

Ron Zayas (17:35)

It's not surprising. They're very leaky. You know, you have top ones like Kwama and Affirm and Afterpay, and they tend to collect. They're very popular. And they tend to collect not only a lot of information just from the transaction part. What's your name? What's your address? What's your phone number? Because it's a mobile app, you know, all stuff that can be monetized very, very well. But on top of that, what they're doing is some of them are collecting where you are all the time. Some of them are collecting, you know, so they're looking at your GPS information, They're looking at cookies from other websites and maybe even information from other mobile apps that you may be using. They're looking at your contacts information. So they're collecting a lot of information that has nothing to do with the transaction. And really what they're doing is they're monetizing you as part of their business model.

Dave Bittner (18:30)

I feel as though I already know the answer to this question, but I'll ask it anyway. To what degree are they informing their users that this information is being collected and shared?

Ron Zayas (18:41)

Well, if you're willing to read through a very oblique and long privacy statement, to a degree, they're telling you that. But even when you go through the privacy statements, and we're experts, we do this all the time, a lot of times you sit there going, huh? The privacy statement will tell you that they collect information as part of doing business. It'll say that sometimes they share that information to give you a better experience. And it'll say, and some of the places that are. Some of the types of information we could collect are A, B and C. None of them go into all the detail of everything they're collecting. None of them are very specific in what they do. And the important thing to remember with everybody's privacy statement, especially in the U.S. they're guidelines. It's not a contract. They can change it at any time, and they often do. So they're not giving you a lot of insight into what they're doing with it. And, and you should know that, you know, some, like Afterplay, they Collect, they have 17 different data types of categories of information that they collect and that they share with third parties, including your credit scores. Although this is supposed to be a replacement for having to do something in.

Dave Bittner (19:55)

Credit, you know, it's hard for me to decide, I guess for myself, the degree to which these buy now, pay later apps are just providing a legal, legitimate service and the degree to which they're kind of predatory here. And I mean, is that a fair thing to wonder about?

Ron Zayas (20:16)

That's a very fair question to wonder about. You know, and again, when you look at things like this, the first thing you look at is the convenience. Is it convenient for me to be able to buy something and pay it off over time? I mean, obviously that's the Underpinning of a lot of the capitalist system, the ability to buy on credit leverages what we can buy and what kind of wealth we can have. It also has a lot of downside that we can get in over our heads. Then you go from traditional credit, like a credit card or a bank loan, to being something like this. And it could be, you know, a payday loan, it could be these type of buy now, pay later where they're really encouraging and they're really getting you to act upon those impulse buys again. The majority of purchases that are being done here, they're not being done for a refrigerator that breaks down. They're not being done for a part that you need for your car. They're impulse buys, they're shopping buys. So they're encouraging you to spend more. And on top of that, they're pulling in information from you and they're monetizing it again. So you're kind of paying twice you, even if you don't think you're paying for interest. And some of them do have very hefty fees if you don't pay. But that's, that's outside of the scope of what our research was really though, even if you're, if you're paying on time and you're getting the benefit of it, they're also taking your information and you're paying for it again because when your information gets leaked, when it gets hacked, when it gets shared, oftentimes you're going to pay money. You're going to pay money to companies like ours that go out and take all that information and remove it. You're going to pay in identity theft, you're going to pay in other ways because of information that other companies have taken from you. Without really being upfront and saying, we're going to steal your information. You know, we're going to use it for these things and we're going to sell it to these people. So I don't think you feel, I don't think you're wrong in feeling that there's a little bit of victimization that's going on here.

Dave Bittner (22:17)

That's Ron Zayas from Ironwall by Incogni. You can hear our complete conversation over on the Caveat podcast, wherever you get your favorite podcasts. And now a word from our sponsor, ThreatLocker, the powerful Zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker.

CeeDee Lamb (23:17)

Hey guys, it's Ceedee Lamb, wide receiver for the Dallas Cowboys. I'm partnering with Abercrombie this season to tell you all about their viral denim. All you need to know is denim should fit like this. My jeans need to check a lot of boxes fit first, trend second. They need to go with whatever I'm feeling and Abercrombie Denim has it down whether I'm throwing on a tee or putting a whole fit together. Shop Abercrombie Denim in the app, online and in store.

Dave Bittner (23:52)

And finally, the Commonwealth bank of Australia has performed a neat corporate backflip, reinstating 45 jobs it had proudly declared obsolete thanks to its shiny new AI Voicebot. At the time, CBA insisted the bot would lighten workloads and trim calls. In reality, call volumes spiked, managers were yanked onto phones, and overtime became the hottest item on the menu. The finance sector union promptly hauled the bank before the Fair Work Commission, declaring victory after CBA admitted it had made a, shall we say, miscalculation? Affected staff can now keep their jobs, redeploy or leave altogether, although the union dryly noted the damage was done. Critics say CBA tried to rebrand job cuts as innovation even as the bank reported a record $10.25 billion profit. Meanwhile, CEO Matt Komen mused on AI's long term potential while also acknowledging the bank had recently hired thousands of mostly in India. Evidently the future is automated, just not evenly distributed. And that's the Cyber Wire. For link to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show Notes. Please take a minute and check it out. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. You say you'll never join the Navy, that you never track storms brewing in the Atlantic, and skydiving could never be part of your commute. You'd never climb Mount Fuji on a port visit or fly so fast you break the sound barrier. Joining the Navy sounds crazy saying never actually is. Start your journey at navy.com, america's Navy, forged by the sea.