Imagine a validation logic error that allows an evil actor to pass credit checks with arbitrary personal details.
Hackers use this to place many orders using fake personal information. In BNPL, all losses are covered by the BNPL provider, so merchants get their money, criminals get random stuff for resale, and the BNPL provider has to foot the bill.
How do you imagine this would work for a company using normal fiat payment rails?