20 tips for Consumers & Merchants to Fight Back Against BIN Attacks & Card Testing Fraud
Americans reported losing nearly $8.8 billion to fraud in 2022, according to data published by the FTC. That figure spans many different tactics. However, one specific technique known as a BIN attack has become a standout problem in the last couple of years.
Criminals engaging in BIN attacks use a “brute force” method. They systematically guess the digits that follow a known card prefix, typically using a bot network to do so, until an issuer approves a combination of card number, expiration date, and CVV. Once they have a live card, they can use it to commit all kinds of fraud in the cardholder’s name.
So, what is a BIN attack exactly? How can consumers and merchants collaborate to prevent these scams? Let’s find out.
What is a BIN Attack?
A BIN attack occurs when a scammer fixes a BIN (Bank Identification Number) as the card prefix, then cycles through the remaining digits, trying to guess a valid combination of card number, expiration date, and CVV.
Pull out your wallet and look at the number on the card face (16 digits on most Visa and Mastercard cards; American Express uses 15). The first six digits of that number have traditionally been the BIN, which the ISO standard calls the Issuer Identification Number; since 2022 the card networks have been migrating issuers to eight-digit BINs. This number identifies the bank that issued the card. Not all cards issued by that bank will have the same BIN; some banks, like Bank of America, are big enough to have many BINs. That said, all cards with a matching BIN are issued by the same bank.
With a BIN attack, the scammer takes a “brute force” approach. They hold the BIN fixed, then cycle through the remaining digits until they find a combination that works.
BIN attacks are very similar to, but not quite the same as, card testing fraud. A BIN attack targets account numbers to “crack” the user’s credit card information with automated software. Card testing, on the other hand, is generally a by-product of a successful BIN attack. Once a card has been determined active, it can then be tested to determine if it can be used to commit other acts of fraud.
Yes, it's primitive. But, with the benefit of bot technology, fraudsters can cycle through hundreds or thousands of combinations in seconds. Thus, randomized BIN attacks can be very effective.
How Does a BIN Attack Work?
So, how do scammers actually go about conducting a BIN attack? Here’s a general overview of the steps in the process:
- The scammer selects the BIN for the targeted bank. BIN ranges are published in industry BIN lists and are easy to look up, so this step costs nothing.
- Using card-number generator software, the scammer produces thousands of candidate account numbers under that BIN. Because the last digit of a card number is a Luhn check digit, the generator emits only numbers that pass that check, so no attempts are wasted on numbers no issuer would ever assign.
- The next step is validating the candidates. The scammer finds a suitable online retailer or donation page for this purpose: typically one with a frictionless checkout, no bot challenge, and low-value items.
- Card testing commences. The fraudster, typically using bots to automate the process, makes repeated small purchase attempts (or zero-dollar authorizations, where the merchant’s gateway allows them) with each generated card number.
- The fraudster records every combination that produced an approval. These live card details are then used, or resold, for further fraudulent transactions.
Bear in mind that the card number, expiration date, and CVV must all match for the issuer to approve the transaction; a wrong value in any of them will most likely be declined. CVV is not mandatory for every merchant, though, which is why card testers seek out checkouts that do not ask for it.
This naturally produces a surge of unusual activity for the merchant. Many merchants impose velocity limits to block sudden surges of suspicious activity. To get around this, scammers spread a single BIN attack across multiple online retailers and services, and rotate IP addresses and devices, so that no single merchant sees enough attempts to trip its limits.
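The arithmetic behind the generation step above, as an added example that is not part of the original article: the Luhn check digit, the size of the search space an attacker faces once the BIN is fixed, and the resulting hit rate. The prefix `400000`, the account counts and the 60-month expiry horizon are illustrative assumptions; the Luhn algorithm itself is the ISO/IEC 7812 check-digit scheme used on real cards.

```python
"""Luhn arithmetic behind a BIN attack (added example, not the article's code).

The issuer prefix, account counts and card length below are illustrative
assumptions; the Luhn algorithm is the ISO/IEC 7812 check-digit scheme.
"""
import random


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that completes `partial` (all digits but the last)."""
    total = 0
    # Walk from the right; the digit next to the (future) check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the full card number passes the Luhn check."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or len(pan) < 2:
        return False
    return luhn_check_digit(pan[:-1]) == pan[-1]


def search_space(bin_prefix: str, pan_length: int = 16,
                 cvv_digits: int = 3, expiry_months: int = 60) -> dict:
    """How many guesses a blind attacker faces once the BIN is fixed.

    The check digit is determined by the other digits, so it is not free.
    """
    free_digits = pan_length - len(bin_prefix) - 1
    pans = 10 ** free_digits
    return {
        "luhn_valid_pans": pans,
        "pans_x_cvv": pans * 10 ** cvv_digits,
        "pans_x_cvv_x_expiry": pans * 10 ** cvv_digits * expiry_months,
    }


def hit_probability(active_accounts: int, bin_prefix: str, pan_length: int = 16) -> float:
    """Chance that one random Luhn-valid PAN under this BIN is a live account.

    Assumes the issuer spread its accounts uniformly over the range (a
    simplifying assumption; an issuer that assigns numbers sequentially makes
    the guesser's job easier than this estimate suggests).
    """
    return active_accounts / search_space(bin_prefix, pan_length)["luhn_valid_pans"]


def luhn_valid_candidates(bin_prefix: str, n: int, pan_length: int = 16, seed: int = 0) -> list:
    """Generate `n` random card numbers under `bin_prefix` that pass Luhn.

    This is the step a BIN-attack tool automates: every number it emits is
    syntactically plausible, which is why a merchant sees a flood of issuer
    declines rather than format errors.
    """
    rng = random.Random(seed)
    free_digits = pan_length - len(bin_prefix) - 1
    out = []
    for _ in range(n):
        body = bin_prefix + "".join(rng.choice("0123456789") for _ in range(free_digits))
        out.append(body + luhn_check_digit(body))
    return out


if __name__ == "__main__":
    # 400000 is a constructed Visa-style prefix, not a real issuer's BIN.
    print(search_space("400000"))                # six-digit BIN: 1e9 Luhn-valid PANs
    print(search_space("40000000"))              # eight-digit BIN: 1e7
    print(search_space("377000", pan_length=15))  # Amex-style 15-digit card
    print(hit_probability(1_000_000, "400000"))  # 0.001: about one live PAN per 1,000 guesses
    for pan in luhn_valid_candidates("400000", 3):
        print(pan, luhn_valid(pan))
```

Two things worth noticing: moving from a six-digit to an eight-digit BIN cuts the free digits, so per-BIN guessing gets easier, not harder, which is why issuers cannot rely on number space alone; and at roughly one live PAN per thousand guesses for a large issuer, a tester that finds anything at all has necessarily generated hundreds of declines that a merchant can see.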
How BIN Attacks Affect Banks, Merchants, & Customers
BIN attack scams have detrimental effects on everyone involved in a transaction. Some of the impacts each can expect include:
10 Ways Consumers Can Protect Themselves from BIN Attacks
Unfortunately, there isn’t much that can be done to keep a bot from guessing one’s credit card number. So long as these tools exist, they will be used by fraudsters for nefarious purposes. Plus, there’s almost no way for consumers to know when they’ve been targeted until it’s too late.
This doesn’t mean the average consumer is totally defenseless, though. There’s no reason to make it “easy” for scammers, after all.
Consumers should vigilantly monitor their accounts and protect their personal data to guard against BIN attacks, card testing fraud, and other threats. To that end, there are a few strategies consumers can deploy to keep their accounts safe:
#1 | Regular Monitoring
Regularly check bank and credit card statements for any unauthorized charges. Even small transactions can be an indication of card testing.
#2 | Alerts & Notifications
Set up transaction alerts with banks and credit card providers. This means you get notified for every transaction, allowing you to catch any unauthorized activity quickly.
#3 | Secure Networks
Only use secure and private internet connections when making online transactions. Avoid public Wi-Fi networks when entering card details. Also, make sure only to provide card details on secure websites. Look for the padlock symbol and “https” in the website’s URL, which signify an encrypted connection; they do not tell you the site itself is legitimate, so check that the domain is the one you expect as well.
#4 | Card Locks
Some banks offer the ability to lock and unlock one’s card through their mobile app. If a cardholder is not planning on using their card for a period of time, keeping it locked adds an extra layer of security: a guessed number is worthless while the card is locked.
#5 | Strong Passwords
Use strong, unique passwords for all online banking and shopping accounts. Length and uniqueness matter more than forced special characters; a password manager makes both easy. Avoid easily guessable information like a birth date or pet’s name.
#6 | Two-Factor Authentication
Use two-factor authentication (2FA) whenever possible. 2FA adds an extra layer of security by requiring a second form of verification, such as a code from an authenticator app, a text message, or a hardware security key, in addition to a password. App- or key-based factors are stronger than SMS or email codes, which can be intercepted through SIM swapping or a compromised inbox.
#7 | Secure Payment Services
Consider using secure payment services such as Apple Pay or Google Pay. These services replace your actual card number with a device-specific token, so the retailer never sees the real number and a breach of the retailer exposes nothing reusable. Plus, most natively support 2FA tools like biometric authentication.
#8 | Regular Software Updates
Ensure that all one’s devices and security software are up-to-date. Updates often include patches for security vulnerabilities that could be exploited by fraudsters.
#9 | Regular Credit Checks
Regularly review credit reports for any suspicious activity. All credit users are entitled to free reports from each of the three major credit bureaus (Equifax, TransUnion, and Experian) through AnnualCreditReport.com, the site authorized under federal law.
#10 | Be Aware of Phishing Scams
Be cautious of emails, texts, or phone calls asking for personal or financial information. These could be phishing attempts. Always verify the source before giving out information.
Adhering to these practices can help consumers significantly reduce the risks of falling victim to BIN attacks and card testing fraud.
BIN attack prevention is a slightly more complex and involved process for merchants and financial institutions, though, as we’ll see below.
How to Detect a BIN Attack
Generally speaking, detecting a BIN attack involves identifying unusual patterns of credit card transactions. While it may not always be possible to prevent a BIN attack, timely detection can go a long way to mitigate potential damage.
Here are a few ways merchants can spot a BIN attack:
- Unusually Small Transactions: Numerous very small transactions, especially from the same source, suggest card testing.
- High Number of Declined Transactions: A sudden surge in declines indicates a BIN attack, since fraudsters must try many numbers before finding a valid card. Look at the decline reasons too: a testing burst is dominated by “invalid card” and “do not honor” responses rather than insufficient funds.
- Repeated Transactions from the Same IP Address: Multiple attempts arrive from one IP address, particularly when most of them are declined.
- Rapid Succession of Transactions: A high number of authorization attempts arrive within seconds of each other.
- Geographic Inconsistencies: Transactions come from an IP address in one country while the cards being used are issued in another.
- Multiple Cards from the Same BIN: Many different card numbers sharing the same BIN are attempted, often for the same low-value product, and often spread across several IP addresses.
- Unusual Time of Transactions: Transactions are attempted at odd hours when normal card usage is low.
- Suspicious Merchant Account Behavior: Multiple transaction attempts are followed by an unusually high chargeback ratio on a particular merchant account.
- Abnormal Transaction Volumes: The number of transactions or total transaction value surges without a marketing or seasonal explanation.
- Incomplete Cardholder Information: Transactions are attempted with incomplete or incorrect cardholder information, including the CVV, the expiration date, or the billing address.
If any of these signs are detected, the appropriate parties should be alerted immediately to help prevent further fraudulent activity.
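Several of the signals above (small amounts, decline rate, rapid succession, many cards under one BIN) can be computed directly from a merchant’s authorization log. The following is an added example, not the article’s or any vendor’s code: it runs those checks over constructed sample log lines, grouping once by source IP and once by BIN so that an attack spread over several IPs is still caught. The log format, thresholds, IPs and BINs are all assumptions made for the demo.

```python
"""Spotting card testing in authorization logs (added example, not the article's
or any vendor's code). Log format, thresholds, IPs and BINs are constructed."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample: a burst of $1.00 attempts under one BIN from one IP,
# three more under the same BIN from a second IP, and ordinary traffic.
SAMPLE_LOG = """ts,ip,bin,last4,amount,result,reason
2024-03-01T02:14:01Z,203.0.113.7,400000,0001,1.00,declined,invalid_card
2024-03-01T02:14:02Z,203.0.113.7,400000,0002,1.00,declined,invalid_card
2024-03-01T02:14:03Z,203.0.113.7,400000,0003,1.00,declined,invalid_card
2024-03-01T02:14:04Z,203.0.113.7,400000,0004,1.00,declined,do_not_honor
2024-03-01T02:14:05Z,203.0.113.7,400000,0005,1.00,declined,invalid_card
2024-03-01T02:14:06Z,203.0.113.7,400000,0006,1.00,declined,invalid_card
2024-03-01T02:14:07Z,203.0.113.7,400000,0007,1.00,declined,invalid_card
2024-03-01T02:14:08Z,203.0.113.7,400000,0008,1.00,declined,invalid_card
2024-03-01T02:14:09Z,203.0.113.7,400000,0009,1.00,approved,
2024-03-01T02:14:10Z,203.0.113.7,400000,0010,1.00,declined,invalid_card
2024-03-01T02:14:11Z,203.0.113.7,400000,0011,1.00,declined,do_not_honor
2024-03-01T02:14:12Z,203.0.113.7,400000,0012,1.00,declined,invalid_card
2024-03-01T02:14:20Z,203.0.113.8,400000,0013,1.00,declined,invalid_card
2024-03-01T02:14:21Z,203.0.113.8,400000,0014,1.00,declined,invalid_card
2024-03-01T02:14:22Z,203.0.113.8,400000,0015,1.00,declined,invalid_card
2024-03-01T09:30:11Z,198.51.100.20,520000,7788,84.99,approved,
2024-03-01T09:45:02Z,198.51.100.20,520000,7788,12.50,approved,
2024-03-01T10:02:45Z,198.51.100.21,400000,4455,42.10,approved,
2024-03-01T11:17:30Z,198.51.100.22,377000,9001,129.00,declined,insufficient_funds
2024-03-01T11:18:05Z,198.51.100.22,377000,9001,59.00,approved,
"""


def parse_log(text: str) -> list:
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        r["amount"] = float(r["amount"])
        rows.append(r)
    return rows


def window_stats(events: list, window_seconds: int) -> dict:
    """Largest burst inside any sliding window, plus whole-group ratios."""
    events = sorted(events, key=lambda e: e["ts"])
    best, j = 0, 0
    for i in range(len(events)):
        while (events[i]["ts"] - events[j]["ts"]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    declined = sum(1 for e in events if e["result"] == "declined")
    return {
        "attempts": len(events),
        "max_in_window": best,
        "decline_rate": declined / len(events),
        "distinct_cards": len({(e["bin"], e["last4"]) for e in events}),
        "median_amount": sorted(e["amount"] for e in events)[len(events) // 2],
    }


def detect_card_testing(log_text: str, window_seconds: int = 120, min_in_window: int = 8,
                        decline_threshold: float = 0.8, small_amount: float = 5.0) -> list:
    rows = parse_log(log_text)
    alerts = []
    # Group per source IP (catches a single bot) and per BIN across all IPs
    # (catches an attack spread over many addresses to dodge per-IP limits).
    for key_type in ("ip", "bin"):
        groups = defaultdict(list)
        for r in rows:
            groups[r[key_type]].append(r)
        for key, events in groups.items():
            s = window_stats(events, window_seconds)
            reasons = []
            if s["max_in_window"] >= min_in_window:
                reasons.append("burst")
            if s["decline_rate"] >= decline_threshold:
                reasons.append("high_decline_rate")
            if s["median_amount"] <= small_amount:
                reasons.append("small_amounts")
            if s["distinct_cards"] >= min_in_window:
                reasons.append("many_cards")
            # A burst alone could be a flash sale; require a fraud signal with it.
            if "burst" in reasons and ("high_decline_rate" in reasons
                                       or {"many_cards", "small_amounts"} <= set(reasons)):
                alerts.append({"key_type": key_type, "key": key, "reasons": reasons, "stats": s})
    return alerts


def alert_keys(alerts: list) -> set:
    return {(a["key_type"], a["key"]) for a in alerts}


if __name__ == "__main__":
    for a in detect_card_testing(SAMPLE_LOG):
        print(a["key_type"], a["key"], a["reasons"], a["stats"])
```

Note what the per-IP view misses: the three attempts from 203.0.113.8 never reach the burst threshold on their own, and only the per-BIN grouping ties them to the same attack. In production the same logic would run over a streaming window rather than a batch, and the thresholds would be tuned against the merchant’s normal decline rate and order size.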
10 Ways Merchants Can Prevent BIN Attacks
Now that we have a good idea of what to look for and how to spot a potential attack, let’s talk about how we can use this information to help prevent a BIN attack from happening in the first place.
Fortunately, businesses have various tools at their disposal to counteract BIN attacks. Let's examine ten strategies businesses can use to fend off BIN attacks:
No system is 100% foolproof. However, by being proactive and implementing multiple security measures, businesses can significantly reduce their risk of falling victim to BIN attacks and card testing fraud.
Multifaceted Strategies Work Best
Merchants should keep in mind that preventing BIN attacks and card testing fraud is only part of the battle.
A multifaceted fraud prevention strategy is the only truly effective approach. This will enable merchants to detect criminal activity like BIN attacks, as well as first-party threats like friendly fraud, while also streamlining the payment process.
Looking to improve your fraud prevention efforts and also limit your exposure to other sources of loss? Chargebacks911® can help. By combining advanced fraud detection techniques with comprehensive chargeback management strategies, merchants can get back to focusing on what matters most: growing the business and serving their customers.
FAQs
What is a brute force BIN attack?
The first six digits of a card number (eight, on ranges that have moved to the newer standard) are the Bank Identification Number. In a BIN attack, a scammer holds that prefix fixed and uses a “brute force” method, cycling through the remaining digits along with expiration dates and CVV codes, until the issuer accepts a combination.
What is the solution to BIN attacks?
From a merchant’s standpoint, the most important practices are velocity limits that cap authorization attempts per IP address, card, BIN, and checkout session, plus tools aimed at detecting bot activity. Requiring the CVV and a billing-address match on every transaction also raises the cost of each guess.
There isn’t really any way for consumers to stop people or machines from randomly guessing credit card combinations. That said, if consumers concentrate on keeping updated and informed about their financial health and security, they are far more likely to catch a BIN attack before it does serious damage to their finances.
What does BIN mean in credit cards?
“BIN” stands for “Bank Identification Number” (the ISO standard calls it the Issuer Identification Number). It is the leading six digits, eight on newer ranges, of the account number printed on the face of a credit or debit card, and it identifies the bank which issued the card in question.
What is the difference between card testing and BIN attack?
BIN attacks are very similar to, but not quite the same as, card testing fraud. A BIN attack targets account numbers to “crack” the user’s credit card information with automated software. Card testing, on the other hand, is generally a by-product of a successful BIN attack. Once a card has been determined active, it can then be tested to determine if it can be used to commit other acts of fraud.
How do you read a BIN on a card?
The BIN is the first six digits of the card number on the front of a credit or debit card; on ranges that have moved to the newer eight-digit standard, it is the first eight.