BIN AttackHow to Stop “Card Crackers” Before It’s Too Late

June 20, 2023 | 13 min read

This image was created by artificial intelligence using the following prompts:

A credit card broken in half with an image on white, in the style of accurate and detailed, red and teal.

BIN Attacks

In a Nutshell

Just like many businesses and banks, credit card fraud is looking to automate. BIN attacks are the next big thing in fraud. Are you prepared to fight back? This article will explain everything both consumers and merchants need to know to protect themselves or their businesses from BIN attacks and card testing fraud.

20 tips for Consumers & Merchants to Fight Back Against BIN Attacks & Card Testing Fraud

Americans lost $8.8 billion in 2022 due to credit card fraud, according to new data published by the FTC. This covers attacks involving a lot of different tactics. However, one specific technique known as a BIN attack has become a standout issue in the last couple of years. 

Criminals engaging in BIN attacks use a “brute force” method. This involves systematically guessing all possible combinations of credit card details, typically using a bot network to do so, until they find a valid account number. Once they do, they can then use that information to commit all kinds of fraud in the cardholder’s name. 

So, what is a BIN attack exactly? How can consumers and merchants collaborate to prevent these scames? Let’s find out.

What is a BIN Attack?

BIN Attack

[noun]/bin • uh • tak/

A BIN attack occurs where a scammer sets a BIN (or “Banking Identification Number”) in place, then cycles through random numbers, trying to guess a valid combination of a 16-digit credit card number, expiration date, and CVV number.

Pull out your wallet and look at the 16-digit number on the card face. The first six digits of that number are the BIN, or “Banking Identification Number.” This number identifies the bank that issued the card. Not all cards issued by that bank will have the same BIN; some banks, like Bank of America for example, are big enough to have multiple BINs. That said, all cards with a matching BIN will be issued by the same bank.

Learn more about BIN codes

With a BIN attack, the scammer takes a “brute force” approach to identity theft. They set the BIN in place, then just cycle through random numbers until they find a combination that works.

BIN attacks are very similar to, but not quite the same as card testing fraud. A BIN attack targets account numbers to “crack” the user’s credit card information with automated software. Card testing, on the other hand, is generally a by-product of a successful BIN attack. Once a card has been determined active, it can then be tested to determine if it can be used to commit other acts of fraud. 

Yes, it's primitive. But, with the benefit of bot technology, fraudsters can cycle through hundreds or thousands of combinations in seconds. Thus, randomized BIN attacks can be very effective.

How Does a BIN Attack Work?

So, how do scammers actually go about conducting a BIN attack? Here’s a general overview of the steps in the process:

  • A scammer selects the BIN code for their targeted bank. These numbers are accessible to the public, making them relatively easy to obtain.
  • By deploying specialized software like auto-dialers, the scammer can randomly generate thousands of potential card numbers associated with the targeted bank BIN.
  • The next step involves validating these credentials. The scam artist finds a suitable online retailer or donation page for this purpose.
  • Card testing commences. The fraudster, typically employing bots to automate the process, makes repeated small purchase attempts using each newly generated card number.
  • The fraudster keeps a record of any card details which generated a successful transaction. These valid numbers can be exploited for additional fraudulent transactions.
Defeat new fraud tactics and protect your revenue from scammers.REQUEST A DEMO

Bear in mind that the card number and CVV number must match. If these details are incorrect, the transaction will most likely be rejected.

This will naturally result in a surge of unusual activity for the merchant. Many merchants impose velocity limits to block sudden surges of suspicious activity. To combat this, scammers might involve multiple online retailers and services as part of a single BIN attack.

How BIN Attacks Affect Banks, Merchants, & Customers

BIN attack scams have detrimental effects on everyone involved in a transaction. Some of the impacts each can expect include:

Banks

Lost Funds: Rather than initiating a dispute for a low-value transaction, many banks will “write off” losses. These can add up quickly, depending on the scale of the attack.

Reputational Damage: Even if there’s nothing a bank can do to stop a BIN attack, a high-profile incident may still strain the institution’s relations with cardholders.

Merchants

Strained Relations With Banks: Banks may identify a merchant’s shop as a “soft target” for testing additional fraudulent cards, impacting future collaboration.

Reputational Damage: If a merchant is tied to a BIN attack, cardholders might spot a shop's name on their bank statement and forever link it with fraudulent activity.

Chargebacks: Depending on the dollar value and extent of the attack, merchants may get hit with chargebacks resulting from invalid transactions.

Customers

Wasted Time: Cardholders who identify a BIN attack must contact the bank and navigate through the procedures to recover their money.

Aggravation: Unlike other forms of fraud, such as card skimming, customers have no control over this type of attack, no matter how vigilant they are.

10 Ways Consumers Can Protect Themselves from BIN Attacks

Unfortunately, there isn’t much that can be done to keep a bot from guessing one’s credit card number. So long as these tools exist, they will be used by fraudsters for nefarious purposes. Plus, there’s almost no way for consumers to know when they’ve been targeted until it’s too late.

This doesn’t mean the average consumer is totally defenseless, though. There’s no reason to make it “easy” for scammers, after all.

Consumers should vigilantly monitor their accounts and protect their personal data to guard against BIN attacks, card testing fraud, and other threats. To that end, there are a few strategies consumers can deploy to keep their accounts safe:

#1 Regular Monitoring

Regularly check bank and credit card statements for any unauthorized charges. Even small transactions can be an indication of card testing.

#2 Alerts & Notifications

Set up transaction alerts with banks and credit card providers. This means you get notified for every transaction, allowing you to catch any unauthorized activity quickly.

#3 Secure Networks

Only use secure and private internet connections when making online transactions. Avoid public Wi-Fi networks when entering card details. Also, make sure only to provide card details on secure websites. Look for the padlock symbol and “https” in the website's URL, which signifies a secure connection.

#4 Credit Locks

Some banks offer the ability to lock and unlock one’s card through their mobile app. If a cardholder is not planning on using their card for a period of time, keeping it locked could add an extra layer of security.

#5 Strong Passwords

Use strong, unique passwords for all online banking and shopping accounts. A strong password includes a mix of upper and lower-case letters, numbers, and special characters. Avoid easily guessable information like a birth date or pet's name.

#6 Two-Factor Authentication

Use two-factor authentication (2FA) whenever possible. 2FA adds an extra layer of security by requiring a second form of verification, usually a text message or an email, in addition to a password.

#7 Secure Payment Services

Consider using secure payment services such as Apple Pay or Google Pay. These services hide your actual card number from the retailer, adding another layer of protection. Plus, most natively support 2FA tools like biometric authentication.

#8 Regular Software Updates

Ensure that all one’s devices and security software are up-to-date. Updates often include patches for security vulnerabilities that could be exploited by fraudsters.

#9 Regular Credit Checks

Regularly review credit reports for any suspicious activity. All credit users are entitled to one free report per year from each of the three major credit bureaus (Equifax, TransUnion, and Experian).

#10 Be Aware of Phishing Scams

Be cautious of emails, texts, or phone calls asking for personal or financial information. These could be phishing attempts. Always verify the source before giving out information.

Save time. Recover revenue. Prevent chargebacks.REQUEST A DEMO

Adhering to these practices can help consumers significantly reduce the risks of falling victim to BIN attacks and card testing fraud.

BIN attack prevention is a slightly more complex and involved process for merchants and financial institutions, though, as we’ll see below.

How to Detect a BIN Attack

Generally speaking, detecting a BIN attack involves identifying unusual patterns of credit card transactions. While it may not always be possible to prevent a BIN attack, timely detection can go a long way to mitigate potential damage. 

Here are a few ways merchants can spot a BIN attack:

  • Unusually Small Transactions: Look for numerous small transactions, especially from the same source. This suggests card testing.
  • High Number of Declined Transactions: A sudden surge in the number of declined transactions could indicate a BIN attack, as fraudsters often have to try many numbers before finding a valid card.
  • Repeated Transactions from the Same IP Address: Multiple attempts from the same IP address, particularly if many of them are declined.
  • Rapid Succession of Transactions: A high number of transactions are attempted in rapid succession.
  • Geographic Inconsistencies: Transactions are coming from an IP address in one country, but the cards being used are issued in another.
  • Multiple Cards from the Same BIN: Seeing multiple transaction attempts, all using different cards but having the same BIN and with similar products.
  • Unusual Time of Transactions: Transactions are attempted at odd hours when normal card usage is low.
  • Suspicious Merchant Account Behavior: Multiple transaction attempts followed by an unusually high chargeback ratio on a particular merchant account.
  • Abnormal Transaction Volumes: A sudden surge in the number of transactions or total transaction value.
  • Incomplete Cardholder Information: Transactions are being attempted with incomplete or incorrect cardholder information. This includes the CVV number, the expiration date, or the address details.

If any of these signs are detected, the appropriate parties should be alerted immediately to help prevent further fraudulent activity.

10 Ways Merchants Can Prevent BIN Attacks

Now that we have a good idea of what to look for and how to spot a potential attack, let’s talk about how we can use this information to help prevent a BIN attack from happening in the first place. 

Fortunately, businesses have various tools at their disposal to counteract BIN attacks. Let's examine ten strategies businesses can use to fend off BIN attacks:

Leverage Fraud Detection Software

Utilizing software designed to pinpoint questionable transactions and patterns can provide an early warning system for BIN attacks, allowing for proactive measures.

Invest in a Bot-Management Solution

Services targeted at detecting and flagging bot activity can help guard eCommerce sites from cyber threats, and also improve conversion rates in the process.

Adopt Multi-Factor Authentication (MFA)

Implementing MFA adds an extra security layer to transactions, complicating the task for cybercriminals trying to execute BIN attacks.

Incorporate Address Verification

Address verification aids in ensuring that the person executing a transaction is indeed the genuine cardholder. This is achieved by matching the billing address given by the cardholder with the one on the credit card issuer's records.

Train Employees

Employees should be equipped with the knowledge to identify and report suspicious activities. Furthermore, they should be familiar with proper transaction procedures to decrease fraud risks.

Establish Card Limits

Setting caps on how much can be charged to a card within a specific time frame can deter fraudsters from making large unauthorized purchases.

Use Decline Thresholds

By blocking a user after a certain number of declined attempts, businesses can stop potential fraudsters in their tracks.

Implement CAPTCHA

CAPTCHA, a system that verifies a user as human, can be a powerful tool in deterring automated technologies like those employed in BIN attacks.

Biometric Authentication

Encouraging fingerprint or facial recognition-enabled payment options like Apple Pay can add another layer of security to transactions.

Chargeback Analytics

A sudden spike in chargebacks (when customers contest a credit card charge) can be a red flag indicating potential BIN attacks or card testing. Chargeback analytics can be beneficial in recognizing these attacks.

Remember!

no system is 100% foolproof. However, by being proactive and implementing multiple security measures, businesses can significantly reduce their risk of falling victim to BIN attacks and card testing fraud.

Multifaceted Strategies Work Best

Merchants should keep in mind that preventing BIN attacks and card testing fraud is only part of the battle.

A multifaceted fraud prevention strategy is the only truly effective approach. This will enable merchants to detect criminal activity like BIN attacks, as well as first-party threats like friendly fraud, while also streamlining the payment process. 

Looking to improve your fraud prevention efforts and also limit your exposure to other sources of loss? Chargebacks911® can help. By combining advanced fraud detection techniques with comprehensive chargeback management strategies, merchants can get back to focusing on what matters most: growing the business and serving their customers.

FAQs

What is a brute force BIN attack?

The first six digits on a credit card represent the bank identification number. During a BIN (or “Banking Identification Number”) attack, a “brute force” method is used to try and decipher a valid mix of credit card number, expiration date, and CVV number.

A BIN attack occurs where a scammer sets a BIN in place, then cycles through random numbers, trying to guess a valid combination of a 16-digit credit card number, expiration date, and CVV number.

What is the solution to BIN attacks?

From a merchant’s standpoint, the most important practice is to deploy velocity limits to block card testing, plus tools aimed at detecting bot activity.

There isn’t really any way for consumers to stop people or machines from randomly guessing credit card combinations. That said, if consumers concentrate on keeping updated and informed about their financial health and security, they are far more likely to catch a BIN attack before it does serious damage to their finances.

What does BIN mean in credit cards?

“BIN” stands for “Banking Identification Number.” The first six digits of the 16-digit account number printed on the face of a credit or debit card are the BIN. This number identifies the bank which issued the card in question.

What is the difference between card testing and BIN attack?

BIN attacks are very similar to, but not quite the same as card testing fraud. A BIN attack targets account numbers to “crack” the user’s credit card information with automated software. Card testing, on the other hand, is generally a by-product of a successful BIN attack. Once a card has been determined active, it can then be tested to determine if it can be used to commit other acts of fraud.

How do you read a BIN on a card?

A BIN number is typically represented by the first six numbers on a cardholder’s credit or debit card.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
triangle shape background particle triangle shape background particle triangle shape background particle
Please share a few details and we'll connect with you!
Revenue Recovery icon
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form
Embed code has been copied to clipboard