BIN Attack: How to Stop “Card Crackers” Before It’s Too Late

June 20, 2023 | 13 min read

BIN Attacks

In a Nutshell

Just like many businesses and banks, credit card fraudsters are looking to automate. BIN attacks are the next big thing in fraud. Are you prepared to fight back? This article will explain everything both consumers and merchants need to know to protect themselves or their businesses from BIN attacks and card testing fraud.

20 Tips for Consumers & Merchants to Fight Back Against BIN Attacks & Card Testing Fraud

Americans lost $8.8 billion in 2022 due to credit card fraud, according to new data published by the FTC. This covers attacks involving a lot of different tactics. However, one specific technique known as a BIN attack has become a standout issue in the last couple of years. 

Criminals engaging in BIN attacks use a “brute force” method. This involves systematically guessing all possible combinations of credit card details, typically using a bot network to do so, until they find a valid account number. Once they do, they can then use that information to commit all kinds of fraud in the cardholder’s name. 

So, what is a BIN attack exactly? How can consumers and merchants collaborate to prevent these scams? Let’s find out.

What is a BIN Attack?

BIN Attack

[noun]/bin • uh • tak/

A BIN attack occurs when a scammer sets a BIN (or “Banking Identification Number”) in place, then cycles through random numbers, trying to guess a valid combination of a 16-digit credit card number, expiration date, and CVV number.

Pull out your wallet and look at the 16-digit number on the card face. The first six digits of that number are the BIN, or “Banking Identification Number.” This number identifies the bank that issued the card. Not all cards issued by that bank will have the same BIN; some banks, such as Bank of America, are big enough to have multiple BINs. That said, all cards with a matching BIN will be issued by the same bank.

With a BIN attack, the scammer takes a “brute force” approach to identity theft. They set the BIN in place, then just cycle through random numbers until they find a combination that works.

BIN attacks are very similar to, but not quite the same as, card testing fraud. A BIN attack targets account numbers to “crack” the user’s credit card information with automated software. Card testing, on the other hand, is generally a by-product of a successful BIN attack. Once a card has been determined active, it can then be tested to determine if it can be used to commit other acts of fraud.

Yes, it's primitive. But, with the benefit of bot technology, fraudsters can cycle through hundreds or thousands of combinations in seconds. Thus, randomized BIN attacks can be very effective.

How Does a BIN Attack Work?

So, how do scammers actually go about conducting a BIN attack? Here’s a general overview of the steps in the process:

  • A scammer selects the BIN code for their targeted bank. These numbers are accessible to the public, making them relatively easy to obtain.
  • By deploying specialized software like auto-dialers, the scammer can randomly generate thousands of potential card numbers associated with the targeted bank BIN.
  • The next step involves validating these credentials. The scam artist finds a suitable online retailer or donation page for this purpose.
  • Card testing commences. The fraudster, typically employing bots to automate the process, makes repeated small purchase attempts using each newly generated card number.
  • The fraudster keeps a record of any card details which generated a successful transaction. These valid numbers can be exploited for additional fraudulent transactions.

Bear in mind that the card number and CVV number must match. If these details are incorrect, the transaction will most likely be rejected.

This will naturally result in a surge of unusual activity for the merchant. Many merchants impose velocity limits to block sudden surges of suspicious activity. To combat this, scammers might involve multiple online retailers and services as part of a single BIN attack.

How BIN Attacks Affect Banks, Merchants, & Customers

BIN attack scams have detrimental effects on everyone involved in a transaction. Some of the impacts each can expect include:

Banks

Lost Funds: Rather than initiating a dispute for a low-value transaction, many banks will “write off” losses. These can add up quickly, depending on the scale of the attack.

Reputational Damage: Even if there’s nothing a bank can do to stop a BIN attack, a high-profile incident may still strain the institution’s relations with cardholders.

Merchants

Strained Relations With Banks: Banks may identify a merchant’s shop as a “soft target” for testing additional fraudulent cards, impacting future collaboration.

Reputational Damage: If a merchant is tied to a BIN attack, cardholders might spot a shop's name on their bank statement and forever link it with fraudulent activity.

Chargebacks: Depending on the dollar value and extent of the attack, merchants may get hit with chargebacks resulting from invalid transactions.

Customers

Wasted Time: Cardholders who identify a BIN attack must contact the bank and navigate through the procedures to recover their money.

Aggravation: Unlike other forms of fraud, such as card skimming, customers have no control over this type of attack, no matter how vigilant they are.

10 Ways Consumers Can Protect Themselves from BIN Attacks

Unfortunately, there isn’t much that can be done to keep a bot from guessing one’s credit card number. So long as these tools exist, they will be used by fraudsters for nefarious purposes. Plus, there’s almost no way for consumers to know when they’ve been targeted until it’s too late.

This doesn’t mean the average consumer is totally defenseless, though. There’s no reason to make it “easy” for scammers, after all.

Consumers should vigilantly monitor their accounts and protect their personal data to guard against BIN attacks, card testing fraud, and other threats. To that end, there are a few strategies consumers can deploy to keep their accounts safe:

#1 Regular Monitoring

Regularly check bank and credit card statements for any unauthorized charges. Even small transactions can be an indication of card testing.

#2 Alerts & Notifications

Set up transaction alerts with banks and credit card providers. This means you get notified for every transaction, allowing you to catch any unauthorized activity quickly.

#3 Secure Networks

Only use secure and private internet connections when making online transactions. Avoid public Wi-Fi networks when entering card details. Also, make sure only to provide card details on secure websites. Look for the padlock symbol and “https” in the website's URL, which signifies a secure connection.

#4 Credit Locks

Some banks offer the ability to lock and unlock one’s card through their mobile app. If a cardholder is not planning on using their card for a period of time, keeping it locked could add an extra layer of security.

#5 Strong Passwords

Use strong, unique passwords for all online banking and shopping accounts. A strong password includes a mix of upper and lower-case letters, numbers, and special characters. Avoid easily guessable information like a birth date or pet's name.

#6 Two-Factor Authentication

Use two-factor authentication (2FA) whenever possible. 2FA adds an extra layer of security by requiring a second form of verification, usually a text message or an email, in addition to a password.

#7 Secure Payment Services

Consider using secure payment services such as Apple Pay or Google Pay. These services hide your actual card number from the retailer, adding another layer of protection. Plus, most natively support 2FA tools like biometric authentication.

#8 Regular Software Updates

Ensure that all one’s devices and security software are up-to-date. Updates often include patches for security vulnerabilities that could be exploited by fraudsters.

#9 Regular Credit Checks

Regularly review credit reports for any suspicious activity. All credit users are entitled to one free report per year from each of the three major credit bureaus (Equifax, TransUnion, and Experian).

#10 Be Aware of Phishing Scams

Be cautious of emails, texts, or phone calls asking for personal or financial information. These could be phishing attempts. Always verify the source before giving out information.

Adhering to these practices can help consumers significantly reduce the risks of falling victim to BIN attacks and card testing fraud.

BIN attack prevention is a slightly more complex and involved process for merchants and financial institutions, though, as we’ll see below.

How to Detect a BIN Attack

Generally speaking, detecting a BIN attack involves identifying unusual patterns of credit card transactions. While it may not always be possible to prevent a BIN attack, timely detection can go a long way to mitigate potential damage. 

Here are a few ways merchants can spot a BIN attack:

  • Unusually Small Transactions: Look for numerous small transactions, especially from the same source. This suggests card testing.
  • High Number of Declined Transactions: A sudden surge in the number of declined transactions could indicate a BIN attack, as fraudsters often have to try many numbers before finding a valid card.
  • Repeated Transactions from the Same IP Address: Multiple attempts from the same IP address, particularly if many of them are declined.
  • Rapid Succession of Transactions: A high number of transactions are attempted in rapid succession.
  • Geographic Inconsistencies: Transactions are coming from an IP address in one country, but the cards being used are issued in another.
  • Multiple Cards from the Same BIN: Seeing multiple transaction attempts, all using different cards but having the same BIN and with similar products.
  • Unusual Time of Transactions: Transactions are attempted at odd hours when normal card usage is low.
  • Suspicious Merchant Account Behavior: Multiple transaction attempts followed by an unusually high chargeback ratio on a particular merchant account.
  • Abnormal Transaction Volumes: A sudden surge in the number of transactions or total transaction value.
  • Incomplete Cardholder Information: Transactions are being attempted with incomplete or incorrect cardholder information. This includes the CVV number, the expiration date, or the address details.

If any of these signs are detected, the appropriate parties should be alerted immediately to help prevent further fraudulent activity.
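
The signs listed above can be checked mechanically against a merchant's authorization log. The following is an added example, not code from the original article: it scans a constructed log for four of the listed signals per source IP (rapid succession, high decline rate, small amounts, many cards sharing one BIN). The record layout, field names, thresholds and sample data are all assumptions made for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Txn = namedtuple("Txn", "ts ip bin card_token amount approved")

def detect_card_testing(txns, window=timedelta(minutes=5), min_attempts=10,
                        decline_ratio=0.8, small_amount=2.00, min_cards=5):
    """Return {ip: sorted signals} for sources whose traffic looks like card testing.
    Thresholds are illustrative assumptions, not values from the article."""
    by_ip = defaultdict(list)
    for t in txns:
        by_ip[t.ip].append(t)
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda t: t.ts)
        signals, start = set(), 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` of time.
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            if len(win) < min_attempts:
                continue
            signals.add("rapid succession")
            declined = sum(not t.approved for t in win)
            if declined / len(win) >= decline_ratio:
                signals.add("high decline rate")
            if sum(t.amount <= small_amount for t in win) / len(win) >= 0.8:
                signals.add("small amounts")
            cards_per_bin = defaultdict(set)
            for t in win:
                cards_per_bin[t.bin].add(t.card_token)
            if max(len(c) for c in cards_per_bin.values()) >= min_cards:
                signals.add("many cards, one BIN")
        if signals:
            flagged[ip] = sorted(signals)
    return flagged

# Constructed sample data: documentation IP ranges, made-up BINs and card tokens.
T0 = datetime(2023, 6, 20, 3, 0, 0)
SAMPLE = [Txn(T0 + timedelta(seconds=2 * i), "203.0.113.7", "400000",
              f"tok_{i:03d}", 1.00, i % 20 == 19) for i in range(40)]
SAMPLE += [Txn(T0 + timedelta(hours=11, minutes=5 * i), "198.51.100.20", "510000",
               "tok_cust", 59.90 + i, True) for i in range(3)]

if __name__ == "__main__":
    for ip, signals in detect_card_testing(SAMPLE).items():
        print(ip, "->", ", ".join(signals))
```

The log stores a card token rather than the card number, so the check can count distinct cards per BIN without keeping full account numbers in the fraud pipeline.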

10 Ways Merchants Can Prevent BIN Attacks

Now that we have a good idea of what to look for and how to spot a potential attack, let’s talk about how we can use this information to help prevent a BIN attack from happening in the first place. 

Fortunately, businesses have various tools at their disposal to counteract BIN attacks. Let's examine ten strategies businesses can use to fend off BIN attacks:

Leverage Fraud Detection Software

Utilizing software designed to pinpoint questionable transactions and patterns can provide an early warning system for BIN attacks, allowing for proactive measures.

Invest in a Bot-Management Solution

Services targeted at detecting and flagging bot activity can help guard eCommerce sites from cyber threats, and also improve conversion rates in the process.

Adopt Multi-Factor Authentication (MFA)

Implementing MFA adds an extra security layer to transactions, complicating the task for cybercriminals trying to execute BIN attacks.

Incorporate Address Verification

Address verification aids in ensuring that the person executing a transaction is indeed the genuine cardholder. This is achieved by matching the billing address given by the cardholder with the one on the credit card issuer's records.

Train Employees

Employees should be equipped with the knowledge to identify and report suspicious activities. Furthermore, they should be familiar with proper transaction procedures to decrease fraud risks.

Establish Card Limits

Setting caps on how much can be charged to a card within a specific time frame can deter fraudsters from making large unauthorized purchases.

Use Decline Thresholds

By blocking a user after a certain number of declined attempts, businesses can stop potential fraudsters in their tracks.
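
Card limits and decline thresholds are both velocity limits, and one small gate in front of the payment processor can enforce them together. This is an added example, not code from the original article: the class name, the limits (3 declines per 10 minutes, 500.00 per card per day) and the idea of keying clients by IP are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

class CheckoutGuard:
    """Sliding-window decline threshold per client and spend cap per card.
    Limits are illustrative; `client` is any key the shop trusts, `card_token` a tokenized card."""
    def __init__(self, max_declines=3, decline_window=600,
                 card_cap=500.00, cap_window=86400, clock=time.monotonic):
        self.max_declines, self.decline_window = max_declines, decline_window
        self.card_cap, self.cap_window, self.clock = card_cap, cap_window, clock
        self._declines = defaultdict(deque)  # client -> (time, 1) per decline
        self._spend = defaultdict(deque)     # card_token -> (time, amount) per approval

    @staticmethod
    def _live(queue, now, horizon):
        while queue and now - queue[0][0] >= horizon:
            queue.popleft()  # entry has aged out of the window
        return queue

    def allow(self, client, card_token, amount):
        """Call before sending the authorization; returns (allowed, reason)."""
        now = self.clock()
        if len(self._live(self._declines[client], now, self.decline_window)) >= self.max_declines:
            return False, "decline threshold reached"
        spent = sum(a for _, a in self._live(self._spend[card_token], now, self.cap_window))
        if spent + amount > self.card_cap:
            return False, "card limit exceeded"
        return True, "ok"

    def record(self, client, card_token, amount, approved):
        """Call with the processor's answer so later decisions see it."""
        queue = self._spend[card_token] if approved else self._declines[client]
        queue.append((self.clock(), amount if approved else 1))

def replay_guessing_run(attempts=5):
    """Constructed scenario: one client submits guessed cards that all decline."""
    now = [0.0]
    guard = CheckoutGuard(clock=lambda: now[0])
    decisions = []
    for i in range(attempts):
        allowed, _ = guard.allow("203.0.113.7", f"tok_{i}", 1.00)
        decisions.append(allowed)
        if allowed:
            guard.record("203.0.113.7", f"tok_{i}", 1.00, approved=False)
        now[0] += 2  # two seconds between attempts
    return decisions

if __name__ == "__main__":
    print(replay_guessing_run())
```

Because the threshold is keyed on the client, it does nothing against an attack spread across many sources or many shops, which is why the article pairs it with bot management and fraud detection.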

Implement CAPTCHA

CAPTCHA, a system that verifies a user as human, can be a powerful tool in deterring automated technologies like those employed in BIN attacks.

Biometric Authentication

Encouraging fingerprint or facial recognition-enabled payment options like Apple Pay can add another layer of security to transactions.

Chargeback Analytics

A sudden spike in chargebacks (when customers contest a credit card charge) can be a red flag indicating potential BIN attacks or card testing. Chargeback analytics can be beneficial in recognizing these attacks.

Remember!

No system is 100% foolproof. However, by being proactive and implementing multiple security measures, businesses can significantly reduce their risk of falling victim to BIN attacks and card testing fraud.

Multifaceted Strategies Work Best

Merchants should keep in mind that preventing BIN attacks and card testing fraud is only part of the battle.

A multifaceted fraud prevention strategy is the only truly effective approach. This will enable merchants to detect criminal activity like BIN attacks, as well as first-party threats like friendly fraud, while also streamlining the payment process. 

Looking to improve your fraud prevention efforts and also limit your exposure to other sources of loss? Chargebacks911® can help. By combining advanced fraud detection techniques with comprehensive chargeback management strategies, merchants can get back to focusing on what matters most: growing the business and serving their customers.

FAQs

What is a brute force BIN attack?

The first six digits on a credit card represent the bank identification number. During a BIN (or “Banking Identification Number”) attack, a “brute force” method is used to try and decipher a valid mix of credit card number, expiration date, and CVV number.

A BIN attack occurs when a scammer sets a BIN in place, then cycles through random numbers, trying to guess a valid combination of a 16-digit credit card number, expiration date, and CVV number.

What is the solution to BIN attacks?

From a merchant’s standpoint, the most important practice is to deploy velocity limits to block card testing, plus tools aimed at detecting bot activity.

There isn’t really any way for consumers to stop people or machines from randomly guessing credit card combinations. That said, if consumers concentrate on keeping updated and informed about their financial health and security, they are far more likely to catch a BIN attack before it does serious damage to their finances.

What does BIN mean in credit cards?

“BIN” stands for “Banking Identification Number.” The first six digits of the 16-digit account number printed on the face of a credit or debit card are the BIN. This number identifies the bank which issued the card in question.

What is the difference between card testing and BIN attack?

BIN attacks are very similar to, but not quite the same as, card testing fraud. A BIN attack targets account numbers to “crack” the user’s credit card information with automated software. Card testing, on the other hand, is generally a by-product of a successful BIN attack. Once a card has been determined active, it can then be tested to determine if it can be used to commit other acts of fraud.

How do you read a BIN on a card?

A BIN number is typically represented by the first six numbers on a cardholder’s credit or debit card.
