Brute-force BIN attacks are a type of credit and debit card fraud that creates headaches for many. The good news, however, is that merchants have a unique advantage in terms of fighting back – and reducing risk for everyone.
When it comes to swiping other people’s credit and debit card information, criminals have a ton of clever tricks up their sleeves. Like the card skimmers they love to install on digital payment machines. Or the unsecure public Wi-Fi networks they exploit to breach users’ devices. And who could forget the good old-fashioned pickpocket approach, a timeless classic.
Indeed, from phishing emails and text messages to scam calls to dumpster dives and everything in between, fraudsters have truly run the gamut to get their greedy hands on victims’ hard-earned money. It’s created problems for consumers, businesses and banks alike. But there’s a newer, more sophisticated technique that reigns supreme above the rest – a different kind of animal entirely – and it’s taking the world by brute force.
So, what is a BIN attack? We’re glad you asked! A BIN attack, or “BIN scamming,” is a technique hackers use to systematically piece together payment card information on a mass scale. Through trial and error, they use a “brute force” computer algorithm that can process thousands of cards in seconds. Criminals sift through variations of account numbers, expiration dates and security codes (CVV) until – BINGO! They have a promising combination.
The worst part? All scammers need to get started are the first four to six digits that identify a card’s issuing bank and network – AKA the banking identification number (BIN) – which is technically public information. From there, all bets are off until hackers suddenly make off with the funds. That’s the beef with BIN attacks: Unlike other forms of fraud, they’re extremely tough to detect and block in real time.
But they have weaknesses. Putting a lid on randomized BIN attacks – that is, to detect them earlier and lessen their impact – starts with understanding how they work, so proper mitigation measures can be set up. Unfortunately and unfairly, in this case, those in the best position to act are merchants.
Once a fraudster has secured a host of card portfolios, they’ll do what criminals do best: spend, spend, spend. But probably not in the way one would think, at least not at first. They’ll start small because it’s in their best interest to do so. Using “card testing,” criminals will remotely initiate multiple microtransactions to weed out working cards. To make matters even worse, they’ll often make a single merchant their guinea pig – and an unwitting accomplice in the process.
From there, it’s a race against the clock. Hackers will likely either: 1) take their successful card credentials and proceed to spend in larger amounts until the money runs out or the fraud is detected by a cardholder or supporting financial institution; or 2) sell the card information on the dark web. Either way, it’s bad news for merchants, consumers and banks. Here’s why:
There are many reasons why merchants get miffed when hit with BIN attacks. As mentioned previously, they’re often on the front lines of the insurgence, facing a barrage of uncontrollable test transactions. This can lead to reputation damage, for one, and even strained relationships with business partners or financial institutions that may see them as a liability. There could even be regulatory ramifications.
BIN attacks could also result in an explosion of interchange fees, which are the dues merchants pay for a bank’s acceptance of card-based transactions. As a result, they may have to pay even more to simply dispute these fees. Not to mention, merchants may also get hit with increased chargebacks, which is when a charge is repaid to a card in the event a customer successfully disputes a transaction.
Cardholders feel the pain, too, especially in the form of wasted time. Becoming the target of a BIN attack means they have to contact their financial institution to try to recover their money and get new credentials. Additionally, like merchants, consumers often have zero control over this type of attack, which ushers in a sense of helplessness and anxiety.
At the end of the day, when credit and debit card scams result in missing funds, card issuers usually take the hit, financially. And, depending on the amount lost, initiating a dispute usually isn’t worth the trouble. Like merchants, banks can suffer undeserved reputational damage, as well, which ultimately impacts consumer trust.
Partnering with a bank that not only empathizes with those targeted by a BIN attack – but goes the extra mile to deter and detect crime in the first place – is a smart move. Gate City Bank, for example, continuously monitors accounts and sends out real-time fraud alerts, which brings peace of mind.
Ready for the best news? At the end of the day, fraud doesn’t have to get the final word. There are ways to fight back – and the BINsters won’t even see it coming.
Merchants (and everyone else!) are anything but powerless in the battle against credit and debit card fraud. Here are five helpful ways to counteract brute-force BIN attacks:
When learning how to prevent fraud of any kind, there’s often no school like the old school. Manually monitoring accounts – and often – is key for spotting red flags. This is especially true for BIN attacks.
In a nutshell, merchants should be on the lookout for a high volume of small transactions within a short amount of time, as well as recurring account numbers using different expiration dates – in other words, a con’s cocktail. Declined transactions due to incomplete cardholder information and CVV authorization errors are also suspicious, as are multiple transactions coming from the same IP address.
Location is another important factor to consider. For example, if an IP address originates in one country but uses cards issued in another, that could be a sign of fraud. Timing is telling, too. If transactions are attempted at odd hours, unlike normal card traffic, it could spell trouble.
Merchants have access to many tools that can help with mitigating BIN attacks. Velocity-checking software is a big one, automatically serving as a second set of eyes for monitoring how often certain transaction anomalies occur. CAPTCHA software is another – because it helps distinguish whether a user is human or a mere computer bot. A tool associated with artificial intelligence, CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.”
Additionally, user and address verification are handy ways to foil the fraudsters. In that same vein, by using certified payment gateways, merchants have access to CVV-matching capabilities, which can stop criminals in their tracks early on.
Two-factor authentication (2FA) is yet another useful arrow in merchants’ anti-fraud quiver, and is proving to be a true seller’s stronghold. It offers a secondary layer of protection by verifying a cardholder’s identity before they’re allowed to make a purchase.
In addition to knowing what BIN attack signs to look for and what tools to use, business owners should pass that knowledge on to their staff members. By doing so, they’ll up the ante as vigilantes, fending off credit and debit card fraud left and right – and in a timely fashion.
Capping how much can be charged to a card within a specific time frame is a simple yet effective approach. To some extent, it makes fraudsters’ nefarious attempts pointless – at least when they’re targeting a single merchant.
Similar to tip #4, since the whole idea behind BIN attacks is for criminals to sneak in as many fraudulent transactions as possible in a short amount of time, it makes sense to limit the number of transactions within a certain time period. Once fraudsters reach the threshold, cut them off!
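The warning signs listed under manual monitoring and the transaction threshold described above can be combined into a single velocity check. The sketch below is an added example, not code from this article or from any payment product; the record fields, thresholds, flag names and sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque, namedtuple

# Constructed record layout; card is a gateway token, never the raw card number.
Txn = namedtuple("Txn", "ts ip ip_country card card_country expiry amount decline")

# Assumed thresholds; tune against your own normal card traffic.
WINDOW, SMALL_AMOUNT = 60.0, 2.00       # seconds; ceiling for a "small" charge
MAX_SMALL, MAX_CVV_FAILS, MAX_EXPIRIES = 5, 3, 2

class VelocityMonitor:
    def __init__(self):
        self.small = defaultdict(deque)      # ip -> timestamps of small charges
        self.cvv_fails = defaultdict(deque)  # ip -> timestamps of CVV declines
        self.expiries = defaultdict(set)     # card -> expiry dates tried
        self.blocked = set()                 # IPs cut off after a velocity flag

    def _count(self, q, ts):
        """Record ts and return how many events fall inside the sliding window."""
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def check(self, t):
        if t.ip in self.blocked:
            return ["blocked_ip"]
        flags = []
        if t.amount <= SMALL_AMOUNT and self._count(self.small[t.ip], t.ts) > MAX_SMALL:
            flags.append("small_txn_velocity")
        if t.decline == "cvv_mismatch" and self._count(self.cvv_fails[t.ip], t.ts) > MAX_CVV_FAILS:
            flags.append("cvv_failures")
        self.expiries[t.card].add(t.expiry)
        if len(self.expiries[t.card]) > MAX_EXPIRIES:
            flags.append("expiry_cycling")
        if flags:                            # threshold reached: cut the source off
            self.blocked.add(t.ip)
        if t.ip_country != t.card_country:   # weak signal alone, so never blocks
            flags.append("geo_mismatch")
        return flags

def run_sample():
    """Replay constructed transactions (documentation-range IPs) through the monitor."""
    txns = [Txn(0, "198.51.100.20", "US", "tok_A", "US", "12/27", 42.50, "")]
    txns += [Txn(10 + i, "203.0.113.7", "ZZ", f"tok_{i}", "US", "01/28", 1.00,
                 "cvv_mismatch" if i % 2 else "") for i in range(7)]
    txns += [Txn(100 + i, "192.0.2.55", "US", "tok_X", "US", exp, 25.00, "declined")
             for i, exp in enumerate(["01/27", "02/27", "03/27"])]
    mon = VelocityMonitor()
    return [mon.check(t) for t in txns]
```

In the sample, the ordinary purchase passes clean, the sixth small charge from one IP inside a minute trips the velocity flag and the seventh is refused outright, and a third expiry date tried against the same card token is flagged as expiry cycling.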
While it’s impossible to prevent fraudsters from attempting BIN attacks outright, there are opportunities to hinder their efforts. By following the helpful best practices laid out in this article, merchants and other targets can be in a better position to prevent fraud and reduce risk.
A GREAT place to start: Partner with a bank that understands the unfortunate reality of BIN attacks, empathizes with victims and has robust security features in place to get out in front of fraud. Gate City Bank, for example, makes it incredibly easy to set up helpful card controls and receive fraud alerts in real time.
If you haven’t been able to tell, nipping fraud in the bud is kind of our thing. So when a BIN attack rears its ugly head, turn to a bank you can trust – For a Better Way of Life.®