BIN attacks: What they are and how to protect yourself
8 min read
Banking identification number (BIN) attacks are a type of credit card fraud that attackers use to gain access to a card and make unauthorized purchases from it. In some cases, attackers can even use the card information to steal your identity. This makes it a crucial risk to watch out for. Here’s how to successfully identify if you’re experiencing a BIN attack (either as a customer or a merchant) and how to prevent it.
Contents
What is a BIN attack?
A BIN attack involves taking the first six to eight digits found on every debit or credit card (the bank identification number) and guessing the remaining details to gain access to a card. The purpose of BINs is simple: to identify the credit card issuer (usually a bank) during transactions so they can stop credit card fraud. But to a determined attacker, these digits can be the gateway toward payment card fraud.
A BIN attack isn’t the only type of credit card fraud that people should watch out for. However, this type of attack is becoming more common since it’s theoretically easier and cheaper to carry out than other types of fraud. And because most credit card users aren’t aware of or actively protecting themselves against BIN attacks, it becomes an even more attractive avenue for criminals to exploit.
How does this type of credit card fraud work?
BIN attacks involve three specific steps: collection, generation, and testing. The process is relatively simple, and almost anyone with the right setup can do it. However, a BIN attack is more commonly conducted by criminal organizations and groups specifically dedicated to this type of fraud.
- Card collection: An attacker will try to generate a card by using the BIN of a specific bank by setting the first 6 to 8 numbers, which are usually publicly available. They then use bots/software to generate the rest of the card number and other details, like the CVV code (card verification value).
- Card validation: Once the brute force method has worked, the attacker will validate the cards by looking for merchants to make purchases from. These purchases are usually small enough to go through and not be immediately flagged for suspicious activity.
- Card testing: With repeated and small purchases, the attacker attempts to confirm their cracked cards. If a successful transaction occurs, the card is considered as “cracked” and the attack moves on to the rest of the brute-forced cards from their collection.
Once an attacker has gone through all three steps, they store a cracked card in a database to be sold off to the highest bidder. Alternatively, they can use it themselves to start making purchases in your name. If the issue continues to go unaddressed, your card can also be used to authorize other fraudulent transactions in your name, inflicting even more damage.
In theory, brute force attacks on card information are more trouble than they’re worth — it’s roughly “guessing” a bank identification number plus the rest of a 16-digit sequence. But with technology like number generators and other ways to refine an attack, hackers have increasingly turned to BIN attacks for personal gain.
The reason why more people have become victims of BIN attack fraud is that technology has gotten better at enabling these attacks. Previously, these attacks would have to be conducted manually or take plenty of time and effort. With today’s number generators and botnets, a successful attack can take place in days or hours.
Impact of BIN attacks
The damage from a credit card BIN attack isn’t limited to the person whose card was stolen. Everyone involved in the financial process is also badly affected. Here’s how these attacks can impact all parties involved:
Customers
Aside from financial loss, customers who have experienced BIN attacks are also at risk of identity theft. Depending on their credit card usage (and the issuing bank), attackers can also use credit card information to impersonate your identity online. If not addressed, attackers can keep using your identity as a cover for other illegal schemes.
Merchants
Merchants who’ve been a victim of BIN attacks can experience a loss of trust from their customers, banks, and other payment portals. Because BIN attacks can involve merchants and sellers even without them knowing, their simply being involved in a BIN attack — even an unsuccessful one — can result in a drastic loss of confidence in their security.
Payment portals
Payment gateways can also suffer reputational damage in the case of a successful BIN attack because merchants and customers trust these payment channels to be secure in validating card purchases. If the attack is coordinated enough, the multiple purchases used in card testing may potentially overwhelm the payment portal’s capability to process payments, leading to service interruptions.
Banks and financial institutions
When it comes to a bank’s credit card system, clients expect robust security measures to be in place. And BIN attacks are the fastest way to destroy this trust. Not only will the bank experience a loss of consumer confidence, but it may also be blocklisted by other banks, online merchants, and payment portals as a precaution.
Ways of detecting BIN attacks
While BIN attacks are relatively easy for attackers to execute, how they work also makes them prone to detection. Since they’re not as sophisticated compared to other forms of card fraud, you can look out for certain signs that can reliably indicate the occurrence of one.
Increased authorization requests
Many banks make it mandatory for credit card holders to authorize their purchases in another way, especially if it’s in significant amounts. A sudden increase in authorization requests can indicate that attackers are trying to validate the cards or conducting card testing.
Rate of attempted/approved transactions
Because of the automated nature of card generation/testing, it’s not uncommon for a “cracked” card to make hundreds of small transactions within a short period. These can be detected by either the issuing bank or the merchant being used to “test” these cards.
Validation errors
Most purchases require the input of other information normally found on the card, like the CVV or expiration date. A card that’s reporting multiple validation errors is possibly in the middle of being cracked in a BIN attack.
Unusual purchase behavior
Credit cards often have a traceable pattern of purchases depending on how they’re used by legitimate cardholders. Any deviation from this pattern — like increased spending or spending at unusual hours — can be detected by the bank or the merchant, which can also indicate a BIN attack.
How to prevent a BIN attack
Unfortunately, customers get the short end of the stick if they want to prevent BIN attacks, especially if they’ve been the victim of a more sophisticated approach. However, this doesn’t mean that they can’t take steps to protect themselves in cooperation with the security measures banks and merchants have in place to prevent this type of attack.
Regular transaction monitoring
Monitoring your transaction histories is crucial for BIN attack prevention. Most banks will have same- or next-day verification or posting of credit card purchases, which you can check by going online or calling the bank.
If you’ve been using your card frequently for online transactions, always check your transaction history as soon as possible to verify that there aren’t any unauthorized purchases.
2FA/MFA
Two-factor authentication (2FA) and multi-factor authentication (MFA) are security measures that let you approve credit card purchases from another device like your computer or phone. Sometimes you’ll also need to input separate details like authentication codes or personal information.
2FA and MFA are usually enabled for credit cards by default. However, if you’ve switched banks, have an older bank provider, or made changes in your account, make sure to enable the feature and other card verification methods.
Transaction Alerts
Clients who link their credit cards to their online banking will usually receive notifications if they’ve made a purchase. While not necessarily a security feature, these can be extremely helpful and can indicate unauthorized activity, like credit card testing.
If you’ve received a notification about a credit card activity that you didn’t authorize or any attempted purchases, call your bank immediately to lock your card to prevent further fraudulent transactions.
Secure networks
Payment portals, merchants, and banking institutions leverage secure networks to prevent attackers from gaining access to credit card transaction details. Many of these networks are either operated internally or outsourced to security companies and solutions.
Making sure that your network connection is secure (like using a VPN) can enhance your overall security on the internet whenever you’re using your credit card. Aside from that, you can also make sure that your transactions take place on a secure platform and connection.
Strong passwords
Some methods of attack involve getting access to the actual online account connected to the credit card. Easy targets of this method are people who don’t bother strengthening their passwords.
A simple way to keep your passwords secure is to check if the associated email addresses have been involved in data breaches. If they have — or even if you suspect you’ve been involved in a breach — change your password immediately.
Regular credit checks
A credit check shows patterns in credit card usage that can be lost in transaction histories, especially if the holder doesn’t check them too often. Credit checks can reveal plenty of data about spending habits or card usage that customers and banks may miss.
Conducting a regular credit check can give you a better overall picture of your financial transactions and can help you uncover potential BIN attacks. You can also conduct a further investigation if the credit checks come up with suspicious activity.
Watch out for phishing attacks
Phishing is a method of attack where a customer inputs their credit card information, personal data, and other credentials into a website or form that looks like it’s been issued by an official entity but is generated by an attacker. These attacks can be devastating because they often get all the details of a customer needed to validate a cracked card.
If you’re a consumer, always check that any form or website asking for your credit card information is legitimate. This includes checking the actual URL, webpage, or other elements in the form/site.
Avoid social engineering attacks
Social engineering relies on using human interaction and relationships to build trust and acquire crucial information. With enough details, attackers can then attempt BIN attacks tailored to you.
Educating yourself is a good way to prevent yourself from falling victim to social engineering attacks. But a good rule of thumb to follow is to verify whoever you’re talking to, no matter how legitimate they seem.
BIN attacks are scary — but preventable
Even the simplest precautions can often be enough of a deterrent to a casual BIN attacker. However, customers, merchants, and everyone involved in the financial process should implement security measures to lower the risk of BIN attacks.
Recognizing that BIN attacks are possible is the first step toward preventing them from happening. Awareness can help mitigate many of the risks associated with BIN attacks, and you can complement this awareness with conscious security habits concerning credit card usage. These two practices combined create a good line of defense against BIN attacks.
