Is Your Financial Institution Protected from a BIN Attack?

Written By: Gregory Lenihan, Fraud and Product Specialist at Rippleshot

BIN attacks are one of the most common credit card fraud threats negatively impacting financial institutions today. This is a type of fraud most commonly associated with Card-Not-Present (CNP) transactions.

In 2023, the Federal Trade Commission received 114,348 reports of credit card fraud, and those reports include a rising number of BIN attacks. There is also a significant rise in card-not-present (CNP) fraud, which currently comprises an estimated 80% of incidents across debit and credit cards. One of the main culprits of these fraud events is the BIN attack.

Total Cost of BIN Attacks

BIN stands for Bank Identification Number and it is a set of numbers, usually six, that identifies the institution that issued the card. When a card is swiped, the card machine scans the BIN, identifies the associated account, and then puts in a request to withdraw funds from the account in order to complete the transaction.

Financial institutions absorb the costs of fraudulent charges stemming from BIN attacks, which include both financial and operational expenses:

  • Fraud losses from compromised cards
  • Chargeback refunds
  • Call center costs
  • Card re-issuance events
  • FI reputational damage
  • Cardholder disruption
  • Interchange revenue losses 

BIN attacks can also place a serious strain on a financial institution's resources. The fraud team is responsible for the aftermath, which includes searching through electronic transaction trails for crucial details such as timestamps, geolocation and IP addresses. This painstaking process is necessary and expensive.

There are Various Types of BIN Attacks

Card-Not-Present Fraud

There’s a significant rise in card-not-present (CNP) fraud, which currently comprises over 80% of incidents across debit and credit cards. One of the main culprits of these fraud events is a BIN attack. The term ‘BIN attack’ has become an umbrella term for various types of CNP fraud. If you’re seeing a heavy transaction volume from one client, it’s safe to say your BIN is under attack.

Now What?   

  • Uncover the fraudster’s goals 
  • Define the attack
  • Prevent further exposure

Enumeration Attack

Fraudsters test merchants by attempting a few low-dollar transactions per card. If those are approved, they attempt additional transactions across many cards. The goal is to brute-force the card number space to find open cards that can then be sold on a card dump site. Because many of the card numbers tried don't exist, the response codes for this type of attack will be heavily populated with 'invalid card' responses.

Frequently an enumeration attack uses a merchant that’s been taken over (or breached). This means the fraudsters may not be able to complete the transactions and can only send the initial authorizations. The concern isn't fraud loss, but instead, the ability to identify new card numbers to use in later attacks or sell on the black market.

How to Protect Your Financial Institution

When a financial institution sees a spike in transactions, that’s a strong indicator that it is under attack. Since the attack has already commenced, the best reaction is to decline the appropriate transactions. However, this reactive stance still leaves the financial institution open to fraud losses and member disruption.

“The advantage of working with a fraud detection partner like Rippleshot is that we have the insights and data to proactively avoid fraud attacks,” said CEO Canh Tran. “By leveraging the fraud intelligence gathered from our data consortium from more than 5,000 banks and credit unions, we provide a summary of high risk merchants to our customers. Internal fraud teams leverage this information to write new rules that block fraudulent merchants before the first transaction hits.”

The following steps are designed to help you enhance your BIN attack protection strategy:

  1. Processing vendors are limited in the protection they can provide. Once you understand what tools they are using, you can explore partnering with a fraud detection platform like Rippleshot to complete your protection.
  2. Consider transaction limits on foreign countries. Many BIN attacks come from test transactions originating outside of the United States. (FinCEN regularly publishes advisories regarding what countries to consider blocking to avoid financial crimes.)
  3. Some BIN attacks focus on finding active cards that are most likely to have funds that can be withdrawn. Fraudsters will try to validate this by testing the cards with low-amount transactions. To prevent these approvals, you should implement a rule that blocks transactions at fraudulent merchants that are involved in BIN attacks.
  4. Identify fraudulent merchants by analyzing patterns in their transactional data similar to our High Risk Merchant list. You can claim your free copy by filling out this form.
  5. For legitimate merchants, set up a rule to monitor transaction velocity per hour and block transactions when the threshold is reached. This will allow time for your team to investigate the situation.

Although these preventive measures aren’t real-time, they can stop automated BIN attacks in their tracks, forcing fraudsters to move on to easier targets. Fraud from BIN attacks and compromised cards can take a week or longer to monetize, giving the financial institution time to act and stop the damage.

How to Handle

  • Identify fraud pattern for immediate merchant blocking
  • Contact your processor to create velocity rules
  • Review data from other financial institution fraud attacks
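The enumeration signature described above (many distinct card numbers, mostly 'invalid card' responses, low amounts) and the per-hour velocity rule from step 5 can be written as detection logic over authorization records. The following is an added example, not Rippleshot's code and not part of the original article. The merchant names, card tokens, amounts and thresholds are constructed for the example, and the response codes assume the ISO 8583 convention in which "14" means invalid card number and "00" means approved; what your processor actually returns is something to verify before using a rule like this.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authorization records: (merchant, ISO-8601 timestamp,
# card token, amount in USD, response code). Invented for this example.
# Response codes follow the common ISO 8583 convention: "00" approved,
# "14" invalid card number (the article's "invalid card" response).
# That your processor reports these exact codes is an assumption to verify.
SAMPLE_AUTHS = []

# A merchant being used for enumeration: 25 one-dollar attempts in one hour,
# each against a different card number; most don't exist, two happen to.
for i in range(25):
    code = "00" if i in (3, 17) else "14"
    SAMPLE_AUTHS.append(("MERCH-TEST-01", f"2024-03-01T02:00:{i:02d}",
                         f"tok-f{i:04d}", 1.00, code))

# A normal coffee shop: repeat customers, ordinary amounts, nothing to flag.
for i, (card, amount) in enumerate([("tok-a1", 4.25), ("tok-a2", 6.50),
                                    ("tok-a1", 3.75), ("tok-a3", 12.00),
                                    ("tok-a2", 4.25), ("tok-a4", 9.80)]):
    SAMPLE_AUTHS.append(("COFFEE-SHOP", f"2024-03-01T08:{i:02d}:00",
                         card, amount, "00"))

# A busy legitimate merchant: 30 approvals from 30 distinct cards in one hour.
for i in range(30):
    SAMPLE_AUTHS.append(("TICKET-SELLER", f"2024-03-01T19:{i:02d}:00",
                         f"tok-t{i:04d}", 45.00, "00"))

INVALID_CARD_CODES = {"14"}


def bucket_by_merchant_hour(auths):
    """Group authorizations into (merchant, hour) buckets; hour is an ISO string."""
    buckets = defaultdict(list)
    for merchant, ts, card, amount, code in auths:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[(merchant, hour.isoformat())].append((card, amount, code))
    return buckets


def flag_merchants(auths, min_attempts=20, invalid_ratio=0.5, distinct_ratio=0.9,
                   low_dollar=5.00, velocity_limit=25):
    """Return {(merchant, hour): metrics} for every bucket that trips a rule.

    verdict "enumeration": many distinct card numbers, mostly invalid-card
    responses -> block the merchant immediately (How to Handle, bullet 1).
    verdict "velocity": hourly volume over the limit without that signature
    -> hold further transactions so the team can investigate (step 5).
    """
    flagged = {}
    for key, txns in bucket_by_merchant_hour(auths).items():
        attempts = len(txns)
        if attempts < min_attempts:
            continue
        distinct_cards = len({card for card, _, _ in txns})
        invalid = sum(1 for _, _, code in txns if code in INVALID_CARD_CODES)
        low = sum(1 for _, amount, _ in txns if amount <= low_dollar)
        metrics = {
            "attempts": attempts,
            "distinct_cards": distinct_cards,
            "invalid_card_pct": round(100 * invalid / attempts),
            "low_dollar_pct": round(100 * low / attempts),
        }
        if (invalid / attempts >= invalid_ratio
                and distinct_cards / attempts >= distinct_ratio):
            metrics["verdict"] = "enumeration"
        elif attempts >= velocity_limit:
            metrics["verdict"] = "velocity"
        else:
            continue
        flagged[key] = metrics
    return flagged


if __name__ == "__main__":
    for (merchant, hour), metrics in sorted(flag_merchants(SAMPLE_AUTHS).items()):
        print(merchant, hour, metrics)
```

The two verdicts deliberately lead to different actions: an enumeration bucket is blocked outright because the traffic is not real customers, whereas a velocity bucket at an otherwise normal merchant only pauses further authorizations until someone looks, which is the "allow time for your team to investigate" behaviour step 5 asks for. Thresholds here are placeholders; tune them against your own merchant mix.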

CVV/CVV2 Testing 

This type of fraud testing looks similar to an enumeration attack, except that it takes the opposite approach. Instead of executing a “few transactions on many cards,” this attack involves “many transactions on a few cards.” Here the fraudsters believe they already hold a valid card number but are missing a piece of information, such as the CVV2 code, that they need to complete the fraudulent transaction.

For example, a CVV2 code has more than 1,000 possible values. A fraudster would have a 50% chance of finding the correct value with 278 attempts. There’s zero discretion with this type of brute force attack and the fraudster assumes they will be quickly exposed. Therefore, if they receive successful approval, they will use the card immediately. 

What Should You Do?

  • Monitor CVV2 declines by card
  • Take action after pre-set amount
  • Decline or restrict transactions on a high-volume card 
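The three bullets above (monitor CVV2 declines per card, act after a preset amount, decline or restrict the card) fit a small streaming monitor. The following is an added example written for this article, not Rippleshot's code; the card tokens, merchants and timestamps are constructed, and the result codes assume the common card-network convention where "M" is a CVV2 match and "N" a mismatch, which is an assumption to check against your processor's feed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CVV2 verification events: (card token, ISO timestamp, merchant,
# cvv2 result). Invented for this example. Result codes use the common
# network convention "M" = match, "N" = no match (assumption to verify).
SAMPLE_EVENTS = []

# A card being brute-forced: 12 wrong guesses in three minutes, then a hit.
for i in range(12):
    SAMPLE_EVENTS.append(("tok-v1", f"2024-03-02T14:0{i // 4}:{(i % 4) * 15:02d}",
                          "SHOP-X", "N"))
SAMPLE_EVENTS.append(("tok-v1", "2024-03-02T14:03:10", "SHOP-X", "M"))

# A legitimate cardholder who mistyped twice across a day, then got it right.
SAMPLE_EVENTS += [
    ("tok-v2", "2024-03-02T09:10:00", "GROCER", "N"),
    ("tok-v2", "2024-03-02T09:11:00", "GROCER", "M"),
    ("tok-v2", "2024-03-02T21:40:00", "PHARMACY", "N"),
    ("tok-v2", "2024-03-02T21:41:00", "PHARMACY", "M"),
]


class Cvv2Monitor:
    """Count CVV2 mismatches per card in a sliding window; restrict the card
    once the preset amount is reached so a later lucky guess is not usable."""

    def __init__(self, max_mismatches=5, window=timedelta(minutes=30),
                 restrict_for=timedelta(hours=24)):
        self.max_mismatches = max_mismatches
        self.window = window
        self.restrict_for = restrict_for
        self.mismatches = defaultdict(deque)   # card -> timestamps of "N" results
        self.restricted_until = {}             # card -> datetime

    def decide(self, card, ts, result):
        """Decision for one event, fed in time order.

        "count":    a mismatch below the threshold (the network already declined
                    the authorization itself; we only record it)
        "restrict": threshold reached, card restricted for restrict_for
        "decline":  any attempt, match or not, while the card is restricted
        "allow":    a match on an unrestricted card
        """
        now = datetime.fromisoformat(ts)
        until = self.restricted_until.get(card)
        if until is not None and now < until:
            return "decline"
        if result != "N":
            return "allow"
        q = self.mismatches[card]
        q.append(now)
        while q and now - q[0] > self.window:   # drop mismatches outside the window
            q.popleft()
        if len(q) >= self.max_mismatches:
            self.restricted_until[card] = now + self.restrict_for
            q.clear()
            return "restrict"
        return "count"


def run_monitor(events, **kwargs):
    """Replay events in timestamp order; return {card: [decision, ...]}."""
    monitor = Cvv2Monitor(**kwargs)
    decisions = defaultdict(list)
    for card, ts, _merchant, result in sorted(events, key=lambda e: e[1]):
        decisions[card].append(monitor.decide(card, ts, result))
    return dict(decisions)


if __name__ == "__main__":
    for card, verdicts in run_monitor(SAMPLE_EVENTS).items():
        print(card, verdicts)
```

The important design point is that the restriction is keyed on the card, not on the merchant, and that it applies to the eventual match as well: the article notes that a fraudster who finally gets an approval will use the card immediately, so the window in which a correct guess is still honoured has to be closed before that guess arrives. A genuine cardholder's occasional typo stays well under the threshold.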

Card Dump Testing 

There’s an entire industry that fraudsters have built to steal, test, and sell credit card information. Card dump testing is the only way to ensure that fraudsters are purchasing valid cards.

These tests can differ from site to site, but there are two types we see most often. The first type involves low-dollar authorizations with zero completions. The second type is to attempt lower-dollar transactions and associate them with legitimate-looking site names. Unfortunately, charity and political campaign sites often fall victim to this type of attack. They are ideal targets since these organizations have a high volume of small-dollar transactions and no history.

How to Mitigate

  • Analyze past transactions to predict each card's future fraud likelihood
  • Proactively reissue cards 
  • Create more restrictive rules around the cards
  • Monitor transactions for suspicious testing behavior

Fraudster Testing 

While “Card Dump Testing” ensures the card is valid, “Fraudster Testing” is done in real-time by the individual or end user. This testing is done in the form of e-commerce transactions and the purpose is to confirm the card is both valid and still active. The fraudster will focus on small dollar transactions to avoid detection. If those transactions go through, they will move onto higher dollar transactions.

Steps to Prevent  

  • Identify attack
  • Reissue your riskiest cards
  • Apply more aggressive rules for remaining cards
  • Access our list of high-risk merchants to identify where the fraud is coming from

Large Scale Attack

Time to cash out. Once fraudsters have a list of potentially active cards and all the necessary information, they'll focus on the fastest return. P2P services and cryptocurrencies offer a quick way to collect cash (or cash equivalent). Resellers of gift cards and electronic games have become prime targets, as well. Ultimately, anything that can be sold through a reseller is a target. 

Learn More About BIN Attacks

To learn more about the various types of BIN attacks and how to mitigate the damage for each one, click here.

How Rippleshot Can Help

BIN attacks are a serious threat to your financial institution and its members. Dealing with them internally is costly, time consuming and still lacks the coverage you require to effectively fight off these fraud events.

Rippleshot’s solution identifies the high-risk merchants that cause BIN attacks and stops them before they strike. Our product is powered by fraud prevention experts whose sole job is to provide financial institutions like yours the card fraud protection you deserve.

To download a free sample of this list, please fill out the form at this link. If you are ready to speak to our fraud prevention team and learn about our solutions in-depth, please click this link.

About Rippleshot and Rules Assist

Since 2013, Rippleshot has been leveraging the power of AI, machine learning, and automation to protect your customers from card fraud. 

Rules Assist is the perfect blend of these tools. Together, they help your institution avoid falling behind the competition by providing the automation, machine learning, and data you need to implement effective rule writing strategies.

To learn more about how we can reduce cost, increase efficiency, and keep your fraud strategies up to date, please click the button below.
