BIN Attacks And What You Need To Know

Written By: Greg Lenihan, Product Specialist

Did you know there are various types of BIN Attacks?

Recently our Product Specialist, Greg Lenihan, shared his thoughts in an article titled, “Is Your Financial Institution Protected from a BIN Attack?” As a follow-up to our original post, Greg takes a deeper look into two key areas: the various types and best practices for protecting your financial institution.

Card-Not-Present Fraud

There’s a significant rise in card-not-present (CNP) fraud, which currently comprises over 80% of incidents across debit and credit cards. One of the main culprits of these fraud events is a BIN attack. The term ‘BIN attack’ has become an umbrella term for various types of CNP fraud. If you’re seeing a heavy transaction volume from one client, it’s safe to say your BIN is under attack.

Now What?   

  • Uncover the fraudster’s goals 
  • Define the attack
  • Prevent further exposure

Enumeration Attack

Fraudsters test merchants by attempting a few low-dollar transactions per card. If approved they attempt additional transactions across many cards. The goal is to find open cards that can be sold to a card dump site using brute force. This type of attack will involve many card numbers that don't exist. As a result, the response codes will be heavily populated with 'invalid card' responses. 

Frequently an enumeration attack uses a merchant that’s been taken over (or breached). This means the fraudsters may not be able to complete the transactions and can only send the initial authorizations. The concern isn't fraud loss, but instead, the ability to identify new card numbers to use in later attacks or sell on the black market.

How to Handle

  • Identify fraud pattern for immediate merchant blocking
  • Contact your processor to create velocity rules
  • Review data from other financial institution fraud attacks

CVV/CVV2 Testing 

This type of fraud testing appears similar to an enumeration attack, except it’s the opposite approach. Instead of executing a “few transactions on many cards,” this attack involves “many transactions on a few cards.” With this approach, the fraudsters suspect they are testing a valid card number but then realize they are missing information necessary to complete the fraudulent transaction.

For example, a CVV2 code has more than 1,000 possible values. A fraudster would have a 50% chance of finding the correct value with 278 attempts. There’s zero discretion with this type of brute force attack and the fraudster assumes they will be quickly exposed. Therefore, if they receive successful approval, they will use the card immediately. 

What Should You Do?

  • Monitor CVV2 declines by card
  • Take action after pre-set amount
  • Decline or restrict transactions on a high-volume card 
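The two patterns above, "few transactions on many cards" with mostly 'invalid card' responses and "many transactions on a few cards" with repeated CVV2 declines, can be separated with simple velocity counts. The following is an added example, not Rippleshot's code; the response labels, thresholds, merchant IDs and card tokens are all constructed assumptions to be mapped to your processor's actual response codes.

```python
from collections import defaultdict

def build_sample():
    """Constructed authorization log rows: (merchant_id, card_token, response)."""
    rows = [("M-ENUM", f"card-{i:03d}", "invalid_card" if i < 8 else "approved")
            for i in range(10)]                       # few auths on many cards
    rows += [("M-CVV", "card-900", "cvv2_mismatch")] * 12   # many auths on one card
    rows.append(("M-CVV", "card-900", "approved"))    # a guess finally matched
    rows += [("M-SHOP", f"card-5{i:02d}", "approved") for i in range(6)]
    rows.append(("M-SHOP", "card-500", "cvv2_mismatch"))    # one honest typo
    return rows

def detect(rows, min_cards=5, invalid_ratio=0.5, max_auths_per_card=3,
           cvv_decline_limit=5):
    """Return merchants that look like enumeration sources and cards under CVV2 testing.

    Thresholds and response labels are illustrative assumptions; map the labels
    to your processor's response codes and tune limits to your own portfolio.
    """
    by_merchant = defaultdict(list)
    cvv_declines = defaultdict(int)
    approved_after_testing = set()
    for merchant, card, response in rows:             # rows are in time order
        by_merchant[merchant].append((card, response))
        if response == "cvv2_mismatch":
            cvv_declines[card] += 1
        elif response == "approved" and cvv_declines[card] >= cvv_decline_limit:
            approved_after_testing.add(card)          # restrict or reissue first

    enumeration = []
    for merchant, auths in by_merchant.items():
        cards = {card for card, _ in auths}
        invalid = sum(1 for _, resp in auths if resp == "invalid_card")
        if (len(cards) >= min_cards
                and invalid / len(auths) >= invalid_ratio
                and len(auths) / len(cards) <= max_auths_per_card):
            enumeration.append(merchant)              # candidate for merchant block

    return {
        "enumeration_merchants": sorted(enumeration),
        "cvv_testing_cards": sorted(c for c, n in cvv_declines.items()
                                    if n >= cvv_decline_limit),
        "approved_after_testing": sorted(approved_after_testing),
    }

if __name__ == "__main__":
    print(detect(build_sample()))
```

The `approved_after_testing` list matters most operationally: an approval that follows a run of CVV2 declines on the same card is the point at which the card should already be restricted.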

Card Dump Testing 

There’s an entire industry that fraudsters have built to steal, test, and sell credit card information. Card dump testing is the only way to ensure that fraudsters are purchasing valid cards.

These tests can differ from site to site, but there are two types we see most often. The first type involves low-dollar authorizations with zero completions. The second type is to attempt lower dollar transactions and associate them with legitimate site names. Unfortunately, charity and political campaign sites often fall victim to this type of attack. They are ideal targets since these organizations have a high volume of small dollar transactions and no history.

How to Mitigate

  • Analyze past transactions to predict each card’s future fraud likelihood
  • Proactively reissue cards 
  • Create more restrictive rules around the cards
  • Monitor transactions for suspicious testing behavior

Fraudster Testing 

While “Card Dump Testing” ensures the card is valid, “Fraudster Testing” is done in real-time by the individual or end user. This testing is done in the form of e-commerce transactions and the purpose is to confirm the card is both valid and still active. The fraudster will focus on small dollar transactions to avoid detection. If those transactions go through, they will move on to higher dollar transactions.

Steps to Prevent  

  • Identify attack
  • Reissue your riskiest cards
  • Apply more aggressive rules for remaining cards
  • Access our list of high-risk merchants to identify where the fraud is coming from

Large Scale Attack

Time to cash out. Once fraudsters have a list of potentially active cards and all the necessary information, they'll focus on the fastest return. P2P services and cryptocurrencies offer a quick way to collect cash (or cash equivalent). Resellers of gift cards and electronic games have become prime targets, as well. Ultimately, anything that can be sold through a reseller is a target. 

How Rippleshot Can Help

The good news is that mitigating the earlier attacks we’ve already reviewed reduces exposure to large scale attacks. Fraudsters might frequent the same merchants multiple times which creates an opportunity to be detected. 

When partnering with Rippleshot, our fraud experts are analyzing 50 million credit card transactions daily from our consortium of more than 5,000 financial institutions to create our high-risk merchant report. Click here to receive a complimentary sample at this link, or let’s connect! Our team would love to learn more about your fraud challenges. To book a discovery call, click this link.

About Rippleshot and Rules Assist

Since 2013, Rippleshot has been leveraging the power of AI, machine learning, and automation to protect your customers from card fraud. 

Rules Assist is the perfect blend of these tools. Together, they help your institution avoid falling behind the competition by providing the automation, machine learning, and data you need to implement effective rule writing strategies.

To learn more about how we can reduce cost, increase efficiency, and keep your fraud strategies up to date, please click the button below.

About The Author

Greg Lenihan is the Product Specialist at Rippleshot. His responsibilities include overseeing the development of our Rules Assist product, meeting with prospective clients, and providing support for existing customers. He routinely analyzes fraud data and provides recommendations for proactive rule-writing strategies. He resides in Oregon, where he lives with his wife and three children. He enjoys volunteering as a scoutmaster and watching baseball.
