Going Deep On BIN Attacks
BIN attacks are a popular buzzword in the card fraud world. However, there is a growing disconnect over what this term encompasses and how it can impact financial institutions and their cardholders. There are plenty of articles available describing ‘BIN attacks’ and how to defend against them. Unfortunately, those articles tend to be written from the more clinical definition of ‘BIN attack’, which is really an enumeration attack. In practice, industry professionals use the term ‘BIN attack’ to describe a wide variety of attacks.
It’s certainly understandable why ‘BIN attack’ has become this all-encompassing term. If you’re seeing a heavy volume of transactions from a single merchant, it’s accurate to say that your BIN is under attack. After the attack has ended, it is important to define it properly to prevent further exposure. On that note, a better way to categorize BIN attacks is to define them by the attacker’s goal.
In the following sections, we will cover the five most common BIN attacks and provide mitigation strategies for your fraud teams to implement.
Enumeration Attack - The Classic BIN Attack
Fraudsters attempt only a few low-dollar transactions per card, typically one or two, but do so systematically across a large volume of card numbers. The goal is to find open cards which can then be used for fraud or, more likely, sold to a card dump site. The entire objective here is to use brute force to find open cards. Because the card numbers are generated rather than stolen, this type of attack involves a large number of card numbers that do not exist. As a result, the response codes will be heavily populated with ‘invalid card’ responses.
Oftentimes an enumeration attack will use a merchant that has been taken over or breached. This means the fraudsters may not have the ability to complete the transactions and can only send the initial authorizations. The concern isn't fraud loss but rather the attacker’s ability to identify new card numbers to use in later attacks or sell on the black market.
Mitigating this type of attack requires a two-pronged approach. You need to identify the fraud pattern faster in order to block the merchant sooner. You should talk to your processor, or whoever is in charge of your rules engine, to create velocity rules that can identify a high volume of traffic from a single merchant. A follow-up approach is information sharing: gathering the merchants that other institutions have seen attacks from. This approach allows you to block a BIN attack before it even starts at your institution.
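The velocity rule described above can be sketched in a few lines. The following is an added example written for this article, not Rippleshot’s product logic or any processor’s rules engine: it scans a constructed authorization log per merchant with a sliding time window and flags merchants whose traffic combines a high attempt count, a high share of ‘invalid card’ responses and many distinct cards, which is the enumeration signature. The response codes ("00" approved, "14" invalid card number), the window and the thresholds are assumptions to be tuned against your own traffic.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _t(minutes, seconds=0):
    """Timestamp helper for the constructed sample below."""
    return datetime(2024, 3, 1, 10, 0, 0) + timedelta(minutes=minutes, seconds=seconds)


# Constructed sample authorization log (not real data). Each record is
# (timestamp, merchant_id, card_token, amount, response_code). The response
# codes assume a hypothetical scheme: "00" approved, "14" invalid card number.
SAMPLE_AUTHS = (
    # Enumeration pattern: one $1 attempt per card, most card numbers do not exist.
    [(_t(0, 10 * i), "MERCH-ENUM", f"CARD-{i:04d}", 1.00, "14" if i % 8 else "00")
     for i in range(30)]
    # Busy legitimate merchant: many distinct cards, normal amounts, all approved.
    + [(_t(2 * i), "GROCERY-12", f"CUST-{i:04d}", 40.00 + i, "00") for i in range(30)]
    # Quiet merchant with a single mistyped card number, far below any threshold.
    + [(_t(i), "CAFE-7", f"CUST-{100 + i}", 4.50, "14" if i == 1 else "00") for i in range(5)]
)


def find_enumeration_merchants(auths, window=timedelta(minutes=10), min_attempts=20,
                               min_invalid_ratio=0.5, min_distinct_cards=15):
    """Flag merchants whose traffic inside any sliding window looks like enumeration.

    A window qualifies when it holds at least min_attempts authorizations, at least
    min_invalid_ratio of them came back "invalid card", and the attempts are spread
    over at least min_distinct_cards cards (one or two tries per card rather than
    many tries on one card, which would point to CVV2 testing instead).
    """
    by_merchant = defaultdict(list)
    for ts, merchant, card, _amount, code in auths:
        by_merchant[merchant].append((ts, card, code))

    findings = {}
    for merchant, events in by_merchant.items():
        events.sort()
        cards_in_window = Counter()
        invalid = 0
        start = 0
        for end, (ts, card, code) in enumerate(events):
            cards_in_window[card] += 1
            invalid += code == "14"
            # Drop events that fell out of the trailing window.
            while ts - events[start][0] > window:
                _old_ts, old_card, old_code = events[start]
                cards_in_window[old_card] -= 1
                if cards_in_window[old_card] == 0:
                    del cards_in_window[old_card]
                invalid -= old_code == "14"
                start += 1
            attempts = end - start + 1
            ratio = invalid / attempts
            if (attempts >= min_attempts and ratio >= min_invalid_ratio
                    and len(cards_in_window) >= min_distinct_cards):
                findings[merchant] = {
                    "attempts": attempts,
                    "invalid_ratio": round(ratio, 2),
                    "distinct_cards": len(cards_in_window),
                    "first_seen": events[start][0],
                    "flagged_at": ts,
                }
                break  # one finding per merchant is enough to trigger a review or block
    return findings


if __name__ == "__main__":
    for merchant, finding in find_enumeration_merchants(SAMPLE_AUTHS).items():
        print(merchant, finding)
```

The busy grocery merchant is never flagged even though it sees more distinct cards than the attacker, because its approvals keep the invalid ratio near zero; that ratio is what separates an enumeration run from a legitimately busy merchant.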
CVV/CVV2 Testing - The Other Brute Force Attack
This type of testing looks similar to an enumeration attack. However, rather than executing a few transactions on many cards, this attack involves many transactions on a few cards. In this type of attack the fraudsters believe they are testing a valid card number but are missing a piece of information necessary to commit card fraud.
In the case of a CVV2 code, there are 1,000 possible CVV2 values, and a fraudster would have a 50% chance of finding the correct value in just 278 attempts. There’s no discretion with this kind of brute-force attack, and the fraudsters assume their attack will be discovered quickly. Therefore, if they get a successful approval, they will attempt to use that card for fraud quickly.
Luckily, mitigation strategies for these attacks have been known for years. The most common method is monitoring CVV2 declines by card and taking action after a set number. That could be as simple as declining or restricting after ten CVV2 denials in an hour.
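The ‘ten CVV2 denials in an hour’ rule is a per-card rolling-window counter. Below is an added example, not code from Rippleshot or from any card processor, that implements it over a constructed event stream: each card keeps a queue of recent mismatch timestamps, old entries are expired as time moves on, and the card is restricted on the attempt that reaches the limit. The result field ("M" match, "N" no match) and the limit are assumptions; the sample also shows why a rolling window matters, since ten mismatches spread over three hours never trip the rule.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class Cvv2VelocityMonitor:
    """Count CVV2 mismatches per card in a rolling window and restrict the card
    on the attempt that reaches the limit (ten in an hour by default)."""

    def __init__(self, limit=10, window=timedelta(hours=1)):
        self.limit = limit
        self.window = window
        self._mismatches = defaultdict(deque)  # card -> timestamps of recent "N" results
        self.restricted = {}                   # card -> timestamp it was restricted

    def observe(self, ts, card, cvv2_result):
        """Process one authorization; return True if the card is (now) restricted."""
        if card in self.restricted:
            return True
        if cvv2_result != "N":
            return False           # matches and unchecked results do not count
        recent = self._mismatches[card]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()       # forget mismatches older than the window
        if len(recent) >= self.limit:
            self.restricted[card] = ts
            return True
        return False


def _t(minutes):
    return datetime(2024, 3, 1, 9, 0) + timedelta(minutes=minutes)


# Constructed sample (not real data): (timestamp, card_token, cvv2_result) where
# the hypothetical result field is "M" for match and "N" for no match.
SAMPLE_CVV2_EVENTS = (
    # Brute-force pattern: a mismatch every three minutes on one card.
    [(_t(3 * i), "CARD-TEST", "N") for i in range(12)]
    # Ten mismatches spread over three hours: never ten inside one hour.
    + [(_t(20 * i), "CARD-SLOW", "N") for i in range(10)]
    # Ordinary customer who mistypes once, gets it right, mistypes again later.
    + [(_t(0), "CARD-OK", "N"), (_t(5), "CARD-OK", "M"), (_t(90), "CARD-OK", "N")]
)


def run_monitor(events, limit=10, window=timedelta(hours=1)):
    """Replay events in time order and return the cards that ended up restricted."""
    monitor = Cvv2VelocityMonitor(limit, window)
    for ts, card, result in sorted(events):
        monitor.observe(ts, card, result)
    return monitor.restricted


if __name__ == "__main__":
    print(run_monitor(SAMPLE_CVV2_EVENTS))
```

In production the counter state would live in the rules engine or a shared cache rather than in process memory, but the expiry logic is the same.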
Card Dump Testing - Customer Service Sells
Selling card details online is a business, and like any business, it needs to deliver a quality product to survive. However, the sites that sell these cards are just the middleman, buying card info from one group to resell to others. How can they be sure that the cards they purchase are valid and valuable? By testing them!
These tests can differ from site to site, but there are two recurring patterns. One approach involves low-dollar authorizations with no completions. A very common example from a decade ago was transactions under $10 from merchant names that resembled hotels with random states and cities. Since the transactions didn’t complete, they were less likely to be scrutinized, and fraudsters could get away with a hotel in “Honolulu, WY”. Over the years, these tests have become more sophisticated.
The alternative approach is to execute lower-dollar transactions and associate them with legitimate site names. Unfortunately, charity sites are big targets, as small-dollar transactions with no history at that site can be common. During election seasons, political campaign donation sites can be used for the same reasons.
The objective here is to test a sample of the cards the card dump site has without being detected. If their tests are detected and the cards can be shut down before they can be sold, why would the fraudster that bought those cards go back to that site?
Mitigation for this attack should be two-pronged. First, analysis of your card transactions can predict which cards are more likely to experience fraud in the future. If the card in question visited the same merchant as other cards that had fraud on them, your card is more likely to experience fraudulent activity. Proactively reissuing, or adding more restrictive rules around, those cards before they are sold will prevent fraud. As for the testing itself, transaction analysis can help identify the merchants being used, which should then be blocked or monitored more closely.
Pre-testing a Card
We’ve already established that fraudsters purchase lists of compromised cards from a card dump site. However, before they plan and implement their fraud attack, they have to confirm that the cards they purchased are legitimate and will produce valid transactions. In most cases, they will leverage software to automate the entire process. This includes conducting small-dollar transactions, verifying that they worked, and then moving on to the larger-dollar transactions.
With the widespread adoption of EMV, the bulk of pre-testing activity is made up of e-commerce transactions. However, counterfeiting mag stripe cards still occurs, and in that case the purpose of pre-testing a card is to verify that the physical card was set up correctly. That typically involves a small-dollar transaction at a vending machine or other automated terminal before moving on to larger-dollar transactions.
The best way to prevent this attack is to focus on your riskiest cards. Ideally, you would reissue the highest-risk cards and use more aggressive rules for other risky cards. A list of high-risk merchants would also be useful in identifying both the small-dollar tests and the larger fraud transactions that follow them.
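The small-test-then-large-purchase sequence described in this section is something a rule can look for directly. The following is an added example written for this article, not Rippleshot’s or any vendor’s logic: it groups approved authorizations by card, and for each approved small-dollar authorization looks ahead a few hours for a much larger approved purchase at a different merchant. The amount thresholds, the window and the optional high-risk merchant list are assumptions; the merchant names and cards are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hour, minute=0):
    return datetime(2024, 3, 1, hour, minute)


# Constructed sample of authorizations (not real data):
# (timestamp, card_token, merchant_id, amount, approved).
SAMPLE_AUTHS = [
    # Pre-test pattern: $1 at an automated terminal, then a large purchase elsewhere.
    (_t(8, 0), "CARD-X", "VENDING-22", 1.00, True),
    (_t(9, 30), "CARD-X", "GAMES-RESELL", 450.00, True),
    # Small coffee in the morning, groceries ten hours later: outside the window.
    (_t(8, 0), "CARD-Y", "CAFE-7", 2.00, True),
    (_t(18, 0), "CARD-Y", "GROCERY-12", 120.00, True),
    # The small test was declined, so there is no approved test to chain from.
    (_t(8, 0), "CARD-Z", "VENDING-22", 1.00, False),
    (_t(8, 10), "CARD-Z", "GAMES-RESELL", 300.00, True),
    # Same merchant, modest amounts: normal behaviour.
    (_t(12, 0), "CARD-W", "CAFE-7", 3.00, True),
    (_t(13, 0), "CARD-W", "CAFE-7", 50.00, True),
]


def find_pretest_sequences(auths, small_max=5.00, large_min=100.00,
                           window=timedelta(hours=6), ratio=20, high_risk=frozenset()):
    """Return card -> details for cards whose approved small-dollar authorization was
    followed, within `window`, by a much larger approved purchase at a different merchant.

    high_risk is an optional set of merchant ids (the "list of high risk merchants"
    from the text); the result notes whether either leg touched one of them so that
    analysts can prioritise those cards for reissue.
    """
    by_card = defaultdict(list)
    for ts, card, merchant, amount, approved in auths:
        if approved:
            by_card[card].append((ts, merchant, amount))

    hits = {}
    for card, txns in by_card.items():
        txns.sort()
        for i, (ts_small, m_small, amt_small) in enumerate(txns):
            if amt_small > small_max:
                continue
            for ts_big, m_big, amt_big in txns[i + 1:]:
                if ts_big - ts_small > window:
                    break           # later transactions are even further away in time
                if amt_big >= large_min and amt_big >= ratio * amt_small and m_big != m_small:
                    hits[card] = {
                        "test_merchant": m_small, "test_amount": amt_small,
                        "large_merchant": m_big, "large_amount": amt_big,
                        "gap": ts_big - ts_small,
                        "high_risk_merchant_involved": bool({m_small, m_big} & set(high_risk)),
                    }
                    break
            if card in hits:
                break
    return hits


if __name__ == "__main__":
    for card, hit in find_pretest_sequences(SAMPLE_AUTHS, high_risk={"GAMES-RESELL"}).items():
        print(card, hit)
```

Only approved transactions are chained, since a declined test tells the fraudster the card is dead and nothing follows it; the same function can be run over e-commerce and card-present traffic alike, with the terminal type added as a further filter if the card-present case is the concern.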
Large Scale Fraud Event
The previous four BIN attacks have focused on gathering information. At this point, the fraudsters have a list of potentially active cards and all the information they need to use those cards. Now it’s time to cash out. Typically, they’ll focus on what will deliver a speedy return. P2P services and cryptocurrencies offer a way to collect cash (or a cash equivalent). Resellers of gift cards and electronic games have become prime targets as well. Ultimately, anything that can be sold through a reseller is a target, such as in-demand game consoles, newly hyped sneakers, and trendy purchases such as work-from-home equipment at the beginning of the pandemic.
The good news is that mitigating the earlier attacks reduces exposure to this one. This is another use case for analyzing merchants on a large scale. These fraudsters might frequent the same merchants multiple times, which creates an opportunity to detect them. Finding those high-fraud merchants and blocking them can reduce your fraud losses.
Regardless of attack type, the key questions to answer are what is happening, why it is happening, and what can be done to mitigate the damage. As outlined above, understanding the motivation behind a given type of attack can go a long way toward preventing future fraud. It allows you to tailor your rules, your additional testing activity, or your focus on areas where fraud is expected.
While BIN attacks can be concerning and frustrating to financial institutions, gaining a comprehensive understanding of them is a key first step to combating them successfully. Rippleshot is an AI-based fraud solution focused on helping fraud managers win the fight against card fraudsters. To date, they have helped thousands of financial institutions identify and prevent the latest fraud attacks.
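Both the card dump testing section (cards that visited the same merchant as known-fraud cards) and this section (finding high-fraud merchants to block) rest on the same merchant-level analysis, often called common point of purchase. The example below is added for this article and is not Rippleshot’s model: from a constructed list of (card, merchant) visits and a set of cards with confirmed fraud, it computes each merchant’s fraud rate, ignores merchants with too few cards to judge, flags the high-rate merchants, and lists the not-yet-fraudulent cards that visited them so they can be reissued or restricted first. The thresholds and sample data are assumptions.

```python
from collections import defaultdict


def merchant_fraud_rates(visits, fraud_cards, min_cards=5):
    """visits: iterable of (card_token, merchant_id) for a lookback period.
    fraud_cards: set of cards with confirmed fraud in that period.
    Returns merchant_id -> (distinct_cards, fraud_cards, fraud_rate) for merchants
    seen by at least min_cards distinct cards (smaller samples are too noisy)."""
    cards_at = defaultdict(set)
    for card, merchant in visits:
        cards_at[merchant].add(card)
    rates = {}
    for merchant, cards in cards_at.items():
        if len(cards) < min_cards:
            continue
        bad = len(cards & fraud_cards)
        rates[merchant] = (len(cards), bad, bad / len(cards))
    return rates


def high_fraud_merchants(visits, fraud_cards, min_rate=0.5, min_cards=5):
    """Merchants whose visiting cards went on to fraud at a rate of at least min_rate."""
    rates = merchant_fraud_rates(visits, fraud_cards, min_cards)
    return {m: r for m, r in rates.items() if r[2] >= min_rate}


def cards_to_review(visits, fraud_cards, min_rate=0.5, min_cards=5):
    """Cards with no confirmed fraud yet that visited a high-fraud merchant, mapped to
    the riskiest such merchant and its rate, so they can be reissued or restricted."""
    hot = high_fraud_merchants(visits, fraud_cards, min_rate, min_cards)
    exposure = {}
    for card, merchant in visits:
        if card in fraud_cards or merchant not in hot:
            continue
        rate = hot[merchant][2]
        if card not in exposure or rate > exposure[card][1]:
            exposure[card] = (merchant, rate)
    return exposure


# Constructed sample (not real data). Cards C1..C5 had confirmed fraud.
FRAUD_CARDS = {"C1", "C2", "C3", "C4", "C5"}
SAMPLE_VISITS = (
    # Suspected test merchant: five of the eight cards seen here later went to fraud.
    [(f"C{i}", "CHARITY-TEST") for i in range(1, 9)]
    # Large legitimate merchant: one fraud card among thirteen.
    + [(f"C{i}", "GROCERY-12") for i in [1] + list(range(9, 21))]
    # Tiny merchant: both cards fraudulent, but too few to judge.
    + [("C1", "TINY-3"), ("C2", "TINY-3")]
)


if __name__ == "__main__":
    print(high_fraud_merchants(SAMPLE_VISITS, FRAUD_CARDS))
    print(cards_to_review(SAMPLE_VISITS, FRAUD_CARDS))
```

The minimum-card floor is the important caveat: a two-card merchant where both cards went bad has a 100% rate but no statistical weight, and blocking it would punish a merchant on noise. Sharing the flagged merchants with peer institutions is the information-sharing step mentioned under enumeration attacks.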
About Rippleshot and Rules Assist
Since 2013, Rippleshot has been leveraging the power of machine learning and automation to protect your customers from card fraud.
Rules Assist is the perfect blend of these tools. Together, they help your institution avoid falling behind by providing the automation, machine learning, and data you need to implement effective rule-writing strategies.
You have fraud frustrations? We have the solutions. Let's discuss what you are dealing with and we can learn more and share how we can help.