BIN attacks are one of the most common card attacks hurting financial institutions today—and are expected to only continue to get worse. The FTC recently reported that credit card fraud shot up by 107% from Q1 20219 to Q4 2020. In contrast, the number of card fraud reports between Q1 2017 and Q1 2019 grew only by 27%. 

But what exactly is a BIN? BIN stands for Bank Identification Number, which is a set of numbers, usually six, that identifies the institution that issued the card. When a  card is swiped, the card machine scans the BIN, identifies the associated account, and then puts in a request to withdraw funds from the account in order to complete the transaction. 

Now, a BIN attack is when a fraudster takes the first six numbers of a card, the Bank Identification Number or BIN, and uses software to systematically generate and test the remaining numbers. By testing different combinations, oftentimes even writing programs to test multiple cards a second by making small transactions of less than $1 through an online store, attackers are able to determine which card numbers are correct and active. At this point, these fraudsters are able to make much larger transactions with the verified card numbers, hurting financial institutions, merchants, and issuers. 

So with this ever-increasing sophistication of fraudsters, how can financial institutions truly protect themselves against BIN attacks? In this blog post, we’ll share exactly how financial institutions can accomplish this. 

How do BIN attacks harm financial institutions?

Financial institutions must absorb the cost of fraudulent charges from BIN attacks —both financially and in terms of operating and business costs. Financial institutions suffer fraud losses from compromised cards harvested during BIN attacks as well as the costs of chargebacks, call centers, and re-issuance. Furthermore, fraud damages a financial institution’s reputation, causes cardholder disruption and inconvenience, and losses in interchange revenues.  

The additional cost and resources needed to track and deal with BIN attacks and their aftermath including searching through electronic transaction trails for crucial details such as timestamps, geolocation, IP addresses, in order to take preventative and corrective measures are more than what most financial institutions can afford.  . 

How can financial institutions protect themselves against BIN attacks?

Oftentimes, financial institutions know that they are under attack from fraudsters but don’t actually know how to stop it. And even after facing an attack, these companies don’t know how many of their cards are compromised. Although some financial institutions try and turn to outside solutions to protect themselves, many of these solutions are manual or purely consultative—leaving few options for banks and credit unions. 

So what are the efficient ways to put an end to BIN attacks? First comes prevention:

• Ask your vendor what tools and strategies do they have to detect and prevent BIN attacks at the switch.  Vendors can include a vast array of variables to address this problem including fraud score, compromise card detection, merchant type, MCC code, geography, zip codes, device id, and many others.
• Consider putting transaction limits on foreign countries. Many BIN attacks come from tested transactions outside of the United States. FinCEN publishes advisories on this issue for a list of countries to consider blocking.
• Consider implementing a rule to block transactions  at fraudulent merchants involved in BIN attacks to prevent card testing.  You can identify fraudulent merchants by analyzing and seeing patterns in your transaction data or get a list from vendors like Rippleshot.
• For legitimate merchants, set up a rule to monitor transaction velocity per hour and block transactions if the threshold is reached so that the situation can be investigated and addressed.   

Although these preventative measures aren’t real-time, they can stop automated BIN attacks in their tracks, letting fraudsters move onto easier targets. Fraud from BIN attacks and compromised cards can take a week or longer to monetize, giving the financial institution time to act and stop the damage. The next step to ending BIN attacks is automated monitoring and surveillance:

• Consider setting up an automated transaction monitoring system of BINs and transactions. Warning signs include repeated low-value transactions of similar value, surge in velocity of those transactions, frequency of those transactions across multiple merchants, high decline rates, and multiple CVV errors. By staying on top of any red flags, financial institutions can identify which of their cards have been compromised. 
• Consider setting up an automated network surveillance to identify which merchants, both legitimate and fraudulent, are used for BIN attacks. If you discover any more fraudulent merchants during this process, you should block them to prevent any further BIN attacks from them. 

Although mitigation doesn’t protect financial institutions from preventing BIN attacks from occurring, it is a crucial component of protection from all of the operating costs associated with a BIN attack. By having an automated system to quickly identify which cards have been compromised, financial institutions can react quickly and minimize as much disruption and loss as possible. 

About Rippleshot

Rippleshot uses machine learning and automation to detect high risk merchants and fraudulent transactions to help financial institutions protect themselves and proactively stop card fraud. Contact us today to learn more and schedule a product tour.