The Quickstart Guide to BIN Attacks
No one could have anticipated the widespread impact of COVID-19 around the world—from the ways we work, learn, socialize, shop, and more. Moving to the front of retail, e-commerce is one of several areas that have significantly changed since the pandemic. Digital Commerce 360 found that consumers spent $861.12 billion online with U.S. retailers in 2020, up 44.0% from $598.02 billion in 2019. Online spending represented 21.3% of total retail sales last year, compared with 15.8% the year prior.
However, with the explosive growth of e-commerce, successful e-commerce fraud attacks are on the rise as well. Digital Commerce 360 reported that e-commerce retailers across business sizes experienced more successful fraud attacks in 2020 than in 2019: small businesses experienced an average of 7 more successful fraud attacks per month; mid/large businesses with digital goods experienced an average of 76 more per month; and mid/large businesses with physical goods experienced an average of 51 more per month. Digital Commerce 360 also reported an overall 3% increase in sophisticated attacks versus basic attacks on ecommerce retailers in 2020 than in 2019.
What are BIN attacks?
A BIN attack is when a fraudster takes the first six numbers of a card, which is the Bank Identification Number or BIN, and then uses software to systematically generate and test the remaining numbers. The fraudster then tests these combinations to see which card numbers they have are correct and active. Fraudsters can even write programs to test multiple cards a second by making small transactions of less than $1 through an online store—making it difficult for both fraud detection systems and consumers to detect. Once fraudsters determine which card numbers are correct and active, they can then make much larger transactions, hurting both merchants and issuers.
Previous industry data estimates that globally 300 banks are targeted every month and with Covid-19, this will only accelerate. “It’s an industry-wide problem,” says one payment processor executive.
Who pays for BIN attacks?
Although consumers and retailers are impacted by BIN attacks, they’re not the ones who are typically left footing the bill. Credit card networks, such as Mastercard and Discover, are clearinghouses for transactions and usually aren’t responsible for unauthorized charges. Most credit card networks have zero-liability policies that guarantee consumers won’t be liable for unauthorized charges. According to the federal Fair Credit Billing Act, if a consumer’s card number is stolen—such as in a BIN attack—the consumer is not responsible for any fraudulent charges.
Credit card networks don’t actually issue credit cards to consumers, instead working with financial institutions like banks or credit unions in order to do so. These are the companies that end up shouldering the majority of the financial burden when it comes to fraudulent charges. All major credit card issuers offer consumers zero liability policies if they dispute the charges within 30 days, with many small credit card issuers beginning to offer zero liability policies as well in order to stay competitive. The issuer then has 30 days to respond to the dispute and 90 days to investigate the complaint, during which they are not allowed to collect payment, charge interest, or report it to the credit bureaus as late.
Although financial institutions typically absorb the cost of fraudulent charges by reimbursing the merchant, the cost to financial institutions doesn’t stop there. Banks have to spend internal resources and time in order to substantiate that fraud has truly occurred. This involves combing through electronic transaction trails for crucial details such as timestamps, geolocation, IP addresses, and more.
How can financial institutions protect themselves against BIN attacks?
There are a few steps that financial institutions can take to protect themselves from BIN attacks:
- Consider putting transaction limits on foreign countries. Many BIN attacks come from transactions testing outside of the U.S. FinCEN publishes advisories on this issue for a list of countries to consider blocking.
- Consider setting up an automated transaction monitoring system to alert the bank quickly that it is under attack. Tell tale signs include repeated low-value transactions of similar value, surge in velocity of those transactions, frequency of those transactions across multiple merchants, high decline rates, and multiple CVV errors.
- Ask your vendor what tools and strategies they have to detect and prevent BIN attacks at the switch. Vendors can include a vast array of variables to address this problem including fraud score, compromise card detection, merchant type, Merchant Category Code (MCC), geography, zip codes, device ID, and many others.
- Update your risk controls and configurations by adjusting transactions limits and when they are triggered, reviewing fraud tools that you have implemented that could mitigate BIN attacks or ones that can be purchased, adding alerts that can indicate that an attack is in process, and adding processes to mitigate the aftermath of an attack.
As the number of fraudulent attacks and their level of sophistication continue to rise, it’s crucial for financial institutions to get ahead of them. Rippleshot uses machine learning and automation to detect high risk merchants and fraudulent transactions to help financial institutions protect themselves and proactively stop card fraud.
Contact us today to learn more and schedule a product tour.