What is a BIN Attack in Cybersecurity?

BIN Attacks Definition and how to Protect Payment Gateways from BIN Attacks and BIN Scamming

What is a BIN Attack or Bin Scamming?

BIN attacks, or BIN scams, are the fraudulent manipulation of Bank Identification Numbers (hence "BIN"), the first four to eight digits of a credit or debit card number. These digits follow a standard banking format that identifies the issuing bank, so a fraudster who knows a valid BIN can generate candidate card numbers far more easily than by guessing the whole number.

Many people believe that card numbers are totally random, like a GUID. In fact, knowing the BIN and the standard banking number format can make it substantially easier to guess the remaining digits of the card number, particularly with eight-digit BINs. BIN attacks are also known as BIN scamming.

Credit or Debit Card Number BIN Breakdown

BIN Attack Basics

BIN attacks, or BIN scamming, pose a significant threat to e-commerce payment gateways. Fraudsters use the payment gateway itself to guess the rest of the card details, such as the remaining digits, expiry date and CVV, over and over again until they hit the right combination and receive an authentication response from the gateway. A BIN attack is actually a specific form of carding attack that takes advantage of the standard banking format of BINs.

Bots are used to keep generating card numbers until one works and the authentication code is received. Once the full card number is established, the fraudsters typically make a micro-purchase to test the card. If this succeeds, they can attempt a larger purchase or resell the card details to another party. The card details can then be matched to the cardholder to build a full set of identity details, known as a "fullz".

Telltale Signs of a BIN Attack

  • Soaring cart abandonment rates
  • Massive increase in authorisation errors
  • Repeated CVV and Expiry data errors
  • Increase in card number errors
  • Suspicious new account registrations
  • Spikes in payment traffic
  • Users going straight to the payment gateway without any browsing for products
  • Micro-purchases
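
As an added example (not code from the original article), here is a small Python detector that applies several of these signs to constructed authorisation log entries: many distinct card numbers under one BIN, a low approval rate dominated by CVV and expiry errors, a burst of attempts per minute, and micro amounts. The log fields, result codes and thresholds are assumptions; tune them to your own gateway's logs.

```python
from collections import defaultdict

# Constructed sample authorisation attempts (hypothetical data, PANs masked).
# Each tuple: (minute, client_ip, masked_pan, amount, gateway_result)
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7", "45321234****0001", 0.50, "DECLINED_CVV"),
    (0, "198.51.100.7", "45321234****0002", 0.50, "DECLINED_CVV"),
    (1, "198.51.100.7", "45321234****0003", 0.50, "DECLINED_EXPIRY"),
    (1, "198.51.100.7", "45321234****0004", 0.50, "DECLINED_CVV"),
    (2, "198.51.100.7", "45321234****0005", 0.50, "DECLINED_CVV"),
    (2, "198.51.100.7", "45321234****0006", 0.50, "APPROVED"),
    (3, "203.0.113.20", "51100099****7777", 49.99, "APPROVED"),
    (5, "203.0.113.21", "51100099****8888", 12.00, "DECLINED_FUNDS"),
]

# Result codes (assumed names) that indicate the attacker is guessing card details.
GUESS_ERRORS = {"DECLINED_CVV", "DECLINED_EXPIRY", "DECLINED_INVALID_CARD"}

def bin_of(masked_pan, bin_length=8):
    """Return the BIN (leading digits) of a masked PAN; eight-digit BINs assumed."""
    return masked_pan[:bin_length]

def score_bins(attempts, min_attempts=5, max_approval_rate=0.3, micro_amount=1.00):
    """Group attempts by BIN and flag BINs whose traffic looks like card-number guessing:
    many distinct PANs, a low approval rate, CVV/expiry errors and micro amounts."""
    by_bin = defaultdict(list)
    for minute, ip, pan, amount, result in attempts:
        by_bin[bin_of(pan)].append((minute, ip, pan, amount, result))
    flagged = {}
    for bin_, rows in by_bin.items():
        if len(rows) < min_attempts:
            continue  # too little traffic under this BIN to judge
        distinct_pans = len({pan for _, _, pan, _, _ in rows})
        approvals = sum(r == "APPROVED" for *_, r in rows)
        approval_rate = approvals / len(rows)
        minutes = [m for m, *_ in rows]
        span = max(minutes) - min(minutes) + 1  # minutes covered by the burst
        if distinct_pans >= min_attempts and approval_rate <= max_approval_rate:
            flagged[bin_] = {
                "attempts": len(rows),
                "distinct_pans": distinct_pans,
                "approval_rate": round(approval_rate, 2),
                "attempts_per_minute": round(len(rows) / span, 2),
                "guess_errors": sum(r in GUESS_ERRORS for *_, r in rows),
                "micro_amount_attempts": sum(a <= micro_amount for *_, a, _ in rows),
                "source_ips": sorted({ip for _, ip, *_ in rows}),
            }
    return flagged
```

A flagged BIN with a single source IP is a natural input for rate limiting or bot challenges at the gateway.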

Safeguarding Against BIN Attacks

Bots are used heavily for these carding attacks because they require a very large number of brute-force attempts, which are simply impossible to carry out manually at the scale needed to crack the final card number sequence. Protecting your payment gateways from bot traffic is therefore absolutely essential.

Consumer Protection From BIN Attacks

For consumers, be very suspicious of micro-transactions. People often can’t be bothered to look at a transaction for just a few cents, but this is a serious mistake. It is hard, because these micro-transactions often look like currency adjustments or are simply too small to worry about. However, once the small transaction has verified the card, the fraud inevitably proceeds apace. One good housekeeping measure is to change your credit card on a regular basis: even if the card is still valid and hasn’t expired, you can cancel it and have your bank issue a new one. This is good housekeeping rather than a way to prevent a BIN attack, but the longer a card is in the ‘wild’, the more chance it has of being subjected to one.

Robust Authentication Protocols

Implementing multi-factor authentication is a cornerstone of fortifying systems against BIN attacks. Most banks also let you check transactions online and will send an alert for each transaction.

Frequently Asked Questions

How does a BIN Attack Occur?

In a BIN attack, hackers exploit the predictable structure of the Bank Identification Number (BIN) to make it easier to crack the rest of the credit or debit card number.

What Makes E-commerce Platforms Vulnerable?

E-commerce platforms use payment gateways which are subject to BIN attacks from bot traffic.

What Steps Should Be Taken After a BIN Attack?

In the unfortunate event of a BIN attack, swift action is crucial: isolate the affected systems, conduct a thorough security audit, and strengthen preventive measures to block all bot traffic.