What is a BIN Attack or Bin Scamming?
BIN attacks or BIN Scams are the fraudulent manipulation of Bank Identification Numbers (hence the BIN) which are the first four to eight numbers on your credit or debit card, which follow a standard banking format that identifies the issuing bank, allowing hackers to more easily generate new card numbers based on the known BIN sequence.
Many people believe that card numbers are totally random, like a GUID. In fact working out the BIN using the standard banking number format can make it substantially easier to guess the remaining digits of the card number, particularly with eight digit BINS. BIN attacks are also known as BIN scamming.
BIN Attack Basics
BIN attacks or BIN scamming poses a significant threat to e-commerce payment gateways. The fraudsters use the payment gateways to guess the rest of the card details, such as the final numbers, expiration and CVV over and over again, until they hit on the right combination and receive an authentication response from the payment gateway. The BIN attack is actually a specific form of CARDING attack that takes advantage of the standard banking format BINs.
Bots are used to keep generating card numbers until they find one that works, and receive the authentication code. Once the full card number is established, the fraudsters typically make a micro-purchase to test the card. If this is successful, they can then attempt a larger purchase, or resell the card details onto another party. The credit card details can then be matched to the owner of the card, to get a full set of ID details, known as a fullz.
TellTales Signs of a Bin Attack
- Soaring cart abandonment rates
- Massive increase in authorisation errors
- Repeated CVV and Expiry data errors
- Increase in card number errors
- Suspicious new account registrations
- Spikes in payment traffic
- Users going straight to the payment gateway without any browsing for products
Safeguarding Against BIN Attacks
Bots are used heavily for these carding attacks as they do require significant brute force attempts and are simply impossible to achieve manually at the scale required to crack the final card number sequence Protecting your payment gateways from bot traffic is thus absolutely essential.
Consumer Protection From BIN Attacks
For consumers, be very suspicious of micro-transactions. Often people can’t be bothered to look at a transaction for just a few cents, but this is a fatal mistake. It’s hard as these micro-transactions often look like currency adjustments, or are just too small to worry about. However, once the smaller one has verified the card, the fraud inevitably proceeds apace. One good housekeeping way of dealing with this is just to change your credit card on a regular basis. Even if the card is still valid and hasn’t expired, you can simply cancel it and have your bank issue a new one. Although this is really good housekeeping and can’t prevent a BIN attack, the longer the card is in the ‘wild’ the more chance it has of being subject to a BIN attack.
Robust Authentication Protocols
Implementing Multi-Factor Authentication is a cornerstone in fortifying systems against BIN attacks. Most banks allow you to check transactions online and will send an alert for each transaction.