Can BIN Attacks be Consigned to the Trash?

by November 13, 2020

Recently, Mastercard noted a “sharp increase” in Bank Identification Number (BIN) attacks, and they’re not alone. Previously published data indicates that as many as 300 card issuers around the globe are impacted by automated fraud attacks every month, and with the advent of Covid-19 there has been a significant resurgence in activity, specifically targeting issuers in Asia Pacific.

Last year KB Card, one of the largest credit card companies in South Korea, was targeted with a BIN attack that saw more than 2,000 fraudulent online transactions. These attacks will continue until action is taken, but are we doing enough to mitigate the threat, or have we consigned BIN attacks to the trash?

What are BIN Attacks?

BIN attacks are a type of automated card fraud attack that can adversely affect card holders, card issuers, merchants and acquirers. Using the first six numbers of a valid debit or credit card (the BIN), fraudsters can then generate multiple card numbers and automate scripted, low value purchases at online merchants.

Further, these attacks can be launched simultaneously and include hundreds or even thousands of generated card numbers from the same BIN range (card numbers with the same first 6 numbers and different combinations of the subsequent numbers).

Card issuers are the primary target; however, merchants and/or card acquirers should also be on high alert, as any fraud losses can potentially be ‘charged-back’ by the card issuer, depending on the transaction type and circumstances. Finally, BIN attacks are automated and require low effort and overhead from the fraudster, with even a single success providing a worthwhile payoff.

What are the Signs and What’s at Stake?

Usually, an attack consists of fraudsters testing and probing the defences of card issuers to find gaps in their authorisation response strategies. Well-prepared card issuers will recognise irregular authorisation requests with partial or missing data – often with unusual combinations of transaction types and merchant terminal settings – and decline these.
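As an added illustration (not Featurespace code), the sketch below shows one simple issuer-side check for the pattern described above: many distinct cards from one BIN, seen within a short window, on low-value e-commerce requests or requests with missing data. The record fields, thresholds, BINs and card tokens are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # assumed look-back window
MAX_DISTINCT_CARDS = 5             # assumed limit of distinct cards per BIN
LOW_VALUE = 5.00                   # assumed ceiling for a "low value" purchase

def is_suspect(auth):
    """Low-value e-commerce request, or one with partial/missing data."""
    missing = auth["cvv_present"] is False or auth["expiry"] is None
    return auth["channel"] == "ecom" and (auth["amount"] <= LOW_VALUE or missing)

def detect_bin_bursts(auths):
    """Return {bin: first alert time} for BINs whose suspect requests span
    more than MAX_DISTINCT_CARDS distinct cards inside WINDOW."""
    recent = defaultdict(deque)    # bin -> deque of (timestamp, card_token)
    alerts = {}
    for auth in sorted(auths, key=lambda a: a["ts"]):
        if not is_suspect(auth):
            continue
        q = recent[auth["bin"]]
        q.append((auth["ts"], auth["card_token"]))
        while q and auth["ts"] - q[0][0] > WINDOW:   # evict stale entries
            q.popleft()
        distinct = {token for _, token in q}
        if len(distinct) > MAX_DISTINCT_CARDS and auth["bin"] not in alerts:
            alerts[auth["bin"]] = auth["ts"]
    return alerts

def constructed_sample():
    """Constructed authorisation records; BINs and tokens are placeholders."""
    t0 = datetime(2020, 11, 13, 9, 0, 0)
    auths = []
    # Burst: 8 distinct cards on one BIN, 10 seconds apart, low value, no CVV.
    for i in range(8):
        auths.append({"ts": t0 + timedelta(seconds=10 * i), "bin": "000001",
                      "card_token": f"tok-a{i}", "amount": 1.00,
                      "channel": "ecom", "cvv_present": False, "expiry": None})
    # Ordinary traffic: low-value purchases on another BIN, one per hour.
    for i in range(8):
        auths.append({"ts": t0 + timedelta(hours=i), "bin": "000002",
                      "card_token": f"tok-b{i}", "amount": 3.00,
                      "channel": "ecom", "cvv_present": True, "expiry": "12/23"})
    return auths

if __name__ == "__main__":
    for bin_, ts in detect_bin_bursts(constructed_sample()).items():
        print(f"BIN {bin_}: burst of distinct cards detected at {ts}")
```

The second BIN in the sample carries the same number of low-value requests but spread over hours, so it stays below the threshold; the signal is the concentration of distinct cards per BIN in time, not low value alone.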

The growth in BIN attacks in certain regions is in tandem with the rapid growth and adoption of card-based e-commerce. Fast growing issuers are prime targets, as are Payment Service Providers (PSPs) who are flocking to the booming market. As they grow, they become more intertwined with merchants, increasingly exposing their business to larger scale fraud attacks. We’re also seeing BIN attacks coupled with other cybercrime activity, whereby a denial of service or other assault overwhelms a system, deflecting attention from the fraud. These attacks have long-lasting effects on card issuers, including:

  • Financial: Quickly scaled attacks lead to mounting fraud losses. Sometimes the immediate loss is overlooked or not considered a priority, as in many cases the transactions are charged-back to the merchant or acquirer, redirecting the impact.
  • Operational: Thousands of customers can be impacted by unauthorised or blocked transactions, resulting in many resources dedicated to contacting the customer to resolve the issue. This can overwhelm operations teams and lead to long wait times and confusion.
  • Regulatory Censure: In the UK, Tesco Bank fell victim to a high profile attack in which the bank lost £2.3 million to fraud; it was also fined £16 million by the UK financial regulator as it “failed to exercise due skill, care and diligence” in protecting its customers from financial crime. Punitive fines add insult to injury and can serve as a critical strike following an attack.
  • Reputational: Panic, confusion and the major customer impact can generate a flurry of social media activity, which can be quickly picked up by the media and compounded by regulatory censure. In their Q2 2020 Fraud and Abuse report, Arkose Labs reported a 20% spike in cyberattacks. Confidence in security is more important than ever.

The digital economy is accelerating. In the Covid-19 era card-present transactions have fallen drastically, and card-not-present transaction volumes keep rising. Among the Asian markets, India is already forecasting a 57% year-over-year growth in e-commerce and that growth, paired with the increasing number of sophisticated criminals, means it is more important than ever to secure against BIN Attacks.

Featured image credit: Freepik