What is a BIN attack?

To protect your business and customers, it’s essential to understand how BIN attacks work and how to detect them. By understanding the intricacies of BIN attacks and implementing proactive measures, you can not only fortify your company’s defenses but also safeguard sensitive data and maintain the trust of your customers.

On this page, we’ll explain everything you need to know about BIN attacks, shedding light on their nature, the techniques employed by fraudsters, and, most importantly, how you can protect your business from falling victim.

What does BIN mean?

A Bank Identification Number (BIN) is the initial set of 6/8 digits at the beginning of the lengthy number series displayed on the front side of a payment card. These digits are also known as the issuer identification numbers. The purpose of the BIN is to identify the entity that issued the card and ensure that the payment processing system can accurately direct the payment for verification, reconciliation, and finalization.

BINs facilitate seamless reimbursements and reverse charges, but they also play a crucial role in countering types of online payment fraud by verifying the location of the cardholder and matching it with the individual attempting the payment, all the while maintaining the security of data.

What is a BIN attack?

In a BIN attack, bad actors employ brute-force computing techniques to systematically guess a valid combination of credit card number, expiration date, and card verification value (CVV).

While an individual might attempt to guess these details one at a time, a software program can rapidly test thousands of combinations within seconds. Then, once the software discovers a working combination, it can explore other similar variations and leverage them for online purchases, assuming that other cards share the same initial six digits.

The subsequent phase of a BIN attack is known as card testing or “carding”. During card testing, the attacker initiates small transactions to determine if the card is active and whether it has adequate protection against types of online payment fraud.

Many of these attempted purchases are detected and prevented without the cardholders being aware of any suspicious activity on their accounts. However, some of these minor charges may go through. When the scammer identifies a vulnerable card, they can exploit it for further fraudulent transactions or sell the compromised account numbers on the dark web.

How does a BIN attack work?

There are three phases to a successful BIN attack:

• Collecting - the first thing a fraudster needs to do is generate potential card details. They do this by taking the publicly available BIN of a particular bank, setting it in place, and then using bots to cycle through random numbers in an attempt to guess a valid combination of credit card details. By using automated number generators, this guessing can be conducted quickly and at scale, which significantly improves their chances of success
• Validation - once they’ve obtained these card details, they try to validate them by attempting to make small purchases with merchants. It's crucial that the transactions are small enough to be processed without being identified as fraud
• Testing - they repeat this process with all the potential cards, storing any ‘cracked’ cards in a database to be used for larger purchases or sold on the black market

Different types of BIN attacks

Below, we explain in more detail the key elements of a BIN attack. 

• Targeting a BIN - by targeting the BIN of a specific financial institution, the fraudster knows that they have at least six to eight digits of a valid card number
• Generate random card numbers - however, these numbers represent only a small part of the full 16-digit number, meaning they need to use auto-dialers or automated number generation software to guess literally thousands of potential card detail combinations for the targeted BIN
• Testing - these credentials then need to be verified, which the fraudsters do by using them to make loads of low-value transactions. Again, they can use automated software to attempt these transactions at scale
• Card details storage - if a transaction goes through, the criminals know that those credentials can be used to make larger fraudulent purchases, at least until the card is canceled or has its authentication details changed

Differences between BIN attacks and card testing fraud

Technically, a BIN attack involves an element of card testing, as described above, but there are differences between BIN attacks and card testing fraud. 

While BIN attacks specifically target the BIN of a known financial institution in order to guess valid card details, card testing fraudsters use card details that they’ve already established are active, which they could either have bought or generated as part of a BIN attack. 

Impacts of BIN attacks for merchants

BIN attacks can have several extremely damaging effects for merchants, including: 

• Reputational damage - a BIN attack can damage your reputation with financial institutions and your customers. Your payment partners will see you as a merchant that’s risky to do business with and could even terminate their relationship with you, leaving you unable to process payments. A cardholder could hold you responsible for failing to prevent their card being defrauded, avoid shopping on your site, and even tell others about their poor experience 
• Chargebacks - if a customer spots a fraudulent transaction on their statement, they’ll initiate a chargeback, which can be costly and time-consuming for you to settle 
• Fines - if you fail to prevent a BIN attack, you could be fined by industry regulators and even lose your license to operate

How to detect a BIN attack

There are a number of ways you can detect BIN attacks or carding attacks:

• Unusual patterns in small transactions – Repeated instances of minor transactions originating from the same IP address raise suspicion of fraudulent activity.
• Abnormal authorization errors – These errors often result from persistent attempts by fraudsters to gain unauthorized access to sensitive information.
• Rapid transaction rate – Once a credit card has been compromised, automated software and malicious bots may engage in a flurry of purchases within a brief timeframe.
• Unusual timing of purchases – If you see purchases happening outside of normal business hours, considering the nature of your business and time zone, it could suggest that cybercriminals are using your business to test stolen credit cards.
• CVV validation errors – During card testing, fraudsters may come across errors while testing the Card Verification Value (CVV) associated with the stolen credit card.

How merchants can prevent a BIN attack

To help prevent a BIN attack against your business, these are some of the best measures you can take:

• User identification - conducting proper identification checks on your customer should be your first line of defense against BIN attacks. It’s also a legal obligation - merchants must carry out Know Your Customer (KYC) verification in order to comply with Anti Money Laundering regulations. KYC checks verify that customers are genuine through a combination of documents collection, due diligence, and ongoing monitoring, which helps to prevent fraud
• Transaction Monitoring and alerting - transaction monitoring should be an integral and ongoing part of your BIN attack prevention strategy. Specifically, you should be looking for a high frequency of low value transactions, as well as recurring use of the same expiry dates and CVV numbers, all of which could be signs of card testing
• Use Fraud Detection Software – Employing fraud detection software enables you to easily identify suspicious transactions and patterns, alerting you to potential BIN attacks before significant harm occurs.
• Deploy a Bot-Management Solution – Using a bot-management solution can safeguard your business from cyberattacks while simultaneously boosting conversion rates, and filtering bot visits from your site.
• Implement Multi-Factor Authentication (MFA) and 2FA – This adds an additional layer of authentication, making it more challenging for cybercriminals to execute BIN attacks.
• Limit multiple checkout attempts with the same email address - legitimate customers rarely have to keep reattempting their purchase, so setting a maximum number of checkout attempts can be a simple and effective way to stop fraudsters
• Employ Address Verification – To confirm the authenticity of the cardholder, you can compare the billing address provided with the one on file with the credit card issuer, making it easier to mitigate the risk of fraudulent transactions.
• Educate Employees – Train your employees to recognize and report suspicious activities promptly, providing clear instructions on transaction handling procedures to minimize the risk of fraud.
• Set Business Card Limits – Set out restrictions on card usage, such as transaction amount limits, to reduce the impact of potential fraudulent activities.
• User Blocking – Consider automatically blocking users after a certain number of declined attempts, preventing repeated unauthorized access attempts.
• Implement CAPTCHA for Online Transactions – Integrate a CAPTCHA solution to verify the authenticity of users during online transactions, deterring automated attacks.

How Checkout.com can help you avoid fraud

Checkout.com's Fraud Detection tool is a valuable resource that can significantly help your business in preventing fraud in many ways.

How does it all work? The Fraud Detection Tool uses advanced machine learning algorithms to analyze vast amounts of data and identify patterns indicative of fraudulent activity, allowing it to adapt and improve its detection capabilities over time.

Seamlessly integrating with the Checkout.com payment platform, ensures a streamlined workflow, minimizing the need for manual intervention and saving time and resources. By leveraging Checkout.com's Fraud Detection Tool, your business can enhance its fraud prevention capabilities, mitigate financial losses, protect customer data, and maintain a secure payment ecosystem. Talk to our sales team for more information.