BIN Attack: What Is It and How to Protect Your Business?

February 9, 2023

Introduction

To protect their customers, merchants need to implement robust fraud prevention policies, invest in fraud detection tools, and learn about different types of payment fraud.

A particularly dangerous type of fraud is the BIN attack. It involves the use of bank identification numbers (BIN) and computer-generated number sequences to discover valid payment card numbers.

Find out how BIN attacks work and take the necessary steps to secure your business.

BIN attack attempt where attackers try to guess the customer's credit card number.

What Is a BIN Attack?

A Bank Identification Number (BIN) is the first 4 to 8 digits of a payment card number. It identifies the card issuer (the bank or other financial institution), the card network, and the type of card being used (credit or debit).

BINs are publicly available and are easily obtained. During a BIN attack, an attacker takes the BIN of an issuer and uses computer software to generate the remaining digits of the cardholder’s card number.

BIN location on a credit card example.

Once the attacker generates thousands of card numbers, they test them on actual online stores to determine which card numbers correspond to existing, valid cards.

How Does a BIN Attack Work?

A BIN attack does not target a specific cardholder but tries to identify as many valid card numbers issued by the same issuer as possible.

A BIN attack typically follows these steps:

  1. The fraudster targets a specific card issuer and obtains their 4 to 8-digit BIN.
  2. They utilize special software to generate a vast array of potentially valid card numbers.
  3. Fraudsters then test the generated numbers by attempting small transactions at legitimate businesses to determine if a credit card number is valid. Sometimes attackers use merchant accounts they create specifically for this purpose.
  4. They use the card numbers identified as genuine to make high-value unauthorized purchases.

Note: It is not uncommon for card numbers attained from BIN attacks to be sold on the dark web and used in other types of payment fraud such as phishing, identity theft, and account takeover.



Who Are the Targets of BIN Attacks?

A BIN attack targets the cardholder’s card number. The attacker makes countless attempts with different card number sequences until they succeed in initiating a transaction.

This type of attack targets participants in the payment process, including:

  • Card Issuers - The attacker identifies a specific BIN and tries to discover as many card numbers as possible issued by a particular bank, financial institution, airline, gas company, etc.
  • Merchants - Attackers often target smaller merchants who may not have sophisticated fraud detection systems and procedures in place.
  • Payment Processors - Payment Service Providers (PSPs) have advanced fraud detection systems, but they process a large volume of transactions. Attackers try to mask the origin of the transaction and limit the number of attempts to stay undetected for as long as possible.
  • Customers - Once a valid card number is identified, customers will discover that their card was used for unauthorized transactions.

Note: Learn everything about payment processing in our articles What Is a Payment Processor? and How Does Payment Processing Work?


What Are the Consequences of a BIN Attack for Merchants?

Consumers are not the only ones on the losing end when hit by a BIN attack. Credit card testing can have a significant impact on merchants too, with consequences including:

  • Higher chargeback fees - Any form of payment fraud can lead to chargebacks and hurt the merchant’s bottom line.
  • High-risk classification - The increase in chargebacks, if not brought under control, leads to a business being classified as high risk. Not all payment processors want to work with a high-risk merchant, making online payment processing more difficult and costly for the merchant.
  • Higher interchange fees - The surge in transaction attempts due to card testing leads to higher interchange fees.
  • Transaction restrictions - Due to the influx of transaction attempts, payment processors may limit the merchant’s processing capabilities as a security precaution. While that may mitigate the BIN attack, it will also prevent some legitimate buyers from making a purchase.

How Can Merchants Detect BIN Attacks?

Indicators that a BIN attack is underway include:

  • Multiple transactions from the same IP address - Attackers often use rudimentary software, so the attempts originate from a single location. Transactions coming from the same IP address using sequential card numbers should be viewed as highly suspicious.
  • Multiple purchases in quick succession - Once a credit card number has been compromised, attackers try to make as many automated purchases as possible.
  • A sharp increase in declined transactions - Only a handful of the card numbers generated during a BIN attack are valid. A sudden increase in transactions declined because of an invalid card number is an indicator that someone might be entering wrong numbers by design.
  • CVV errors - CVV codes are difficult to obtain as they are specific to each card. An increase in transactions declined because of a wrong CVV can be an indicator that the merchant is under a BIN attack.
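The indicators above can be checked mechanically against gateway logs. The following is an added example, not code from the article or from CCBill: it runs over a constructed set of log lines (with the card number stored only as BIN plus last four digits, as a merchant log should) and reports, per source IP, the size of the densest burst of attempts, its decline rate, the invalid-card and CVV-mismatch counts, and how many attempts used sequential card numbers. The field names, window and thresholds are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of gateway log lines (not real data). The PAN is stored
# truncated to BIN + last four, which is all a merchant log should keep.
SAMPLE_LOG = """ts,ip,bin,last4,amount,result,reason
1675900000,203.0.113.7,411111,0001,1.00,declined,invalid_card
1675900002,203.0.113.7,411111,0002,1.00,declined,invalid_card
1675900004,203.0.113.7,411111,0003,1.00,declined,cvv_mismatch
1675900006,203.0.113.7,411111,0004,1.00,approved,
1675900008,203.0.113.7,411111,0005,1.00,declined,invalid_card
1675900010,203.0.113.7,411111,0006,1.00,declined,cvv_mismatch
1675900100,198.51.100.9,555555,4242,59.90,approved,
1675903700,198.51.100.9,555555,4242,12.50,declined,insufficient_funds
"""

def parse_log(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"], r["amount"] = int(r["ts"]), float(r["amount"])
    return sorted(rows, key=lambda r: r["ts"])

def sequential_pairs(last4s):
    """Adjacent attempts whose last four digits differ by exactly one."""
    nums = [int(x) for x in last4s]
    return sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)

def score_ips(rows, window=60, min_attempts=5):
    """Per source IP, find the densest `window`-second burst of attempts and,
    if it reaches min_attempts, report the indicators the article lists."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, evs in by_ip.items():
        burst = max(([x for x in evs[i:] if x["ts"] - e["ts"] <= window]
                     for i, e in enumerate(evs)), key=len)
        if len(burst) < min_attempts:
            continue
        declines = [x for x in burst if x["result"] == "declined"]
        flagged[ip] = {
            "attempts": len(burst),
            "decline_rate": round(len(declines) / len(burst), 2),
            "invalid_card": sum(x["reason"] == "invalid_card" for x in declines),
            "cvv_mismatch": sum(x["reason"] == "cvv_mismatch" for x in declines),
            "sequential_pans": sequential_pairs(x["last4"] for x in burst),
        }
    return flagged
```

In the sample, only 203.0.113.7 is flagged: six attempts in ten seconds, five of them declines, on consecutive card numbers; the second IP is an ordinary customer with one decline an hour later.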

BIN Attack Prevention

Merchants can reduce the risk of BIN attacks by implementing the following measures:

  • Velocity Controls - Restrict the number of transactions a customer can initiate and the total amount they can spend within a given time frame.
  • Address Verification Service (AVS) - AVS systems compare the address a customer enters on the payment form to the data their card issuer has on file. This means that attackers need to know the customer’s correct address before attempting a transaction. AVS is an inexpensive and proven method for preventing unsophisticated payment fraud attacks.
  • Monitor for suspicious activity - Always investigate unusual payment activity, such as transactions that originate from the same IP address but use different payment details, declines that use the same card number but different expiration dates, declines with sequential card numbers, or the use of generic email addresses.
  • Clear procedures and regular staff training - Employees need to recognize common threats and understand how their actions facilitate or prevent BIN attacks. They need to know how to recognize a BIN attack and what action to take once an attack is underway.
  • Payment Tokens - Check if your payment processor offers features that allow you to tokenize payment information. Substituting personally identifiable payment information with a token significantly increases the security of transactions.
  • Two-Factor Authentication - Adding an additional security layer with two-factor authentication reduces the risks of payment fraud. Attackers looking to test card number variations avoid websites that require cardholders to authenticate themselves with their bank before a transaction can be completed.
  • Advanced fraud detection systems - Fraud detection methods that incorporate machine learning, AI, and predictive models are expensive for merchants to implement on their own. Using a payment processor with sophisticated detection systems enables you to better protect your business at a fraction of the cost. When choosing a payment processor, find out more about the systems, tools, and procedures they use to manage risk.
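The velocity controls listed above can be implemented as a sliding-window limiter in front of the payment gateway. This is an added example, not code from the article or from CCBill: it caps both the number of attempts and the total amount per key within a time window, and counts declined and blocked attempts as well, since card testing consists mostly of declines. The choice of key (customer id, hashed card fingerprint or source IP), the limits and the decision to record blocked attempts are assumptions.

```python
from collections import defaultdict, deque

class VelocityControl:
    """Sliding-window velocity control: caps the number of attempts and the
    total amount per key (customer id, hashed card fingerprint, source IP)
    within a time window. Declines count as attempts, like approvals."""

    def __init__(self, max_attempts, max_amount, window_seconds):
        self.max_attempts = max_attempts
        self.max_amount = max_amount
        self.window = window_seconds
        self.history = defaultdict(deque)  # key -> deque of (ts, amount)

    def _recent(self, key, now):
        q = self.history[key]
        while q and now - q[0][0] > self.window:  # drop entries outside window
            q.popleft()
        return q

    def check(self, key, amount, now):
        """Return (allowed, reason). Blocked attempts are recorded too (with a
        zero amount), so continued probing keeps the key throttled."""
        q = self._recent(key, now)
        reason = None
        if len(q) >= self.max_attempts:
            reason = "attempt_limit"
        elif sum(a for _, a in q) + amount > self.max_amount:
            reason = "amount_limit"
        # only an allowed attempt contributes its amount to the running total
        q.append((now, amount if reason is None else 0.0))
        return reason is None, reason
```

Keying the same limiter separately on the card fingerprint and on the source IP catches both a single card being hammered and a single source cycling through many generated numbers.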

What to Do in Case of a BIN Attack?

To minimize the damage caused by a BIN attack and prevent future attacks:

  • Contact your bank or merchant services provider immediately to report the attack and close any fraudulent accounts.
  • Review your transaction records to identify any unauthorized transactions or suspicious activity.
  • Notify customers who may have been affected and provide them with information on how to protect themselves from fraud.
  • Review and update your security protocols, including your BIN validation procedures, to ensure that they are as secure as possible.
  • BIN attacks are a crime - report the incident to the authorities.
  • Take steps to protect your business from future attacks, such as implementing advanced fraud detection and prevention tools, and educating your employees about how to spot and prevent BIN attacks.

It is important to note that preventing and detecting BIN attacks is a continuous process. Remain proactive, take the necessary precautions, and continuously monitor for any suspicious activities.

Conclusion

You now know how BIN attacks work, the best ways to prevent them, and what to do if your business is targeted.

As a merchant, you need to collaborate closely with other participants in the payment process. Finding a reliable payment processor with an impeccable safety record will help you protect your business and customers from BIN attacks.

About the author
Vladimir Kaplarevic
Vladimir is a resident Tech Writer at CCBill. He has more than 8 years of experience in implementing e-commerce and online payment solutions with various global IT services providers. His engaging writing style provides practical advice and aims to spark curiosity for innovative technologies.