BIN Attack Credit Card Fraud


Credit card fraud covers a range of methods and techniques for illegally obtaining credit card information from unsuspecting individuals. This information is then used to withdraw money from financial institutions or to purchase commodities and goods through the Internet, or at a brick and mortar store if the thieves have the actual credit card with them. Sometimes the thieves will even visit a restaurant and have a nice dinner at the expense of the victim (usually the victim turns out to be the financial institution, since most card issuers do not hold cardholders responsible if the cardholder contacts them within a reasonable amount of time).

There are hundreds of thousands of scenarios in which thieves use stolen credit cards, and there appears to be no end in sight. Case in point: an individual visited a furniture store and bought a sofa bed for his new apartment. Once the purchase was complete, he left the store without realizing that he had left his Visa card with the salesman. To his surprise, the bank’s fraud department called him the next day to report that $142.00 had been spent at a restaurant in City Island, New York. He then checked his wallet and realized he didn’t have the card. This individual was not charged for the dinner, but no investigation was done either, as there was not enough evidence to suspect the salesman. In general, no investigation would be done since the amount was considered minimal. This is, however, a very common scenario: the criminals get away with the merchandise, and no follow-up is done to find them.

In a broader sense, credit card fraud can be the result of identity theft, which is criminalized everywhere around the world. Among all the ways scammers steal credit cards or their information, BIN (Bank Identification Number) attacks are the most complex. In these attacks, criminals try to generate many fraudulent credit card numbers on the basis of some actual and authentic numbers. BIN attacks mostly affect businesses rather than individuals.

Let’s get into the details of BIN attack credit card fraud in order to understand the process and learn how to prevent it.

What are BINs?

BINs represent the first four to six digits appearing on a credit card. This set of digits uniquely identifies the issuer (financial institution) of the credit card.

BINs play an important role in authenticating a transaction by matching the issuer's information with the card used. The same numbering system is also used on other kinds of bank cards. A BIN is also referred to as an “issuer identification number”. The numbering system was actually intended to limit cases of identity theft and security breaches, but ironically criminals use this same number to carry out credit card fraud.

How BIN Attacks Play Out

Generally, three steps are involved in any BIN attack credit card fraud.

  1. Generating Same BIN-Sequence Credit Card Numbers

Criminals use the immense power of technology, and particularly the Internet, to carry out BIN attack fraud. They use software applications which generate random credit card numbers. However, BIN attackers don’t use these apps to produce simple random numbers. They start from a genuine credit card number and derive new numbers from it. The generated numbers share the BIN of the genuine number.

  2. Shortlisting Through Matching Expiry Date

They scrutinize and shortlist the generated numbers by using them on the websites of different online businesses. Scammers try all the generated numbers with the same BIN sequence in transactions involving very small amounts (usually less than $50), together with the expiry date of the original credit card from which the numbers were generated.

This testing is carried out because credit card numbers with the same sequence are usually issued the same expiry date. Numbers matching the expiry date are then used in the final step of the theft.

  3. Employing the Numbers for Fraudulent Transactions

In the final stage of BIN attack credit card fraud, the shortlisted fake credit card numbers matching the same expiry date are tried on different online businesses for payments and purchases. Here, the amounts of money involved in the transactions go up to $10,000.

By the time banks find out about the fraudulent transactions, the scammers have already succeeded. Usually these transactions are reversed by the banks, and merchants have to bear the brunt in the form of chargebacks.

Preventing BIN Attack Credit Card Frauds

Prevention of BIN attacks is tricky because online transaction systems are still in their development phase and most of them are not robust enough to counter such attacks. For instance, banks employ fraud detection software to prevent credit card fraud. The algorithms in this software are designed only to check for unusual activity on an individual card.

But as we have learned, BIN attacks affect multiple cards and hence current fraud detection applications remain ineffective in preventing them.

What Can Be Done?

As mentioned above, BIN attackers use software to carry out the scams. Therefore, to effectively counteract BIN fraud, software engineering has to be employed. Two algorithmic approaches can be used to limit and prevent BIN attacks.

  • Implementing code that detects BIN attack patterns by checking the number of transactions against a narrow range of card numbers within a short time period.
  • A more effective algorithm uses predictive techniques, which can help in identifying both the testers (second step) and the hitters (third step).
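
An added example (not from the original article) of the first approach: a sliding-window check that counts how many distinct cards under one BIN are seen in low-value attempts within a short period, which is exactly what per-card rules miss. The field names, the tokenised card identifiers, the 10-minute window and the threshold of 5 cards are assumptions; the $50 cut-off is the article's figure for test charges.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600     # assumed "short time period"
MAX_DISTINCT_CARDS = 5   # assumed alert threshold per BIN per window
SMALL_AMOUNT = 50.00     # the article's "usually less than $50" test charges


def detect_bin_testing(attempts, window=WINDOW_SECONDS,
                       max_cards=MAX_DISTINCT_CARDS, small=SMALL_AMOUNT):
    """Return one alert per BIN whose low-value attempts involve more than
    max_cards distinct cards inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)      # bin -> deque of (ts, card_token)
    alerts = {}
    for a in sorted(attempts, key=lambda x: x["ts"]):
        if a["amount"] >= small:
            continue                 # only low-value "tester" charges count
        q = recent[a["bin"]]
        q.append((a["ts"], a["card"]))
        while q[0][0] <= a["ts"] - window:
            q.popleft()              # expire attempts older than the window
        distinct = len({card for _, card in q})
        if distinct > max_cards:
            alert = alerts.setdefault(
                a["bin"], {"bin": a["bin"], "alert_ts": a["ts"], "peak_cards": 0})
            alert["peak_cards"] = max(alert["peak_cards"], distinct)
    return list(alerts.values())


def sample_attempts():
    """Constructed data: placeholder BINs, tokenised cards, epoch seconds."""
    normal = [{"ts": 1000 + i * 900, "bin": "510000", "card": f"tok_n{i % 3}",
               "amount": 20.0 + i} for i in range(8)]
    # Many different cards under one BIN within two minutes: the pattern to flag.
    burst = [{"ts": 5000 + i * 10, "bin": "400000", "card": f"tok_b{i}",
              "amount": 1.00} for i in range(12)]
    # One card retried repeatedly: a per-card rule's job, not a BIN-level alert.
    repeat = [{"ts": 6000 + i * 5, "bin": "420000", "card": "tok_r0",
               "amount": 5.00} for i in range(20)]
    return normal + burst + repeat


if __name__ == "__main__":
    for alert in detect_bin_testing(sample_attempts()):
        print(alert)
```

In production the window and threshold would be tuned per merchant against normal traffic for each BIN, since popular issuers legitimately produce many distinct cards in a short time.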

But implementation of these customized software applications is still not widespread. It will take time for small online ventures to put them into practice. Until then, BIN attack credit card fraud will remain a cause of concern for online business owners.


Posted On December 2, 2017