How Credit Unions Can Fight Back Against BIN Attacks

When it comes to preventing card fraud, issuers need all the help they can get. Fortunately, credit unions have access to a variety of tools, resources, and expertise in their fight against fraudsters’ ever-changing tactics.

Card not present (CNP) fraud is the dominant type of payment fraud that Strategic Link partner CO-OP Financial Services is seeing among its credit unions’ portfolios, comprising over 80% of fraud incidents across both debit and credit.

One key contributor to this rise has been the increasingly bold use of BIN attacks, one of the most common types of CNP fraud.

What are BIN attacks?

The first six digits of a credit or debit card number are collectively known as the Bank Identification Number (BIN), which is unique to a single issuer. In a BIN attack, a fraudster employs a sophisticated software program to target an entire BIN. The software randomly generates the remaining digits in various combinations, and then makes small online transactions to identify those account numbers associated with real, active cards. This randomized, sledgehammer approach is why BIN attacks are also known as “brute force” attacks.

The fraudsters often deploy a software algorithm to perform test runs on a single merchant at high velocity — as many as 5,000 attempts in just a few hours. The algorithm typically uses the same purchase amounts, expiration dates, and code verification values (CVV) in various combinations.

Once the software hits a successful transaction, indicating that the randomized account number is associated with a valid card, the fraudster will attempt to rapidly use the card number at one or more online merchants, usually for larger amounts.

What can credit unions do to prevent them?

Credit unions can use several tools and strategies to combat the rising threat of BIN attacks, starting with making it harder for the fraudsters to conduct their brute force attacks.

BIN attack software algorithms are designed to seek out patterns. By randomizing account numbers at issuance, it becomes more difficult for software programs to recognize such patterns and identify active accounts, even if a single account is successfully compromised.

Similarly, randomizing or staggering expiration date issuance makes it harder for fraudsters to match real account numbers with their associated expiration dates to complete an approved transaction.

Among proactive measures your credit union can take to prevent or limit damage from BIN attacks and other card fraud, CO-OP recommends enabling 3-D Secure with one-time passcode (OTP), which provides an additional layer of security for online card transactions.

Active monitoring of trends in card transaction denials is also crucial. Keep a sharp eye on any increases in denials due to invalid expiration dates or CVV codes within a short period. CVV codes are randomly generated and thus tend to be harder for software programs to identify, so any rapid increase in CVV code denials is indicative of a likely BIN attack.

Credit unions may also consider setting transaction limits on the activity generated from certain foreign countries, as many BIN attacks come from outside the U.S. Similarly, consider implementing a card rule to block transactions from identified fraudulent merchants.

Lastly, as with all types of fraud, member education is critical. Deputize your cardholders as members of your fraud prevention team, and regularly communicate the importance of security measures like OTP to help protect them.

Learn strategies for reimagining your services, operations, and business model at CO-OP’s upcoming THINK 22 conference, taking place May 2-6 in Chicago. Details about the conference and speakers are available online. To connect with CO-OP, please contact the Strategic Link team.


Posted in GoWest Solutions, Industry Insight.