BIN attack fraud – what it is and why retailers should be wary

Retailers with online stores are being asked to look out for scammers who may be using their e-commerce facilities to test stolen card numbers. 

A BIN Attack involves a fraudster taking the first six numbers of a card (the Bank Identification Number or BIN) and then using software to automatically generate the remaining numbers and test these combinations to see which card numbers are correct and if the cards are active.  

This is usually done by making small transactions through an online store. Fraudsters can write programmes that run card numbers through the website, with multiple cards tested per second. The volume of cards being tested can range from a several a day to thousands of cards in a matter of hours. 

Charlotte Steiner, from Westpac’s Merchant Risk & Compliance team, says E-commerce is becoming one of the largest payment solutions in market today.  

“Fraudsters are increasingly finding new ways to carry out card-not-present fraud like BIN attacks, so it’s important that you know how to keep your business safe.”  

Here’s how to spot the signs of a BIN attack:  

• Multiple low dollar value transactions (the amounts may be unusual for your type of business).
• Multiple declines.
• Unusually high volumes of international cards.
• Large number of transactions being processed or attempted in a short period of time. These transactions tend to be within a few seconds of each other. 
• Card numbers being used repeatedly with variations in the security features (e.g. expiration date, card security code, and postal codes).
• The time of transaction may be unusual for your business, eg. early in the morning.

How a BIN attack could impact your business:   

• Reputation: when your merchant facility is used in a BIN attack, your store details will be visible to genuine cardholders impacted by the attack, as well as the issuing bank. If your business is associated with a fraud event, this can deter customers from purchasing on your website. 
• Financial: the cardholder’s bank may restrict purchases being made at your store. This means you could miss out on genuine orders from other customers who belong to the same bank.
• Operational: you will need to refund any fraudulent transactions that were accepted. 
• Suspension or full closure of your merchant facilities: depending on the nature and risk profile of the attack, your merchant bank may suspend or close your facility. 

Fraudsters don’t hesitate to strike twice.   

Steiner says a business recently experienced a BIN attack through their online shopping cart. Westpac requested the facility be suspended until the merchant could take preventive steps.

A month later the merchant requested to temporarily activate the facility in order to process the refunds from the previous BIN attack. The facility was opened for just one day before the fraudsters made another BIN attack. As a result, the facility has been closed permanently.  

Protect your business:  

• Enable 3D secure. This is an additional security layer for online credit and debit card transactions.
• Enable a CAPTCHA test to tell humans and bots apart. It’s easy for humans to solve, but not bots and other malicious software. See your gateway provider on how to enable this.  
• Use an e-Commerce gateway solution that’s PCI Compliant and a vendor that’s approved by your merchant bank. 
• Enable card security code verification. The transaction won’t proceed until the three digit security code on the back of the card has been entered into the merchant facility.
• Use a hosted e-commerce solution. This means the payment page is not hosted by the merchant and the payment page is redirected to gateway provider. 
• Talk to your gateway provider or merchant bank for more fraud prevention options, and tips to keep your business safe.
• Keep your contact details up to date with your merchant bank and gateway provider.  

What should I do in the event of a BIN attack?   

If you suspect that you have been a victim of a BIN attack, contact your gateway provider and merchant bank straight away. They will advise you on next steps. 

We also strongly recommend reporting the incident to the appropriate authorities. They’ll be able to provide advice and use the information to help prevent future attacks.  

– File a police report.  

– Report scams and fraud to Netsafe.   

Various types of frauds and scams are on the rise. To help New Zealanders stay safe, Westpac maintains a list of latest scams and frauds.

Things you should know. All intellectual property in this document, any trademarks or brands represented in this document or on systems, services and products described in this document are the property of Westpac. Nothing in this document will transfer or shall be deemed to transfer title to that intellectual property. The content of this document is intended for information purposes only and you should use your own judgment regarding how such information should be applied in your own business. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained in this document. We recommend you seek independent legal, financial and/or tax advice before acting or relying on any of the information in this document. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.