Cyber-Criminals are Using 'BIN' Attacks for Card Fraud; Here's how to Stay Safe

Cybersecurity networks may be getting stronger, but cyber-criminals always seem to outpace that progress by coming up with more sophisticated tactics. The latest troubling trend to emerge in the space is the use of "BIN attacks" by cyber-criminals to target small businesses. This involves manipulating the Bank Identification Number (BIN) of credit cards, allowing fraudsters to test stolen card details through trial and error on unsuspecting e-commerce sites. This sophisticated cybercrime tactic not only poses financial threats to businesses but also leaves consumers questioning the security of their online transactions.

Behind the scenes of the 'BIN' attacks

In 2023 alone, payment card fraud amounted to a staggering $577 million, which was a concerning 16.5% increase from the previous year. The Commonwealth Bank, among others, found itself at the center of this storm when a Melbourne wholesaler faced a barrage of 13,500 declined e-commerce transactions in just one month. What initially seemed like a clerical error soon turned out to be a sophisticated cybercrime technique that put both businesses and consumers on edge.

Cyber-criminals start by obtaining the first six digits of a credit card, known as the Bank Identification Number (BIN). With this information, they employ trial-and-error methods to decipher valid combinations of card numbers, expiration dates, and security codes. The stolen card details are then tested through small transactions that are hardly noticed, to determine their validity. Once confirmed, fraudsters either sell the compromised card numbers or use them for more larger fraudulent transactions.

Customer accounts compromised

Bob Barrow and John Goodall, both Commonwealth Bank account holders, found themselves victims of unauthorized transactions. Despite never using their cards online, they were shocked to discover transactions on their accounts, leaving them with doubts about the safety of their financial information, even though the bank reimbursed them.

Contrary to popular belief, credit card numbers are not as random or infinite as consumers might think. With 16 digits on a card, removing the six-digit BIN leaves just 10 digits that adhere to a specific pattern. The relatively limited possibilities make it feasible for cyber-criminals to use automated systems to rapidly guess valid combinations, posing a significant challenge for traditional security measures.

Role of financial institutions and businesses

While the affected businesses call for tighter safety protocols, the responsibility is not solely on the banks. Financial institutions, often the victims themselves, issue cards but are not always the entities processing the transactions. The attacks highlight the need for a multi-layered defense, with businesses employing robust fraud protection tools and payment processors like Stripe and Square that prioritize online store security. This is needed since the aftermath of a BIN attack can be financially crippling for businesses.

Adapting to evolving threats

As cyberattacks become more sophisticated, businesses must adapt to protect themselves and their customers. Popular platforms like Stripe and Square can serve as valuable allies in the ongoing battle against cyber threats, providing an additional layer of defense for businesses and their customers.

In an era where convenience and speed define online transactions, the dark underbelly of cybercrime poses a persistent challenge. BIN attacks, with their focus on small businesses, remind us of the fragility of digital financial ecosystems. As businesses and financial institutions work to bolster their defenses, consumers are encouraged to remain vigilant and report any suspicious transactions promptly. The delicate balance between ease of use and security continues to be a tightrope walk in the digital age, with each innovation met by an equally cunning cyber threat.