Digital payments are becoming increasingly prevalent, leading to constantly evolving risks to our financial systems. One such risk is a fraud known as a Bank Identification Number (BIN) attack. This type of attack uses the infrastructure of payment networks to facilitate automated fraud. Fraudsters generate credit card data in bulk by exploiting card issuer BIN number sequences to access funds.

In this post, we'll dive into the mechanisms of BIN attacks and describe how fraudsters have weaponized random number generators against payment systems. More importantly, we'll highlight the fraud prevention measures businesses can enact right now to protect their systems.

What Is a BIN Attack?

A BIN attack is a form of payment fraud that exploits the configuration of credit card numbers to guess active numbers. This attack involves generating card data using issuer BIN number sequences, allowing fraudsters to make multiple small transaction attempts in search of successes that add up to more significant profits.

To understand how BIN attacks work, we must examine the different digits in card numbers.

Any credit card's first six digits (or eight digits for newer cards) are known as the Bank Identification Number (BIN). These identify the issuing bank and payment network, such as Visa or Mastercard.

The following nine or seven digits constitute the individual account identifier.

The final digit is a check number calculated using the Luhn algorithm to validate the credit card number. This algorithm is a simple check digit formula that applies a series of mathematical operations to the digits of the credit card number to determine if it's valid. This method protects against accidental errors and typos rather than deterring malicious attacks.

Unlike card cracking, where a stolen list of valid credit cards is used, BIN attacks use automated bots and scripts to generate countless payment card numbers randomly, iterating through valid BINs and trying random account digits. These bots also attempt to bypass security controls, such as verification of payment card number checks. Fraudsters use brute force to attempt all possible combinations of numbers until they find a valid card number for making a purchase. Most guesses fail. However, with enough attempts, some small percentage of guesses will find active account numbers by chance.

Fraudsters then use these randomly discovered working numbers to place a high volume of small purchases from online merchants. When viewed individually, each transaction appears insignificant and legitimate.

Risks of BIN Attacks

BIN attacks pose significant risks to digital payment platforms and businesses accepting online transactions. These attacks are automated and highly scalable, meaning fraudsters can target multiple companies without much effort.

Because these attacks usually involve making small transactions, they are hard to detect by traditional fraud prevention systems that rely on anomaly detection. This aspect enables automated fraud to go undetected, flying under the radar. Fraudulent transactions can accumulate when repeated across numerous attempts and payment systems, making BIN attacks highly profitable for fraudsters, with minimal risk involved. As a result, businesses may only realize they've been targeted once significant damage has already occurred.

Additionally, BIN attacks can damage a business's reputation and customer relationships. If fraudsters use stolen credit cards to make purchases from legitimate merchants, those businesses may be held liable for the fraudulent transactions. This liability can lead to financial losses and loss of trust from customers who may view the company as insecure or unreliable.

Preventing and Defending Against BIN Attacks

Businesses can implement various fraud prevention measures to protect against BIN attacks. These include:

Additional Data Verification

BIN attacks generate card numbers at random without associated cardholder information. Adding checks for address, zip code, and CVV to the checkout process lets you double-check data consistency for signs of fraud. Most payment gateways allow configuring Address Verification Service (AVS) checks on orders to match billing locations.

Similarly, requiring the 3-4 digit card security code on the back of most cards can be an additional validation for authorized use. The more supplemental information you require beyond card numbers and expiration dates, the lower the chances that randomly guessed payment credentials will clear your payment screening.

Link Transactions to Devices

Use browser and device fingerprinting techniques and IP analysis to link transactions and payment attempts to the originating device. By establishing unique digital signatures for your users, you can better spot anomalous volumes of transactions from the same device. Additionally, deploying fingerprinting lets you flag the devices behind strange activity so you can blocklist suspicious connections that match the profile of an automated BIN attack.

Stop Automated Bots

Using CAPTCHAs or similar human-validation gates before payments can prevent bots from checking out with randomized card data. Adding this proof step to make transactions acts as a speed bump that thwarts automated testing of payment card credentials. Once you know the visitor is a bot, you can deny the transaction and flag the user.

Multi-Factor Authentication

Implementing multi-factor authentication (MFA) adds friction that deters fraudulent purchases. By requiring additional identity verification beyond static credentials like passwords, MFA significantly raises the barrier for criminals. Options like SMS token codes, biometrics, or authentication apps should be deployed wherever possible across checkout interfaces. The more layers of dynamic authorization are required, the more challenging brute-force access becomes.

Monitor Transaction Volume

BIN attacks rely on automated software to submit as many payment attempts as possible. By monitoring the volume and velocity of orders, businesses can set thresholds to detect anomalous patterns and potential brute force guessing. Analyzing the number of first-time cards used by a common BIN, the frequency of attempts on various account digits, and sales velocities by geolocation can provide monitoring that flags suspicious activity and prompts further investigation before order fulfillment.

How to Prevent BIN Attacks with Fingerprint

The primary strategies for preventing BIN attacks include verifying that your visitors are human to deter bots and linking transactions that appear unrelated but originate from the same device. Fingerprint's Device Intelligence Platform can help you do just that with 99.5% accurate visitor identification and Smart Signals that help you detect automated bots.

Fingerprint’s Visitor Identifier uses over 70 data inputs, advanced matching algorithms, and server-side techniques to create a unique visitor identifier consistent over months or years. This identifier enables you to link transactions from the same device rather than treating each transaction as an individual event. You can set thresholds and alerts for devices making an unusual number of transactions with various credit cards. This linking consistently identifies fraudster devices, preventing them from concealing their activities through anonymous guest checkouts.

To get a unique visitor identifier, start with the Fingerprint JavaScript agent to make an identification request:

// Initialize the agent.
const fpPromise = import("https://fpjscdn.net/v3/<your-public-api-key>").then(
  (FingerprintJS) =>
    FingerprintJS.load({
      endpoint: "https://metrics.yourdomain.com",
    })
);

// Make an identification request
const { requested, visitorId } = await (await fpPromise).get();

Once you have the visitor identifier, you can store it in your data storage and use it to monitor transactions at the device level:

const db = require("./database"); // Database connection setup.

async function checkTransaction(visitorId) {
  // Define the time frame for checking transactions, e.g., the past 24 hours, based on your use case.
  let timeFrameStart = `NOW() - INTERVAL '24 HOURS'`;

  // Query to check if the visitor ID has been used for transactions within the specified time frame.
  let query = `SELECT COUNT(*) AS transaction_count FROM transactions
               WHERE visitor_id = $1 AND transaction_date >= ${timeFrameStart}`;
  let result = await db.query(query, [visitorId]);

  // The transaction limit should be based on your business and typical transaction patterns.
  if (result.rows[0].transaction_count > 5) {
    // If more than five transactions are found within the time frame, handle them as potentially suspicious.
    flagSuspiciousActivity(visitorId);
    failLoginAttempt();
  } else {
    // Consider normal guest checkout if five or fewer transactions are found within the time frame.
    allowTransaction();
  }
}

Along with highly accurate visitor identification, you can also use Fingerprint to detect if your visitor is a bot. Our Smart Signals provides information on visitor behaviors, such as usage of a VPN, virtual machine, or a tampered browser. It also includes Bot Detection, which collects browser data that bots inadvertently leak when interacting with websites. This data contains errors, network overrides, browser attribute inconsistencies, API changes, and more. By analyzing this data on the server side, Fingerprint can determine if your visitors are human users or if they are headless browsers, automation tools, or bot derivatives.

Again, to determine if a visitor is a bot, start with an identification request using the Fingerprint JavaScript agent.

// Initialize the agent.
const fpPromise = import("https://fpjscdn.net/v3/<your-public-api-key>").then(
  (FingerprintJS) =>
    FingerprintJS.load({
      endpoint: "https://metrics.yourdomain.com",
    })
);

// Make an identification request
const { requested, visitorId } = await (await fpPromise).get();

This time, you will use the request ID with the Server API to get more details about the visitor. The response from the server, specifically in the products.botd.data object, will provide data showing if the visitor is a bot or a human.

{
  "products": {
    ...
    "botd": {
      "data": {
        "bot": {
          "result": "notDetected"
        },

        "url": "<https://www.example.com/login>",

        "ip": "61.127.217.15",

        "time": "2024-02-02T16:40:13Z"
      }
    }
    ...
  }
}

The returned object can have one of the following values:

• notDetected: No bot detected, and the visitor is a human.
• good: A bot was detected, but the bot is a well-known web crawler or search engine bot.
• bad: A bot that doesn't have legitimate uses and assumes fraudulent activity was detected.

Using this information, you can take appropriate action, either continuing the transaction, asking for more proof that they are human or card authorization validation, or blocking the transaction altogether.

Conclusion

While BIN attacks require multiple attempts with automated bots and scripts, they can pose significant risks to businesses, including financial losses and damage to their reputation. However, companies can protect themselves against BIN attacks and other payment fraud by implementing strong security measures, proving users are human, linking transactions, and monitoring their transaction patterns.

If you want to learn more about how Fingerprint can help you prevent BIN attacks and other forms of payment fraud, contact us or sign up for a free trial.