The Fight to Foil BIN Fraud
Authors: Rachel Eaker and Matty Pahren
Card fraud is on the rise. A report from Mastercard shows that card testing attempts, as a precursor to fraudulent transactions, has increased around 80% at a global level since the COVID-19 pandemic began in 2020. The Federal Trade Commission (FTC) reported that credit card that card fraud in the US is up by 14% in 2023 over the previous year for existing accounts. While fraud can take many different shapes, we focus on payment fraud for card in this blog post. Specifically, card-not-present (CNP) fraud is one of the most prevailing types of payment fraud seen across our clients, both domestically and internationally. Chief among the types of CNP fraud are BIN attacks. The Australian Payments Network reported that CNP fraud increased by 33.8% from the Australian fiscal year¹ (FY) 2022 to FY 2023.
BIN attacks are unique in this space as fraudsters are targeting whole segments of an issuer’s cards, rather than individual card numbers. This type of attack poses a major threat to issuers; they happen quickly, are hard to detect, and impact many customers at once.
¹ The Australian fiscal year begins July 1 and ends June 30 of the following calendar year
What is BIN fraud?
The Bank Identification Number (BIN) refers to the first six to eight digits of a credit card number. These digits indicate what bank and product type the card belongs to and is unique to the card issuer.
BIN fraud occurs when a fraudster gets hold of a valid BIN and then runs a script to generate the remaining card digits, as well as the expiration date and card verification value (CVV), in a brute force approach. Once a valid combination is identified, the attacker begins to test the card with small purchases before moving on to larger purchases.
The testing of cards may be accompanied by a large increase in internet transaction volume, as the attacker experiments with different card numbers and transaction amounts to identify which cards may be vulnerable to be exploited. Many of these test transactions are caught by issuers’ fraud defenses, but some may still slip through the cracks as fraudsters become increasingly sophisticated with their methods. When the script finds the right combination of information that breaks through existing fraud defenses, the fraudster will use that information for big money purchases at multiple merchants or sell the information to other bad actors.
Such attacks adversely affect all parties (with the exception of the bad actor) involved.
Why is BIN fraud a problem?
Financial institutions are usually on the hook for losses due to BIN attacks, from both an operational and business perspective. If they have fallen victim to a successful BIN attack, financial institutions will need to reissue cards, deal with chargebacks, and handle a much higher load on call centers, resulting in additional operational cost. Institutions also suffer from reputational damage, disturbance in the customer experience, and interchange loss when these attacks occur.
Once a BIN attack is identified, financial institutions work to contain the attack based on date and time, merchant, location, etc. to limit losses and preclude future attacks. However, it can be challenging to differentiate between a BIN attack and a legitimate batch process charge from a merchant. For example, many subscription service charges are batch processed during off-hours and can be charged to many customers within the same BIN just by chance. Issuers need to be able to differentiate these transactions from a true BIN attack so that they don’t shut down customers’ cards unnecessarily.
An additional complication in play when dealing with BIN attacks is that the best way for institutions to test their fraud algorithms is using confirmed BIN attacks. However, as mentioned above, BIN attacks can be hard to identify especially when many card testing transactions are caught by the rules already in place. Our experts at 2OS have experience navigating these difficulties and helping our clients implement stronger fraud rules to protect against further BIN attacks.
What can financial institutions do to protect against BIN fraud?
One of our international clients enlisted 2OS to help spot and stop BIN attacks. After analyzing the client’s data, 2OS identified four new fraud tagging rules that were effective in picking up previously undetected attacks while also minimizing the false positive rate. These rules were successful in helping our client:
(1) Stop attacks sooner
By adding rules specific to identifying BIN attacks, our team was able to help the client identify attacks more quickly than their current set of rules. This allowed the client to shut down and reissue cards associated with the attack before the attach got any larger and without overwhelming their call centers. BIN attacks can last for long periods of time if not caught early, so having rules that run at regular intervals and can catch attacks in progress are an important line of defense for financial institutions.
(2) Spot attacks across merchants
A characteristic of BIN attacks that makes them particularly hard to identify is that fraudsters typically test card numbers across several small merchants at one time. This requires financial institutions to be able to identify patterns across merchants. These patterns may be visible in the order cards are tested, the transaction amounts used, the timing of transactions, etc. Institutions need to have rules built that look at transaction level data using various cuts to identify such patterns before the fraudster’s testing is complete and they move on to bigger purchases.
(3) Detect complex fraud algorithms
As they have gotten more sophisticated, fraudsters have developed many algorithms that can be used to cycle through card numbers while testing. The complexity of these algorithms makes it hard to identify any simple pattern in transaction level data and requires creativity when establishing fraud rules. Using techniques such as Levenshtein distance² and observing the frequency with which certain digits appear in certain positions of card numbers used in a batch of transactions, we were able to assist our client in developing rules that would catch these more complex attacks.
² Levenshtein distance is also known as the edit distance. It measures the minimum number of one-character edits (e.g., substituting, inserting, or deleting characters) that are needed to convert one combination of characters into another combination. For example, the Levenshtein distance between “dog” and “frog” is 2, since there are at least two edits required:
1. dog → fog
2. fog → frog
(4) Mitigate false positives
False positives³ are a large risk associated with fraud detection in credit cards. Shutting down cards or engaging customers in fraud mitigation workflows for legitimate transactions poses real reputational risk to financial institutions. To avoid this, our rules work in conjunction with each other to accurately identify fraud instances without tagging a large number of valid transactions. Mitigating the risk of false positives allowed our clients to implement these rules with confidence while also saving them the operational expenses associated with rectifying actions taken on legitimate transactions.
³ Mistakenly labeling a non-fraudulent transaction as fraudulent
Want more information?
See our case study on the 2OS website.
Do you have questions? We’d love to answer them!
Contact the authors by email at:
Interested in 2OS insights?
Check out the 2OS Insights page, where 2OS has shared industry insights through white papers, case studies, and more!
