The Game of Luck — BIN Attack

Backspace Tech
4 min readApr 12, 2024

--

“A dangerous game of combination guesses”

OMG!!!

Eager to know what we are talking about?

It's none other than the under-the-radar threat, the BIN attack!

Let’s stare down the barrel!

Hold on!

Before we tackle the BIN attack head-on, let’s establish a solid foundation!

Bank identification number (BIN)

Bank Identification Number (BIN) is an initial set of 4 to 8 digits, on your credit, debit, and gift cards. It’s also referred to as the Issuer Identification Number (IIN).

Here’s a breakdown of BIN’s role:

Identification:

  • The BIN functions as a unique identifier, akin to a fingerprint, for your card. It distinguishes the financial institution responsible for issuing the card.

Payment Routing:

  • In transactional processes, the BIN plays a pivotal role. The payment system and network utilize the BIN to accurately route the payment to the appropriate financial institution for subsequent processing.

Verification and Completion:

  • Once the payment reaches the issuing institution identified by the BIN, the verification process begins. This might involve checking your account details and available funds. Finally, after everything checks out, the transaction is finalized.

In essence, the BIN acts as one of the entities behind to ensure that the payment goes smoothly. It helps the system identify the right bank, send the payment there, and get the necessary approvals before finalizing the transaction.

Purpose of BIN

Although often overlooked, these numbers carry crucial significance.

  • Primarily, it identifies the issuing bank/financial institution of the card.
  • Verify the location of the cardholder and match it with the individual attempting the payment.
  • Aid in the prevention and detection of financial crimes such as identity theft and unauthorized charges.
  • Act as a crucial tool for banks to safeguard against fraudulent activities.
  • Facilitate seamless reimbursements and reverse charges.

Laid the foundation, let’s head on to the battle!

BIN Attack

In a BIN attack, attackers leverage brute-force techniques. This means they automate the process of trying a vast number of possible combinations for a card number, expiration date, and Card Verification Value (CVV) in the hopes of discovering a valid card. Using botnets, the attackers can test hundreds or thousands of combinations very quickly.

Card Testing

Card testing, also known as carding, is the second step after a successful BIN attack. Once the attacker guesses a valid combination (card number, expiration date, and CVV), they need to verify if the card is active and has funds. They do this by making small test transactions. Often, these small charges are blocked by fraud detection systems without the cardholder’s knowledge. However, if a test transaction goes through, it means the attacker has a valid card they can exploit.

How does this work?

A go-to view:

Fraudster identifies the target bank’s BIN.

Fraudster generates thousands of possible card numbers

Fraudster selects an online shop or donation page.

Fraudster attempts small payments with generated card numbers.

Successful transaction?

↓ No → End (Try another card)

↓ Yes → Store card details for future fraudulent use

Uh oh!

Let’s uncover who’s on the menu!

Party and Impact

On Cardholder

  • They may face losses in terms of both time and money as they continuously engage in follow-ups with banks.
  • There’s a limitation on the threshold for filing disputes from the bank’s side.
  • There’s a potential risk of Account Takeover Fraud (ATO)
  • In the worst-case scenario, attackers could exploit the card for illegal activities, potentially leading to the loss of access to all their bank accounts.

On Banks/Financial institutions

  • Risk of reputational damage, resulting in the loss of cardholders’ trust.
  • There’s a surge in dispute filings from cardholders, adding to operational burdens and potentially straining customer relations further.
  • Increased Operational costs.

On Merchants

  • Risk of being classified as a high-risk merchant.
  • If even a small percentage of transactions (e.g., 5 out of 100) are flagged as BIN attack compliant, the Merchant ID (MID) will be swiftly blacklisted.
  • This blacklist status can lead to a loss of customers.

Ahem!

Doubtful about the gravity of this issue?

Here’s the answer:

The BIN attack alone contributes to a staggering 80% of credit card fraud.

But the BIN attack isn’t the sole threat to watch out for. Yet, its prevalence is soaring due to its relative ease and affordability compared to other fraudulent tactics. With most cardholders oblivious to or inadequately shielded against BIN attacks, it presents a lucrative opportunity for criminals to capitalize on.

To know more about the payment ecosystem, chargeback, and dispute nuances through delightful bytes of information, follow us on LinkedIn, Twitter, Facebook, and Threads.

P.S: What topic do you think we should explore next? Let us know in the comments.

--

--

Backspace Tech
Backspace Tech

Written by Backspace Tech

Backspace Tech offers Fintech-as-a-Service to automate,simplify, and disrupt the payment industry by handling chargeback requests through a plug-and-play model.