By Nicole Reyes, Director of Fraud Prevention, CO-OP Financial Services
When it comes to preventing card fraud, issuers need all the help they can get. Fortunately, credit unions have access to a variety of tools, resources and expertise in their fight against fraudsters’ ever-changing tactics, including “brute force” BIN attacks.
Card not present (CNP) fraud is the dominant type of payment fraud CO-OP is seeing among our credit union partners’ portfolios, comprising over 80% of fraud incidents across both debit and credit.
CO-OP credit unions are not alone. CNP fraud activity has rapidly increased and shifted industry-wide since the start of the pandemic. According to reporting from the FTC, credit card fraud has more than doubled from the first quarter of 2019 to the second quarter of 2021, after growing by just 27% between the first quarters of 2017 and 2019.
One key contributor to this rise has been the increasingly bold use of BIN attacks, one of the most common types of CNP fraud.
What are BIN attacks?
The first six digits of a credit or debit card number are collectively known as the Bank Identification Number (BIN), which is unique to a single issuer. In a BIN attack, a fraudster employs a sophisticated software program to target an entire BIN. The software randomly generates the remaining digits in various combinations, and then makes small online transactions to identify those account numbers associated with real, active cards. This randomized, sledgehammer approach is why BIN attacks are also known as “brute force” attacks.
The fraudsters often deploy a software algorithm to perform test runs on a single merchant at high velocity—as many as 5,000 attempts in just a few hours. The algorithm typically uses the same purchase amounts, expiration dates and CVV codes in various combinations.
Once the software hits upon a successful transaction, indicating that the randomized account number is associated with a valid card, the fraudster will attempt to rapidly use the card number at one or more online merchants, usually for larger amounts.
Why are BIN attacks so concerning?
BIN attacks are causing major headaches for issuers.
According to Rippleshot, “Financial institutions must absorb the cost of fraudulent charges from BIN attacks—both financially and in terms of operating and business costs. Financial institutions suffer fraud losses from compromised cards harvested during BIN attacks as well as the costs of chargebacks, call centers, and re-issuance. Furthermore, fraud damages a financial institution’s reputation, causes cardholder disruption and inconvenience, and losses in interchange revenues.”
Effective mitigation and prevention of such attacks can be expensive and resource intensive. Once an attack is identified, issuers must be able to access and analyze reams of transactional data, isolating critical details such as date, time, location, merchant codes and IP addresses in order to prevent further attacks on the BIN and minimize losses.
What can CUs do to prevent BIN attacks?
Fortunately, credit unions do have a few tools at their disposal to combat the rising threat of BIN attacks.
It starts with making it harder for the fraudsters to conduct their brute force attacks.
BIN attack software algorithms are designed to seek out patterns. By randomizing account numbers at issuance, it becomes more difficult for software programs to recognize such patterns and identify active accounts, even if a single account is successfully compromised.
Similarly, randomizing or staggering expiration date issuance makes it harder for fraudsters to match real account numbers with their associated expiration dates to complete an approved transaction.
Among proactive measures your credit union can take to prevent or limit damage from BIN attacks and other card fraud, we recommend enabling 3D Secure with one-time passcode (OTP), which provides an additional layer of security for online card transactions.
Active monitoring of trends, such as card transaction denials, is also crucial. Keep a sharp eye on any increases in denials due to invalid expiration dates or CVV codes within a short period of time. CVV codes are randomly generated and thus tend to be harder for software programs to identify, so any rapid increase in CVV code denials is indicative of a likely BIN attack.
You may also consider setting transaction limits on activity generated from certain foreign countries, as many BIN attacks come from outside the U.S. Similarly, you may wish to consider implementing a card rule to block transactions from identified fraudulent merchants.
Also, set up a rule to monitor transaction velocity per hour from legitimate merchants, and be prepared to block transactions when a defined threshold is reached, to provide time to investigate and minimize potential fraud losses.
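The denial-trend and hourly velocity monitoring described above can be expressed as a sliding-window check over authorization records. This is an added example, not CO-OP code; the record layout, reason codes, thresholds, placeholder BIN and sample data are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_ATTEMPTS = 20            # assumed hourly velocity threshold per merchant and BIN
MAX_VERIFY_DECLINES = 10     # assumed threshold for CVV / expiration-date denials
VERIFY_REASONS = {"INVALID_CVV", "INVALID_EXPIRY"}   # hypothetical reason codes

def detect_bin_attacks(auths):
    """Return {(merchant, bin): time of first alert} using a sliding one-hour window."""
    windows, alerts = defaultdict(deque), {}
    for ts, merchant, bin6, card, reason in sorted(auths, key=lambda a: a[0]):
        key = (merchant, bin6)
        win = windows[key]
        win.append((ts, card, reason))
        while ts - win[0][0] > WINDOW:        # drop events older than the window
            win.popleft()
        attempts = len(win)
        verify_declines = sum(1 for _, _, r in win if r in VERIFY_REASONS)
        distinct_cards = len({c for _, c, _ in win})
        # Enumeration touches many card numbers; one member retrying a typo does not.
        enumerating = distinct_cards * 2 >= attempts
        over = attempts >= MAX_ATTEMPTS or verify_declines >= MAX_VERIFY_DECLINES
        if over and enumerating and key not in alerts:
            alerts[key] = ts
    return alerts

def sample_auths():
    """Constructed authorization records: (time, merchant, BIN, card token, result)."""
    t0 = datetime(2022, 1, 10, 2, 0, 0)
    rows = []
    for i in range(30):   # burst: a new card number every 20 seconds at one merchant
        reason = "APPROVED" if i == 25 else ("INVALID_CVV", "INVALID_EXPIRY")[i % 2]
        rows.append((t0 + timedelta(seconds=20 * i), "M-TEST-SHOP", "999999", f"card-{i}", reason))
    for i in range(12):   # one member mistyping a CVV repeatedly
        rows.append((t0 + timedelta(minutes=i), "M-STREAM", "999999", "card-A", "INVALID_CVV"))
    for i in range(8):    # ordinary approved purchases spread over four hours
        rows.append((t0 + timedelta(minutes=30 * i), "M-GROCER", "999999", f"card-g{i}", "APPROVED"))
    return rows

if __name__ == "__main__":
    for (merchant, bin6), when in detect_bin_attacks(sample_auths()).items():
        print(f"ALERT {merchant} BIN {bin6} at {when:%H:%M:%S}")
```

The distinct-card check keeps a single member's repeated CVV typos from raising an alert, while the burst across many card numbers alerts as soon as CVV and expiration-date denials cross the threshold.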
Lastly, as with all types of fraud, member education is critical. Deputize your cardholders as members of your fraud prevention team, and regularly communicate the importance of security measures like OTP to help protect them.
When it comes to preventing BIN attacks, it’s all hands on deck. Credit unions need to make the most of all the resources at their disposal to stem the rising tide of fraud.
CO-OP is excited to introduce COOPER Fraud Score, a dynamic, integrated, real-time machine learning score that increases accuracy to help your credit union react more quickly to fraud trends. COOPER Fraud Score supports the credit union’s bottom line by helping to reduce false positive ratios, fraud chargebacks, and fraud losses. To learn more about CO-OP’s fraud prevention solutions, including integrated scoring and decisioning, visit: co-opfs.org/Solutions/Protect/Integrated-Scoring-and-Decisioning