Credit Card Testing and BIN Attacks Rise During The Pandemic

Merchants Reporting Fraud Increases Since Covid-19 (1)

According to the Nilson Report, eCommerce fraud reached $28.65 billion worldwide in 2019. America accounts for 33.6% of worldwide losses, making it the country with the most e-commerce fraud in the world. The Covid-19 pandemic has worsened the situation, since many businesses have had to sell their products online and have quickly become targets for fraudsters. The losses are projected to reach $38.5 billion in 2027.

The most common forms of e-commerce fraud are credit card testing and BIN attacks. When an e-commerce website becomes the victim of credit card testing, the merchant potentially has to pay the authorization fees incurred. Credit card testing and BIN attacks are sometimes difficult to spot because fraudsters use automated bots and strike when owners are not actively monitoring their transaction activity.

Why do you need to be aware of credit card testing and BIN attacks?

Imagine that one day you check the transaction activity on your site and see tens to hundreds of thousands of authorizations. ‘Wonderful,’ you think. ‘My plan is working now.’ But when you check the transactions more carefully, you realize that all of them are small and come from one location. You know they are fraudulent.

So, what is credit card testing?

Fraudsters use card testing in an attempt to validate stolen full or partial card data. First, fraudsters turn to the dark web or spyware to purchase or steal card details. However, they cannot determine which cards are still active, so they need to test these card numbers on unsuspecting merchants’ e-commerce websites via checkout pages and payment gateways. Then, with the numbers in hand, they will attempt multiple small purchases on your e-commerce site. Usually, the fraudsters use a bot to automate the process. As a result, many transactions arrive from similar IP addresses within seconds.

Furthermore, fraudsters usually steal cards that have been canceled by banks and cardholders but are still available for use. Once fraudsters identify which cards they can use, they will process more significant transactions or sell that card data on the dark web.

What is a BIN attack?

Fraudsters can use a known BIN (Bank Identification Number) to systematically generate and test the rest of a credit card number. They usually use a bot to make relatively small transactions on quality merchant sites, such as Amazon or eBay, so the activity is not easy to detect or notice. The valid numbers are then used for more significant transactions, which cause losses for merchants and issuers.

Who is at risk?

Credit card testing and BIN attacks usually target small and medium businesses because they do not have or are not aware of the tools and technology to identify these frauds and protect themselves.

Startups and smaller businesses tend to be more vulnerable since they assume that they are too insignificant to hit the radars of the bad guys. Understanding this mindset, fraudsters usually target these types of organizations.

How can businesses protect themselves?

It’s complicated to identify credit card testing and BIN attacks and to protect your business from them. Usually, a business should apply fraud protection technology and gateway solutions together to mitigate potential fraud. However, there are some steps that merchants can take right now to protect their businesses:

  • Perform risk reviews: merchants should implement continuous velocity checks and apply account authentication tools, such as CAPTCHA, to deter malicious activity.
  • Be proactive and identify abnormal transactions early on: merchants should check their daily transactions and inspect them. A significant number of credit card declines is a serious signal that fraudsters are targeting the business. Merchants should therefore use various velocity tools to track both transaction totals and other specific data elements (including IP address, email, etc.).
  • Use fraud protection tools: many tools can help you protect yourself from botnet attacks, such as firewalls, CAPTCHA, device fingerprinting with proxy piercing capabilities, velocity thresholds, anomaly detection, time out of user detection, and guest checkouts.

At IPP, we encourage merchants to use our payment gateways and technology to fight credit card testing, a value-added service that can be enabled via their payment gateway. Contact IPP today to receive a free cost analysis and understand the options you have to protect your business from credit card testing and BIN attacks.