In 2023, $677.5 million was stolen through fraudulent card transactions, according to the Australian Payments Network.
This is a statistic that should alarm every small business owner, and especially those who operate an online shopfront.
Without the right cyber security measures in place, cyber criminals can use your online store as part of their fraud campaign, costing you real payment transaction fees, not to mention the risk to your business reputation.
There are simple steps you can take to help prevent BIN attacks and keep your business cyber-safe.
Firstly, what is a BIN?
This has nothing to do with that little bin you have under the counter for rogue coffee cups and unwanted receipts. This is all to do with Bank Identification Numbers – BINs.
If you have a few different card types from the same bank (an everyday account card and a credit card, for example), you might have noticed the first four or six numbers are the same on both cards. That number is unique to the bank and tells the business you’re spending your money with which bank the card or account is from. We call it the Bank Identification Number or, for short, the BIN.
Every financial institution has its own BIN, and it is printed on every single card they issue. The BIN is followed by a series of further numbers, making up the full card number you type in when you make a purchase online.
Okay, so what is a BIN attack?
A BIN attack is when cyber criminals steal BINs and attempt to generate working cards by guessing the remaining card numbers. To check whether these card numbers are linked to real cards, fraudsters test them on the payment page of your online shop. A successful transaction means they have guessed a winning combination of numbers and can start making more fraudulent transactions.
Although every bank card has sixteen numbers, it can be relatively straightforward and fast for a cyber criminal to cycle through the numbers that follow the BIN until they make enough correct guesses to find live card numbers with accounts attached. Generating thousands of guesses and testing them is fairly easy for a cyber criminal thanks to the help of AI (artificial intelligence) and computer bots.
The cyber criminal might use the working card numbers to make transactions themselves, or on-sell them to other criminals.
Unfortunately, BIN attacks are happening in Australia and they’re increasing year on year. At the end of 2023, the ABC reported on a Melbourne-based business that had over 15,000 attempted transactions through its online shop in just two months.
Why are BIN attacks a risk for my small business?
BIN attacks pose two major risks to a small business.
Firstly, they can be costly. Depending on the contract with your payment gateway you might be charged for each attempted transaction. This expense can multiply quickly if you are hit with a large attack.
Secondly, they can be a serious reputation risk when victims start seeing charges from your store on their credit card statements.
There can be multiple signs of a BIN attack. The things you need to look out for are:
- Lots of low-value transactions that might be unusual for your business
- Notifications that a customer’s card has been declined multiple times
- Use of international cards (i.e. bank cards from countries outside of Australia)
- A spike in transactions (attempted and processed) in a short period of time
- The same card number being used for many transactions
- Strange transaction times outside of your normal customer behaviour, for example at 3am when all of your normal transactions generally take place between 12pm and 11pm
- An unusually significant increase in transaction fees from your bank
Final watch-out
The final thing to watch out for is an unusual spike in customers disputing payments. If a group of customers all notice their cards have been successfully used on your website, they may contact you and/or their bank to dispute the payment as fraudulent and process a refund or chargeback.
This means you’ll have to deal with both the BIN attack and the time and money spent dealing with each individual customer.
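The warning signs above can be checked automatically against the attempt log your payment gateway or shop platform exports. The following Python script is an added example, not code from the original article: it runs over a constructed sample of masked gateway records, counts each sign, and reports which ones crossed a hypothetical threshold. The field layout, the thresholds and the normal trading hours of 12pm to 11pm are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of one store's payment-gateway attempts (not real data). Fields: timestamp,
# masked card number (first six digits are the BIN), amount in AUD, issuing country, result.
SAMPLE_LOG = """\
2024-03-01T14:12:40,453201******1234,89.95,AU,approved
2024-03-02T03:01:05,453201******0001,1.00,AU,declined
2024-03-02T03:01:09,453201******0002,1.00,AU,declined
2024-03-02T03:01:14,453201******0003,1.00,AU,declined
2024-03-02T03:01:20,453201******0004,1.00,AU,approved
2024-03-02T03:01:26,453201******0004,1.00,AU,approved
2024-03-02T03:01:31,401288******0005,1.00,US,declined
2024-03-02T03:01:37,401288******0006,1.00,US,declined
2024-03-02T03:01:57,453201******0004,1.00,AU,approved
"""
# Hypothetical thresholds for a small store; tune them to your own normal traffic.
THRESHOLDS = {"declined": 5, "low_value": 5, "international": 2, "off_hours": 5,
              "same_card_max": 3, "same_bin_max": 5, "spike_max": 8}
def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, pan, amount, country, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "pan": pan, "bin": pan[:6],
                     "amount": float(amount), "country": country, "result": result})
    return rows
def max_in_window(times, window):
    # Largest number of attempts inside any single time window (sliding two-pointer scan).
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best
def analyse(rows, normal_hours=(12, 23), low_value=5.0, window=timedelta(minutes=10)):
    # Count each warning sign from the article across all attempts.
    return {
        "attempts": len(rows),
        "declined": sum(r["result"] == "declined" for r in rows),
        "low_value": sum(r["amount"] < low_value for r in rows),
        "international": sum(r["country"] != "AU" for r in rows),
        "off_hours": sum(not (normal_hours[0] <= r["ts"].hour <= normal_hours[1]) for r in rows),
        "same_card_max": max(Counter(r["pan"] for r in rows).values()),
        "same_bin_max": max(Counter(r["bin"] for r in rows).values()),
        "spike_max": max_in_window([r["ts"] for r in rows], window),
    }
def triggered_signals(stats, thresholds=THRESHOLDS):
    # Warning signs whose count reached its threshold; several at once points to a BIN attack.
    return [name for name, limit in thresholds.items() if stats[name] >= limit]
```

Run `triggered_signals(analyse(parse_log(SAMPLE_LOG)))` and every sign fires on the constructed burst, while the single genuine daytime purchase on its own fires none.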
What makes my business vulnerable to this type of attack? How can I prevent it?
Any small business with an online presence that accepts payments over the internet is ultimately at risk.
The best thing you can do is to set yourself up with a payment processor that can identify these types of attacks.
When you’re searching for this type of service for your online shop, make sure to read through what they offer in regard to fraud prevention.
Some processors may offer multiple additional layers of protection, such as requiring a customer to type in a CAPTCHA, 3D Secure and a ‘rate limit’, that you can easily implement on your website.
Check transactions are real and not from robots
This means a genuine customer can make their purchase but a scammer using software to test various credit card numbers may not be able to get through. Adding a CAPTCHA is one way to do this.
Limit transactions and set alarms for large transaction volumes
A rate limit restricts the number of new customers that can be created from a single internet address in one day. If you’re a small business where a customer only places one or two orders, a rate limit is a sensible option and won’t impact your genuine customers. What it will do is ensure a scammer can’t process hundreds or thousands of purchases through your website.
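One way a shop could implement the rate limit and volume alarm described here, as an added Python example rather than code from the article: it caps checkout attempts per internet address per calendar day and raises one alarm when store-wide attempts in a short window reach a threshold. The limits, the window and the addresses in the constructed traffic are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical limits for a small store where a genuine customer places only one or two orders.
PER_IP_DAILY_LIMIT = 3            # checkout attempts allowed from one internet address per day
ALARM_ATTEMPTS = 20               # store-wide attempts inside ALARM_WINDOW that should alert the owner
ALARM_WINDOW = timedelta(minutes=15)

class CheckoutGate:
    def __init__(self, per_ip_limit=PER_IP_DAILY_LIMIT,
                 alarm_attempts=ALARM_ATTEMPTS, alarm_window=ALARM_WINDOW):
        self.per_ip_limit = per_ip_limit
        self.alarm_attempts = alarm_attempts
        self.alarm_window = alarm_window
        self.per_ip_day = defaultdict(int)   # (ip, date) -> attempts seen so far that day
        self.recent = []                      # timestamps of every attempt inside the alarm window
        self.alarms = []                      # times at which the volume alarm fired

    def attempt(self, ip, now):
        # Record one checkout attempt and decide whether it may reach the payment gateway.
        key = (ip, now.date())
        self.per_ip_day[key] += 1
        # Denied attempts still count toward the alarm: they are what reveals an attack in progress.
        self.recent = [t for t in self.recent if now - t <= self.alarm_window] + [now]
        if len(self.recent) == self.alarm_attempts:
            self.alarms.append(now)
        return "deny" if self.per_ip_day[key] > self.per_ip_limit else "allow"

def simulate():
    # Constructed traffic: a script hammering checkout from one address, then a genuine customer,
    # then the same address again the next day once its daily count has reset.
    gate = CheckoutGate()
    start = datetime(2024, 3, 2, 3, 1, 0)
    bot = [gate.attempt("203.0.113.9", start + timedelta(seconds=5 * i)) for i in range(25)]
    customer = gate.attempt("198.51.100.7", start + timedelta(hours=11))
    next_day = gate.attempt("203.0.113.9", start + timedelta(days=1))
    return {"bot_allowed": bot.count("allow"), "bot_denied": bot.count("deny"),
            "customer": customer, "next_day": next_day, "alarms": len(gate.alarms)}
```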
Turn on a virtual alarm for online payments
Are you familiar with multi-factor authentication for your online accounts? When you try to log in, you might have to enter a code or one-time password to double check it’s you. Businesses can do the same for online payments! Its official name is 3D Secure (3DS), but it works quite simply: when someone tries to charge a customer’s card, the customer has to verify that they are the one making the payment. Think of it like turning on a virtual alarm for online payments.
How do I stop a BIN attack? Who do I report this to?
- If the attack is ongoing, consider closing your online shop temporarily.
- Contact your bank’s fraud team immediately. They will advise you on next steps.
- Contact your payment processor (if it’s separate to your bank).
- Report the BIN attack to the police and the National Anti-Scams Centre by making a single report at ScamWatch.
Help protect your small business from scams and hackers with free and simple cyber security training