PaySia Help Center

Advice and answers from the PaySia team
Other content
Latin American Market and Opportunities
Emerging markets are rising
Paysia helps the adult industry grow
Shopping Cart Integration Solutions
Chargeback Alert and Prevention Solutions
High-Risk Merchant Account Solutions
Comprehensive POS and Point of Sale Solution
ACH Check Payment Solution
Efficient and Secure Subscription Billing Solution
A Secure and Flexible Online Payment Solution for Global Merchants
How to connect your shopify store with paysia
First login to merchant account
Why is the registered address of the company rejected?
What is merchant underwriting?
Can a new company apply for PaySia?
How long does it take to apply for PaySia?
What do I need to prepare for applying for a PaySia account?
How do I get a PaySia account?
What is PaySia?
What Is Card Testing?
Help Center / 
Resources
 / 
What Is a BIN Attack?
Anti-fraud

What Is a BIN Attack?

The fraudster generates a large number of card numbers based on the card’s BIN, and use them to attempt purchases in hopes that some will go through.
Kerry Rice
Nov 19, 2022

What Is a BIN Attack?

The BIN, or the Bank Identification Number, is the first six digits on a credit card. These are always tied to its issuing institution – usually a bank. In a BIN attack, fraudsters use these six numbers to algorithmically try to generate all the other legitimate numbers, in the hopes of generating a usable card number.  

They then use them at various merchants to filter that list down to, essentially, whatever works. A brute force type of attack, it typically involves a large number of small transactions – as is typical in card testing.

These small transactions show up as various types of declines before they ultimately find any correct combinations – and potentially use them to discover even more. Because they only use card numbers, BIN attacks constitute card not present fraud.

How Does a BIN Attack Work?

Fraudsters conduct BIN attacks by generating hundreds of thousands of possible credit card numbers and testing them out.

  1. A fraudster looks up the BIN of the bank they will target. Ranging from four to six digits, this information is in the public domain and is thus easy to source.
  2. Using dedicated software such as an auto-dialer, they generate thousands, often tens of thousands, combinations of possible existing card numbers by this issuer.
  3. At this point, these credentials need to be tested. The fraudster identifies a suitable online shop or donation page.
  4. They start card testing by attempting a small payment with each generated card number.
  5. They keep track of the small percentage of card details that worked, which they are ready to use in earnest for their fraudulent pursuits.

Remember that the fraudster will start off with only six digits, yet there are many more card details required for a successful transaction. If those are entered erroneously, the transaction will decline.

This includes the CVV number, the expiration date, as well as likely address verification service (AVS) failures. Card testing transactions are executed remotely in a fast fashion, so distance checks should also be a hint as well as velocity alerts.

Fraudsters may use bad merchant accounts directly for this purpose, or more frequently involve multiple online stores and services during a BIN attack, as their attempts keep getting blocked at most outlets.

Who Does BIN Attack Fraud Target?

BIN attack frauds harm every single party that’s involved in a transaction, except the criminal. More specifically:

  1. Banking institutions: Successful BIN attacks can cost banks and other card issuers in funds, resources and reputation.
  2. Ecommerce merchants: Online shops and service providers also have a lot to lose from becoming the target of BIN attacks, including causing:
  3. Bank partnership issues as the bank identifies your store as one where cards are being tested and might choose not to work with you down the line.
  4. Reputational issues as the legitimate cardholder will see your shop’s name on their statement and associate it with fraud.
  5. Chargebacks: Depending on the particulars of the incident(s), you might have to pay the chargebacks out of pocket, instead of the card issuer.
  6. Payment gateways: Gateways involved in successful BIN attacks suffer reputational and possible financial damage, since they are expected to check various data points that would normally prevent BIN attacks from being successful. If you fail to catch such fairly rudimentary brute force attacks as a gateway, this is likely to be viewed by your partners and potential partners as evidence that you are not doing your job well.
  7. Customers: Any customer whose credit or debit card details are unfortunately involved in BIN attack fraud will have to first notice it and then spend time and effort informing the bank and going through the motions to get their money back. Contrary to some other types of fraud, such as card skimming, this is a type of attack which the cardholder has absolutely no control over, no matter how careful they are. As such, it can be even more frustrating.

How to Avoid BIN Attack Fraud

Depending on where you are in the payment landscape, a BIN attack will affect you differently.

Generally speaking, it’s a good idea to set up rules based on typical card testing behavior, including:

  • setting up blocks for card issuer and GeoIP differences
  • applying velocity checks on small transactions
  • flagging multitudes of declines as high risk

Like in all card testing schemes, BIN attackers will look for small transactions that are quick to confirm and if you offer anything of that type as a merchant, you are at higher risk of being exposed to a BIN attack.

However, most anti-fraud rules and practices will cover BIN attacks in one way or another. And, in this type of fraud, even if the criminal has the correct card combination, they still won’t know the cardholder’s name or billing address, as well as several other frequently requested bits of information.

Yet, one should remember that with time, online fraud becomes ever more sophisticated; it’s rightly been described as a cat and mouse game between fraudsters and fraud-fighting specialists.

Even if BIN attack fraud in particular is fairly easy to catch, online merchants and everyone who might accept card-not-present payments are well-advised to implement appropriate levels of fraud detection and prevention.

We work with dozens of Acquirer/PSP around the world to provide merchants with the best payment solutions.
All "logo" are trademarks owned or registered by the company behind them and may not be used without permission
PRODUCTS
Global PaymentShopping linkBillingPayment Method
INDUSTRY
E-commerceLogistics ExpressGovernmentInsuranceLocal lifeMedical Healthy
COMPANY
About usContact usCareers
RESOURCES
Help CenterAPI Portal NMBlogTerms & Policy
For the US: nib co is a Money Services Business (MSB) registered with the United States Financial Crimes Enforcement Agency (FinCen).For the HK: Wise international co limited is a technology company registered in HK.© Paysia is the website brand name of nib co and Wise international co limited.
Money Services BusinessFinCenMoney Transmitter