Blog | Merchant Processing News: Pinpoint Payments

Protecting Your Business from BIN Attacks and Credit Card Fraud

Written by Nico Ruggieri | Jul 6, 2021 3:38:10 PM

If you see a customer mess up a CVV code a few times, it's not a big deal. They looked in the wrong place on the card or hit the wrong key. It happens. But when it happens repeatedly and across multiple cards, it could be a very big deal, especially if the transactions are for small amounts at an unusual time for your business.

These are classic signs of credit card testing or a BIN attack, both of which are bad news for your eCommerce business. Unfortunately, they’re random, widespread, and growing. Card issuers have noted a significant resurgence of this activity in recent months. Fortunately, there are things you can do to protect your company, especially if you’re aware and on the lookout.

With a BIN attack, fraudsters have stolen or illegally purchased a list of partial credit card numbers. They have just the first six digits of the card number, the Bank Identification Number (BIN) that identifies the issuing bank, and they are working to figure out the rest. Credit card testing is similar, but in these situations the criminals already have full card numbers and are checking which ones still work.

In either case, they’re working fast to figure out which cards are still active and can be used before the legitimate owners realize their card details have been stolen and shut the cards down. They do this by running small transactions against unsuspecting merchants and those who are easy targets. Keep in mind, they’re not doing this by hand. It’s not like in the movies, where somebody sits in a dark room typing away frantically. They’ve got software and bots churning through the numbers, which is why these are sometimes referred to as “brute force attacks”, with good reason. The fraudsters can be in and out, and using the cards for real purchases, long before a merchant even realizes there’s a problem.

The real issues begin for the merchant once the bank has caught up with what’s going on. Even though it’s not your fault, you can still be penalized. In extreme cases, the bank may shut down the account of a merchant who has been attacked, either temporarily or permanently depending on the damage incurred. The merchant is also on the hook for refunding any funds that originated from the stolen cards. It’s generally small amounts we're talking about, but there’s still the hassle of cleaning up the mess. Reconciliation, projections, and other reporting may be thrown off by the increase in false sales, so it’s important to make sure your entire team is aware of the situation and you navigate accordingly.

The warning signs to watch out for include:

  • Multiple low dollar value transactions, generally less than $1. These are just tests to see if the card will work. The big purchases will be made later.
  • Multiple declines, often within seconds. The bots just keep churning through numbers.
  • An unusually large number of transactions processed or attempted in a short period of time.
  • The repeated use of a card number with variations in security features such as an expiration date, security code, or postal code.
  • A large number of transactions at an unusual time for the business.
  • Multiple transactions coming from the same IP address.

It’s good to know the warning signs and be ready to jump in if you see a problem, but there are some things you can do to discourage crooks. Keep in mind, they’re looking for an easy hit. If they think they won’t get far with you, they’ll move on.

You could turn the checkout process into a fortress, but that puts you at risk of damaging conversions or losing legitimate customers altogether who may become frustrated with the new extra steps. Think about that guy making a purchase on the go. He’s getting on an elevator or heading to the subway. If the internet or connection cuts out, a few seconds can make the difference between a successful sale and a lost customer. 

So, you want to keep the checkout process as frictionless as possible, but add in enough protection to discourage fraud. Some things to consider:

Have the form reset after a failed attempt. It doesn’t take long to refill it, but long enough if you’re trying to run thousands of cards. 

Use a CAPTCHA to separate human shoppers from bots. Be cautious with this, however, as it complicates the checkout process and can lead to losing legitimate customers. Testing the impact on conversions is encouraged on this one.

Add velocity monitoring. These types of tools raise an alert when there are multiple attempts in a short amount of time from the same IP address or against the same card number. They work behind the scenes and won’t affect conversions upfront.

Limit the number of attempts from a single IP address. Allow for a few tries in case a legitimate customer makes a mistake on their entry or has a card rejected. But three to five attempts should be enough. Anything more than that should create a red flag.
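To make the warning signs above and the velocity and attempt-limit suggestions concrete, here is an added example of a minimal velocity monitor. It is illustrative code written for this page, not Pinpoint Payments' product or any processor's API. The thresholds (a 60-second window, five attempts per IP, three events of one kind per window, 08:00 to 22:00 as the shop's normal hours) and the sample attempt log are constructed assumptions; tune them against your own baselines.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# All thresholds are assumptions for this example; tune them to your own baselines.
WINDOW = timedelta(seconds=60)   # sliding window for the velocity rules
MAX_ATTEMPTS_PER_IP = 5          # the post suggests three to five tries per IP
MICRO_AMOUNT = 1.00              # "generally less than $1" test charges
BURST = 3                        # events of one kind inside WINDOW that raise an alert
BUSINESS_HOURS = range(8, 22)    # assumed baseline: this shop is quiet outside 08:00-22:00


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    pan: str        # card number; constructed test values only
    amount: float
    cvv: str
    expiry: str
    postal: str
    approved: bool


class VelocityMonitor:
    """Tracks recent checkout attempts and flags the warning signs from the post.

    Attempts must be fed in time order: every deque is trimmed relative to the
    newest timestamp, so out-of-order input would expire events too early.
    """

    def __init__(self):
        self.ip_times = defaultdict(deque)     # ip -> timestamps inside WINDOW
        self.pan_variants = defaultdict(set)   # pan -> {(cvv, expiry, postal)} seen
        self.declines = deque()                # timestamps of declined attempts
        self.micro = deque()                   # timestamps of sub-$1 attempts
        self.all_times = deque()               # timestamps of every attempt

    @staticmethod
    def _trim(dq, now):
        while dq and now - dq[0] > WINDOW:
            dq.popleft()

    def process(self, a: Attempt):
        """Returns ('allow' | 'block', [alert strings]). Blocked attempts still count."""
        alerts = []

        # Rule 1: per-IP attempt limit. Exceeding it both blocks and alerts.
        ip_dq = self.ip_times[a.ip]
        ip_dq.append(a.ts)
        self._trim(ip_dq, a.ts)
        decision = "allow"
        if len(ip_dq) > MAX_ATTEMPTS_PER_IP:
            decision = "block"
            alerts.append(f"ip-velocity:{a.ip}")

        # Rule 2: same card number retried with different CVV / expiry / postal code.
        # Two variants can be an honest typo; BURST distinct variants is card testing.
        variants = self.pan_variants[a.pan]
        variants.add((a.cvv, a.expiry, a.postal))
        if len(variants) >= BURST:
            alerts.append(f"card-variation:{a.pan[-4:]}")

        # Rule 3: a burst of declines inside the window.
        if not a.approved:
            self.declines.append(a.ts)
        self._trim(self.declines, a.ts)
        if len(self.declines) >= BURST:
            alerts.append("decline-burst")

        # Rule 4: a burst of sub-$1 "test" charges inside the window.
        if a.amount < MICRO_AMOUNT:
            self.micro.append(a.ts)
        self._trim(self.micro, a.ts)
        if len(self.micro) >= BURST:
            alerts.append("micro-amount-burst")

        # Rule 5: unusual volume at an unusual time for the business.
        self.all_times.append(a.ts)
        self._trim(self.all_times, a.ts)
        if a.ts.hour not in BUSINESS_HOURS and len(self.all_times) >= BURST:
            alerts.append("off-hours-burst")

        return decision, alerts


def run(attempts):
    """Replays a time-ordered attempt log; returns per-attempt decisions and all alerts seen."""
    mon = VelocityMonitor()
    decisions, seen = [], set()
    for a in attempts:
        decision, alerts = mon.process(a)
        decisions.append(decision)
        seen.update(alerts)
    return decisions, seen


def _t(day, hhmmss):
    return datetime(2021, 7, day, *map(int, hhmmss.split(":")))


# Constructed sample log (not real traffic), in time order. 203.0.113.10 is an honest
# shopper who mistypes the CVV once in the afternoon; 198.51.100.7 is a bot at 3 a.m.
# churning through card numbers that share the BIN 411111 with 50-cent charges.
SAMPLE = [
    Attempt(_t(6, "14:02:10"), "203.0.113.10", "4111111111111111", 49.99, "123", "12/24", "10001", False),
    Attempt(_t(6, "14:02:35"), "203.0.113.10", "4111111111111111", 49.99, "321", "12/24", "10001", True),
]
SAMPLE += [
    Attempt(_t(7, f"03:10:{2 * i:02d}"), "198.51.100.7", f"4111110000000{i:03d}", 0.50,
            f"{i:03d}", "11/23", "90210", False)
    for i in range(6)
]
SAMPLE += [  # the bot retries the last card with new CVV and expiry values
    Attempt(_t(7, "03:10:12"), "198.51.100.7", "4111110000000005", 0.50, "777", "01/25", "90210", False),
    Attempt(_t(7, "03:10:14"), "198.51.100.7", "4111110000000005", 0.50, "888", "02/26", "90210", False),
]

if __name__ == "__main__":
    for decision, alerts in zip(run(SAMPLE)[0], (VelocityMonitor().process(a)[1] for a in SAMPLE)):
        pass
    print(run(SAMPLE))
```

Replaying `SAMPLE` lets the honest shopper through with no alerts, while the bot trips the decline, micro-amount and off-hours rules on its third attempt, is blocked by the per-IP limit from its sixth attempt onward, and raises the card-variation alert once the same card has been tried with three different CVV/expiry combinations. In production the per-card rule should key on a token or hash rather than the raw PAN, and the alerts would feed your monitoring rather than a print.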

A big part of protecting yourself is understanding and monitoring your business so you know what to expect. Keep an eye on your numbers, like daily sales volumes, peak shopping times, or other figures that help you establish your business baselines. That way, when you spot an anomaly, you’ll know more quickly that there’s a problem.