Dec 12, 2023
A little more than a year ago, an accountant in Fairlawn, New Jersey, experienced a rude awakening. Fraudsters targeted his website, running nearly 85,000 card transactions through his payment provider in just 15 minutes using a brute force method called an enumeration, or BIN, attack. Simply put, fraudsters were guessing card numbers, slamming them into his website, and seeing if any came back as real cards. The accountant wasn’t even the target of the attack–he was simply a mechanism that these fraudsters were using to fish for real card numbers and their associated expiration dates. BIN attacks are on the rise, but fraudulent purchases are not the only, or even the biggest, threat. It’s the hidden costs that most issuers and card program managers don’t even know they’re bearing.
Harvesters and Users: What is a BIN Attack?
There are two stages to every one of these attacks: harvesting and using. During a card harvesting enumeration attack, a fraudster finds an online merchant like our accountant friend in Fairlawn with less than perfect security that can be compromised. Then, thousands (or more) transactions with randomly generated card numbers are run through the site as quickly as possible. As mentioned earlier, during harvesting the merchant is being used as an unwitting accomplice in an attempt to find real cards and associated info. The relatively few card numbers that are harvested are typically sold on the dark web to users who then utilize them to order goods and services online, or to run them through fraudulent merchants they’ve set up to simply pocket the cash and run before the transactions are disputed and, potentially, law enforcement gets involved.
In the early days of ecommerce, BIN attacks were typically performed on cards where the card number and expiration date were known, but the 3-digit CVV2 was not. With only a thousand possible combinations, and online fraud controls only in their infancy, it didn’t take much to get a full set of card information. With the advent of more sophisticated processes and technology to combat fraud (matching billing and shipping addresses, same-card velocity controls, etc.), BIN attacks waned, but recently there has been a massive resurgence. What’s changed?
Digital Gaming and Marketplaces: The Unlikely Dens of Modern Card Fraud
One doesn’t have to look very far to know that the digital world has massively changed over the last decade. Whereas computer games used to be the domain of the geekier among us (I include myself in that group), now almost everyone has an iPad or phone in their hands with a multitude of games on it–games that charge for goods and gadgets at prices as low as $.99 per purchase. Fraud fighters used to ignore such purchases: “I don’t care about ninety-nine cents, I care about ninety-nine dollars.” Yet, it’s precisely the low average ticket size combined with digital delivery that makes this arena so enticing for fraudsters–that, and the fact that last year, 3.26 billion people worldwide played video games, and in the U.S. alone, consumers spent $55.5B in the space. When you hit those kinds of numbers in a relatively new space, fraudsters take notice.
Transaction Size Matters: Why Low-Dollar Transactions are So Enticing to Fraudsters
Getting card information is only valuable if you can monetize it. Go back 10 years, and trying to monetize a stolen card $.99 at a time was not lucrative. It took a lot to get a full card number, expiration date and CVV2, and every transaction was a chance to get caught. Now, some digital merchants no longer ask for a CVV2 in order to speed the transactions through. Those merchants lose chargeback rights, so if any issuer disputes a transaction, they would have to repay it. But every dispute/chargeback costs double-digit dollars, so issuers simply write off low-dollar fraud. The badly-behaved games and marketplaces boost their sales, give fraudsters an avenue to milk card issuers, and don’t have to pay the price.
Hidden Fraud: Where it Really Hurts
Now that some modern harvesters are no longer looking for CVV2s and only need card numbers and expiration dates, they just need to take educated guesses–a lot of educated guesses–and come out the other side with a handful of valid account information. For a card issuer or program manager, the fraud that is perpetrated with that account information is bad enough, but that’s not where the real cost is. Each of those guesses comes with a network cost and a processor cost. When you consider that for each card number harvested, there are thousands of invalid attempts trying to guess, the issuer or program manager is paying many times the actual fraud cost in fishing attempts associated with it. That ninety-nine cent transaction could actually represent ninety-nine dollars in cost–and issuers don’t even know they’re paying it.
Why is This Type of Fraud So Hard to Fight?
Once they have card numbers and expiration dates, fraudsters employ a variety of strategies to avoid being detected. It’s a simple equation: the longer they can go, the more money they can take. In some cases, they will go fast, draining as many cards as possible as quickly as possible. In others, they slow-roll–many customers won’t even call to dispute a single $.99 transaction. It’s hard to catch them all–and you’ll never stop all fraud attacks, but you can minimize them. It takes a combination of intelligent systems and know-how.
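As an added example (not code from the original post or from Qolo’s systems), here is the kind of issuer-side check the harvesting story and the “Hidden Fraud” section describe: a sliding window over constructed authorization records that flags a merchant suddenly submitting a burst of attempts that are almost all declined as invalid card numbers, plus the per-guess cost accounting behind the ninety-nine-cents-versus-ninety-nine-dollars point. The merchant names, the 999999 BIN, the response codes used and the per-attempt fee are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log: (merchant, timestamp, PAN, response code).
# Assumed codes: "00" = approved, "14" = invalid card number (what a guessed PAN returns).
def make_sample_log():
    base = datetime(2023, 12, 12, 10, 0, 0)
    log = []
    # Compromised merchant: 200 attempts in about 5 minutes, 4 of them hit live cards.
    for i in range(200):
        resp = "00" if i % 50 == 0 else "14"
        log.append(("ACCT-FAIRLAWN", base + timedelta(seconds=1.5 * i), f"999999{i:010d}", resp))
    # Normal merchant: 30 approvals spread over an hour.
    for i in range(30):
        log.append(("COFFEE-SHOP", base + timedelta(minutes=2 * i), f"999999{5000 + i:010d}", "00"))
    return log

def find_enumeration_bursts(log, window=timedelta(minutes=15),
                            min_attempts=100, min_invalid_ratio=0.9):
    """Per merchant, slide a time window over its attempts and report the largest
    window whose volume is high and whose attempts are almost all invalid-card declines."""
    by_merchant = defaultdict(list)
    for merchant, ts, pan, resp in log:
        by_merchant[merchant].append((ts, pan, resp))
    flagged = {}
    for merchant, rows in by_merchant.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            invalid = sum(1 for _, _, r in span if r == "14")
            if len(span) >= min_attempts and invalid / len(span) >= min_invalid_ratio:
                if len(span) > flagged.get(merchant, {}).get("attempts", 0):
                    flagged[merchant] = {"attempts": len(span), "invalid": invalid,
                                         "bins": sorted({p[:6] for _, p, _ in span})}
    return flagged

def hidden_cost(attempts, harvested, ticket=0.99, per_attempt_fee=0.05):
    """Face value of the fraud the harvested cards enable versus what the issuer pays
    (assumed placeholder network + processor fee) for every guess, valid or not."""
    return {"fraud_face_value": round(harvested * ticket, 2),
            "guess_cost": round(attempts * per_attempt_fee, 2)}

if __name__ == "__main__":
    hits = find_enumeration_bursts(make_sample_log())
    for m, info in hits.items():
        print(m, info, hidden_cost(info["attempts"], info["attempts"] - info["invalid"]))
```

Even with the assumed nickel-per-attempt fee, the guesses cost the issuer more than twice the face value of the fraud they enabled; at the 85,000-attempt scale in the opening story the ratio is far worse.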
The team at Qolo has built a number of fraud detection and prevention systems over the years, and we’ve put our knowledge to use building systems to combat this new type of fraud. The digital world is changing, and fraud prevention needs to change with it.