A recent fraud and security alert from Allied Solutions highlighted an emerging brute-force attack occurring on FIs nationwide due to card BIN numbers being issued in sequential order. Cyber criminals have determined that cards issued in sequential order are an easy entry point for brute-force attacks where fraudsters can steal card payment data. As reported in this alert, one financial institution stated a recent attack resulted in over $100,000 in losses. Here are the details to help your bank or credit union avoid this same fate!
How Does a Brute-Force Fraud Attack Work?
A brute-force attack is when a fraudster uses an auto-dialer to try to get the card numbers issued within your BIN. You will see attempted authorizations on card numbers not yet issued. These attempts will typically be on one merchant as they test cards to try to get authorizations. With a card number, fraudsters can perform unlimited guesses to find the card expiration date and other security layers to make the card usable. This impacts all card types including credit, debit, EMV or non-EMV, consumer or business accounts.
How to Get Ahead of Brute-Force Attacks
First, the critical action to avoid this issue is to find out if the card numbers in each BIN are being issued in sequential order or not. If they are not, you are still in good shape as there should be enough variation in the BIN numbers to make it too difficult for fraudsters to find an easy point of entry. If they are being issued in sequential order, have that stopped immediately. This is your critical first step.
Next, reach out to your card vendors and processors and alert them to your concerns so they can look for, and report back on, any significant increase in the number of denials from one or multiple merchants within a short time frame. Pay special attention to response code 077. This code means a card number has not yet been issued, but there are attempts to use it; this is a big red flag! Furthermore, this indicates a fraudster is using card numbers within your BIN range and testing them for fraudulent use. Another red flag would be incorrect card expiration date responses.
Here's Your Card Portfolio Protection Checklist
Confirm that card numbers are issued randomly and NOT in sequential order.
Watch for card attempts against a particular merchant with many transaction attempts. Especially if those attempts are with card numbers in sequential order.
Watch your card response and card denied reason codes closely for a non-matching account on your master card file, card-not-present transactions or by mail or phone, or brute-force attacks on card-present transactions.
Confirm you have blocked key-entered authorizations on card-present transactions. These can be part of an attack involving PIN attempts or authorizations at a point-of-sale terminal or ATM after a counterfeit card has been created.
Lastly, subscribe to Allied Solutions for on-going fraud risk alerts and continue to monitor the card BIN attacks and stay in contact with your card associations and processors to let them know what you are seeing.
— written by Ann Davidson, Vice President of Risk Consulting, Allied Solutions
Guest author bio
Ann Davidson is the Vice President of Risk Consulting at Allied Solutions and an industry-leading author and speaker on financial fraud. Ann has developed an impressive list of achievements and accreditation in the financial sector and contributes to numerous articles in accredited financial publications, and is the keynote speaker at hundreds of conferences and training seminars nationwide on a variety of risk management topics, such as consumer fraud, forgery, and scam prevention.