Fixing the gap:
The secret to fighting BIN attacks
1. https://www.mastercard.us/content/dam/public/mastercardcom/na/us/en/large-enterprises/other/mastercard-fraud-watch-q2-2023-payments-risk-briefing.pdf
See also: https://www.linkedin.com/posts/mastercard_mastercard-cyber-and-intelligence-activity-7170432229125373954-yAGk?utm_source=share&utm_medium=member_desktop
The net impact of these attacks on financial institutions goes beyond the immediate monetary loss.
The damage to their reputation and to consumer confidence can be devastating.
To understand how best to be proactive against these types of attacks, Mastercard has developed some basic guidelines to help issuers prepare:
Know
Recognize your cardholders’ spending patterns. Identifying where and how they tend to transact can help you bolster strategies for each of your portfolios — and distinguish good customers from bad actors.
Understand the capabilities of your fraud tools. Are your rules deployed in real time? Does your system protect all your authorizations? Defining these parameters ahead of time will help you mitigate attacks quickly.
Fortify
Design strategies that limit the impact on legitimate cross-border traffic. In countries where fraud outnumbers genuine transactions, tailor your rules to account for regional fraud patterns (such as gas station fraud along a specific highway).
Regularly look for and address security weaknesses. For example, confirm that unsupported transactions are declined rather than approved, that the authorization request cryptogram (ARQC) is actually validated, and that the application transaction counter (ATC) is monitored for repeats and implausible jumps.
Validate that your stand-in processing parameters (the rules the network applies on your behalf when your host is unreachable) align with your risk tolerance and appetite. Construct geo-controls to help govern authorizations during outages and network interruptions.
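To make two of the Fortify checks concrete, here is an added example (illustrative code written for this page, not Mastercard's or any issuer's software) of host-side authorization logic: entry modes the card product does not support are declined instead of falling through, and the EMV application transaction counter is tracked per card so that a repeated or implausibly jumping ATC is flagged. The product profile, entry-mode names, gap threshold and card number are assumptions; cryptogram validation is assumed to have run upstream with the issuer keys and is represented only by its result.

```python
"""Issuer-host chip authorization checks on constructed input.

Two controls from the Fortify guidance: decline transaction types the
product does not support, and monitor the Application Transaction Counter
(ATC, EMV tag 9F36) so replays, clones and desynchronised cards stand out.
The profile, threshold and sample card are assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class ChipAuth:
    pan: str
    atc: int            # Application Transaction Counter reported by the card
    entry_mode: str     # how the card data reached the terminal (assumed names)
    arqc_valid: bool    # result of cryptogram validation done upstream (assumed)


# Hypothetical product profile keyed by 8-digit BIN. Magstripe fallback is
# deliberately absent so that such requests decline instead of falling through.
SUPPORTED_MODES = {"51000012": {"chip", "contactless", "ecom"}}


@dataclass
class AtcMonitor:
    max_gap: int = 50                       # largest plausible jump between online ATCs (assumed)
    last_atc: dict = field(default_factory=dict)

    def decide(self, auth: ChipAuth):
        """Return ("APPROVE"|"DECLINE", [reasons]) for one authorization."""
        reasons = []
        allowed = SUPPORTED_MODES.get(auth.pan[:8], set())
        if auth.entry_mode not in allowed:
            reasons.append("unsupported_entry_mode")

        # Only EMV entry modes carry a cryptogram and an ATC.
        if auth.entry_mode in {"chip", "contactless"}:
            if not auth.arqc_valid:
                reasons.append("arqc_invalid")
            prev = self.last_atc.get(auth.pan)
            if prev is not None and auth.atc <= prev:
                # Same or lower counter than already seen: replay or cloned chip.
                reasons.append("atc_replayed_or_cloned")
            elif prev is not None and auth.atc - prev > self.max_gap:
                # Genuine cards can run offline transactions, but not hundreds.
                reasons.append("atc_gap_too_large")
            # Advance the stored counter only for a genuine card moving forward,
            # so a declined-for-gap card is not locked out on its next attempt.
            if auth.arqc_valid and (prev is None or auth.atc > prev):
                self.last_atc[auth.pan] = auth.atc

        return ("DECLINE" if reasons else "APPROVE", reasons)


def run_sample():
    """Constructed authorization sequence for one card (not real data)."""
    monitor = AtcMonitor()
    pan = "5100001200000012"   # constructed, Luhn-valid PAN in the profiled BIN
    sequence = [
        ChipAuth(pan, 41, "chip", True),                 # genuine
        ChipAuth(pan, 42, "contactless", True),          # genuine
        ChipAuth(pan, 42, "chip", True),                 # same ATC again: replay/clone
        ChipAuth(pan, 43, "chip", False),                # cryptogram fails validation
        ChipAuth(pan, 43, "fallback_magstripe", True),   # mode not supported by product
        ChipAuth(pan, 300, "chip", True),                # implausible jump
        ChipAuth(pan, 301, "chip", True),                # back to normal cadence
    ]
    return [monitor.decide(a) for a in sequence]


if __name__ == "__main__":
    for decision, reasons in run_sample():
        print(decision, reasons)
```

The stored counter is advanced only on a valid cryptogram with a higher ATC, so a cloned chip replaying an old counter never moves the genuine card's baseline, while a genuine card declined once for a large gap is approved on its next transaction.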
React
If you are attacked, find out how your institution detected it. If your fraud or cybersecurity system raised the alarm, your mitigation tools may already be targeting the anomalous behavior. If, on the other hand, cardholders are contacting your call center, you first need to determine the scope of the attack.
Be prepared to take immediate action. A successful attack can leave your institution exposed to further attacks by the same crime ring.
Educate
Teach cardholders how to avoid becoming victims.
Encourage secure online behaviors and promote skepticism toward requests for personal information.
You’re enjoying a Saturday dinner with friends when your work phone rings. It’s your technology center manager, saying there’s been a flood of complaints about unauthorized transactions. Your stomach drops: Sounds like a mass fraud attack. You rush back to the office to help rescue your customers’ accounts.
For card professionals, such attacks are becoming a chronic headache.
In these fraud schemes, criminals, often using AI, try to guess valid card numbers, starting from a known bank identification number (BIN).
The BIN is the leading digits of a payment card number, traditionally the first six and, under the expanded numbering introduced in 2022, up to eight. It identifies the issuer and may encode other account details, such as card type, level and location.
Once criminals discover or steal a working BIN, or a newly opened card number range:
1. They use random-number generators and algorithms to fill in the rest of the card number, expiration date and verification code, generating hundreds or thousands of candidate card numbers. Because the last digit of a card number is a Luhn check digit, candidates that fail the check can be discarded before testing, so what reaches a merchant is at least a well-formed number.
2. They then enlist bots to test the results, preferably on websites with weak security that do not rate-limit or lock them out after repeated failed attempts.
3. Once they have landed on a valid number, fraudsters are free to spend until the cardholder or issuer freezes the account.
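Seen from the issuer's authorization host, the three steps above produce a recognisable signature: a burst of distinct card numbers within one BIN from one merchant, most of them declining for reasons that mean "no such card". The following is an added example (written for this page, not part of Mastercard's or any issuer's tooling) of a detector that runs over constructed authorization records. The thresholds, response-code names and log format are assumptions; the sample records are constructed. It also counts Luhn failures among the tested numbers, since attacker-generated numbers are normally Luhn-valid and a high failure share points to cruder tooling.

```python
"""Card-testing (BIN attack) detector over constructed authorization records.

A (merchant, BIN) pair is flagged when, inside a sliding window, it submits
many distinct card numbers that mostly decline with "guessed card" responses.
Thresholds, response codes and the record format are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Responses that usually mean the number was guessed rather than stolen.
# These names are assumptions for the example, not network-defined codes.
GUESS_DECLINES = {"INVALID_CARD", "CVC_MISMATCH", "EXPIRY_MISMATCH"}

WINDOW = timedelta(minutes=10)
MIN_ATTEMPTS = 20         # attempts per (merchant, BIN) inside the window
MIN_DISTINCT_PANS = 15    # distinct card numbers among those attempts
MIN_DECLINE_RATIO = 0.8   # share of attempts declined for guess-type reasons


def luhn_valid(pan: str) -> bool:
    """True if the card number passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid (used to build samples)."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise AssertionError("unreachable: exactly one digit always satisfies Luhn")


def parse_line(line: str) -> dict:
    """Parse 'ISO-timestamp|merchant|pan|response' (assumed log format)."""
    ts, merchant, pan, response = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "merchant": merchant,
            "pan": pan, "bin": pan[:8], "response": response}


def detect_card_testing(lines):
    """Return one alert per (merchant, BIN) the first time it crosses the thresholds."""
    windows = defaultdict(deque)    # (merchant, bin) -> records inside WINDOW
    alerted, alerts = set(), []
    for rec in sorted((parse_line(ln) for ln in lines), key=lambda r: r["ts"]):
        key = (rec["merchant"], rec["bin"])
        q = windows[key]
        q.append(rec)
        while q and rec["ts"] - q[0]["ts"] > WINDOW:   # slide the window forward
            q.popleft()
        if key in alerted or len(q) < MIN_ATTEMPTS:
            continue
        distinct = {r["pan"] for r in q}
        ratio = sum(r["response"] in GUESS_DECLINES for r in q) / len(q)
        if len(distinct) >= MIN_DISTINCT_PANS and ratio >= MIN_DECLINE_RATIO:
            alerted.add(key)
            alerts.append({"merchant": rec["merchant"], "bin": rec["bin"],
                           "attempts": len(q), "distinct_pans": len(distinct),
                           "decline_ratio": round(ratio, 2),
                           "luhn_invalid": sum(not luhn_valid(p) for p in distinct)})
    return alerts


def build_sample_log():
    """Constructed authorization log (not real data): 16-digit PANs, 8-digit BIN."""
    base = datetime(2024, 3, 2, 20, 15, 0)
    lines = []
    # Card-testing burst: 30 distinct numbers every two seconds, mostly guess declines.
    for i in range(30):
        partial = f"51000012{i:07d}"
        pan = partial + luhn_check_digit(partial)
        resp = "APPROVED" if i % 10 == 0 else ("INVALID_CARD" if i % 2 else "CVC_MISMATCH")
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()}|M-TESTSHOP|{pan}|{resp}")
    # Ordinary grocery traffic: five repeat customers, an occasional funds decline.
    for i in range(25):
        partial = f"51000012{9000 + i % 5:07d}"
        pan = partial + luhn_check_digit(partial)
        resp = "INSUFFICIENT_FUNDS" if i % 8 == 0 else "APPROVED"
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()}|M-GROCERY|{pan}|{resp}")
    return lines


if __name__ == "__main__":
    for alert in detect_card_testing(build_sample_log()):
        print(alert)
```

The grocery merchant also exceeds twenty attempts, but from five cards with no guess-type declines, so it never trips the rule; the test shop is flagged on its twentieth attempt, before the burst finishes. In production the same logic would run on the stream of authorizations per BIN and feed the real-time rules the Know guidance asks you to have in place.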
The nature of these attacks is changing, and the frequency is increasing.
As digital commerce flourished with the Covid-19 pandemic, it fueled the growth of what was once a niche criminal enterprise called Fraud as a Service (FaaS) — hackers helping clients commit cybertheft.
Criminals are using increasingly sophisticated methods to circumvent security tools and monitoring systems used by financial institutions.
Criminals can go to dark web marketplaces to buy card numbers and BIN ranges known to be vulnerable, together with code that automates sophisticated mass attacks.
By making it easy for criminals with little technical skill to probe thousands of sites at once for gaps in security, and to pounce when they find one, FaaS has driven up BIN attacks by 80% around the world since 2020 [1].
The good news is that the more issuers, merchants and cardholders learn about BIN attacks, the harder it will be for fraudsters to pull them off — and the sooner you will be able to enjoy your weekend in peace.
Help is here
Mastercard Safety Net provides issuers with a second line of defense against large-scale fraud. Safety Net, which stopped $20 billion in fraud last year, silently scans global authorization transactions for abnormal activity.
Alongside Safety Net, issuers can use Mastercard Threat Scan to identify vulnerabilities and gaps in their production authorization hosts, since fraudsters constantly probe production authorization networks for weaknesses. An estimated 8% of all fraud losses globally are attributed to weaknesses in issuers' authorization networks.
To learn more, visit Mastercard's Security By Design resources page, where you will find videos on Safety Net and Threat Scan.