BIN and Credit Card Testing Fraud

November 26, 2020

E-commerce fraud is on the rise especially since we entered into the Covid-19 pandemic.

Credit card testing and BIN attacks are greatly on the rise and can leave merchants having to pay the transaction fees incurred if their e-commerce website is hit with credit card testing. Card testing is common, but both of them are not always an easy form of fraud to spot because they usually take place in the middle of the night with automated bots when most e-commerce website owners are sleeping and not actively monitoring their website activities.

What is Credit Card Testing?

Credit card testing is when fraudsters obtain, steal, or purchase stolen credit card data. Of course, the credit card data is not any good if the fraudsters do not know which cards are still active. To see which credit card numbers are still active and have available credit they will test them on unsuspecting merchants’ e-commerce websites via their payment gateway and checkout pages.

Credit card testing is done by placing multiple small orders all at once—sometimes this can run in the hundreds of thousands of transactions within a very short time frame. Usually, the fraudsters deploy some type of bot to automate the process, and the transactions usually come from just a few similar IP addresses.

What is a BIN Attack?

A BIN attack involves using a known BIN (Bank Identification Number), and systematically generating and testing the remaining digits of a credit card number, usually deploying the use of a BOT as well. These numbers are usually tested by making small transactions of less than $1. Small credit card amounts are hard for fraud detection systems to detect, and most consumers do not even notice them. The valid numbers are then later used to make much larger transactions, with merchants and issuers bearing these losses.

T1 Payments strongly encourages merchants to use iSpyFraud to fight credit card testing, which is a value-added service that can be enabled via their NMI payment gateway.