BIN Attacks can cost Irish Ecommerce Retailers thousands of euro in transactions fees.

In bricks and mortar retail, all business owners have to deal with the problem of shrinkage, which is their accountant’s polite phrase for loss of stock due to shoplifting. 

The new generation of ecommerce operators can rest easy knowing that Shrinkage is not a significant issue for them, however there are other dangers.  Namely Credit Card fraud. 

Dealing with fraudulent payments in an ecommerce environment is viewed by most experienced operators as a part of the landscape, yes, a horridly frustrating one but one that is here to stay.

Most operators and card processors have fraud prevention measures in place however a new angle of attack for fraudsters has been on the increase over the last year and traditional fraud prevention measures may not be enough.  Welcome to Brute Force Bin Attacks. 

A Bank Identification Number (BIN) number is the first six digits of a credit card number.  A Brute Force BIN Attack uses a real BIN in conjunction with malicious software to randomly generate the remaining card details.   These numbers are then tested via online payment forms (commonly ecommerce checkouts) with small amounts.  The successful attempts can then be used for more significant transactions (traditional fraud). Smaller fraudulent payments are much harder to spot on busier sites so these attacks can fly beneath the radar of ecommerce sites and payment processors alike. 

Traditionally card fraud cost a retailer via the chargeback from the bank that inevitably results when the victim of the fraud calls their credit card company and reports the purchase in question.  But BIN attacks generate transaction fees for retailers for the failed attempts and that is where the damage is done.  The eventual chargeback for successful attempts will be a tiny sum of money by comparison to the transaction fees generated for the failed attempts absorbed by the retailer.

Ecommerce operators are at risk of both inadvertently allowing these attacks to run unabated and equally card holders are unlikely to query a small spend on their card.

These attacks are challenging financial institutions across the globe and many card processors are passing the cost of these attacks directly to the retailer.  A recent email from Global Payments (the largest online payment processor in Ireland) has clearly stated that fees arising7 from these attacks will be passed directly to the client site responsible.

In the last year we, at Dmac Media Ltd, have dealt with two such attacks on our clients and although the attempts were closed down rapidly it still resulted in thousands of failed transactions and a bill for the client of close to €4000

A real concern arises when you consider that with the current pandemic restrictions and business supports from Government for ecommerce development there is a huge increase in retailers bringing their stores online for the first time.

Retailers with ecommerce platforms need to be aware of the potential cost of an unmitigated attack and implement security measures to prevent bill shock. 

Here are the top three ways to prevent an attack:

Strong Customer Authentication (SCA)
Ensure your payment process uses Strong Customer Authentication also known as 3D secure.  This adds an additional security step wherein the customers Card provider asks for an additional validation (commonly a code texted to the customers phone).  It provides greater confidence for your customer and crucially shifts the liability for chargebacks from you to the bank.   On its own SCA will not eliminate the risks completely but can reduce the level of fraud in general.

Captcha
We are all too familiar with the need to click on all the pictures with cars in it to proceed with even basic online process.  This is a form of test that is designed to tell the difference between a normal customer (Human) and software (Computer).  Whilst these can be cumbersome the most up to date Captcha’s are now able to look at a user’s behaviour on a website and decide if they need to take the Captcha test.  These newer forms (referred to invisible Captcha’s) minimise disruption to real customers whilst still preventing malicious software carrying out attempts.  (for us this has proven the most effective method to date)

Fraud Management products. 
Most payment processors offer fraud detection and prevention services at an additional cost. However, many new eCommerce platforms do not use them because of those additional costs.  Now, more than ever, the consequences of fraud can outweigh the relatively small additional monetary outlay. 

Our advice is to use all three preventative measures as they give you the best chance of avoiding not just BIN attacks but all manner of other fraudulent activities.  If you are unsure about whether you have some or all of these features, contact your eCommerce platform provider or your payment processor and they will tell you what steps you need to take.