Increase in Bank Identification Number (BIN) credit card attacks on Irish retail sites
There has been a notable increase in BIN (Bank Identification Number) attacks on Irish ecommerce websites. The ‘charge back’ fees arising from these attacks, which can run into thousands of euro, are the responsibility of the retailer and will be passed directly to them. This is in addition to the loss of revenue from the fraudulent transaction.
According to Sligo-based digital marketing agency Dmac Media, most Irish retailers and card processors have some fraud prevention measures in place. However, many ecommerce retailers are not aware of a devious new method of attack used by fraudsters that has been increasing rapidly over the last year. It is referred to in the industry as a Brute Force BIN Attack. Here is how it works.
A Bank Identification Number (BIN) is the first six digits of a credit card number. A Brute Force BIN Attack uses a real BIN in conjunction with malicious software to randomly generate the remaining card details. These numbers are then tested via online payment forms (commonly ecommerce checkouts) with small amounts. The successful attempts can then be safely used for more significant fraudulent transactions. Smaller payments are much harder to spot on busier sites, so these attacks can fly beneath the radar of ecommerce sites and payment processors alike.
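The pattern described above (one real BIN, many different card numbers, small test amounts, mostly declined) becomes visible once payment attempts are grouped by BIN. The following Python example is added here for illustration and is not code from Dmac Media or any payment processor; the record layout, thresholds and sample data are assumptions.

```python
from collections import defaultdict, deque

BIN_LEN = 6              # the first six digits, as defined above
WINDOW_S = 600           # assumed sliding window (10 minutes)
MIN_ATTEMPTS = 8         # assumed minimum low-value attempts per BIN in the window
MIN_DISTINCT = 6         # assumed minimum number of different cards among them
MAX_AMOUNT = 5.00        # assumed ceiling for a "small" test payment, in euro
MIN_DECLINE_RATE = 0.7   # assumed share of declines expected from guessed cards

def detect_bin_bursts(attempts):
    """attempts: (ts_seconds, card_number, amount, approved) tuples sorted by time.
    Returns [(bin, ts_of_first_alert)]. Assumption: a real shop would key on the
    BIN plus a card fingerprint from its processor instead of the raw number."""
    windows = defaultdict(deque)
    alerted = {}
    for ts, card, amount, approved in attempts:
        if amount > MAX_AMOUNT:
            continue                      # only small payments are of interest
        bin_ = card[:BIN_LEN]
        w = windows[bin_]
        w.append((ts, card, approved))
        while ts - w[0][0] > WINDOW_S:    # drop attempts older than the window
            w.popleft()
        if bin_ in alerted:
            continue
        distinct = len({c for _, c, _ in w})
        declines = sum(1 for _, _, ok in w if not ok)
        if (len(w) >= MIN_ATTEMPTS and distinct >= MIN_DISTINCT
                and declines / len(w) >= MIN_DECLINE_RATE):
            alerted[bin_] = ts
    return sorted(alerted.items())

def build_sample():
    """Constructed sample data; every card number here is made up."""
    rows = []
    for i in range(12):   # burst: one BIN, 12 different cards, EUR 1.00, 20 s apart
        rows.append((1000 + 20 * i, f"999999{i:010d}", 1.00, i == 9))
    for i, b in enumerate(["111111", "222222", "333333"]):   # ordinary orders
        rows.append((1005 + 100 * i, f"{b}0000000001", 45.00 + i, True))
    for i in range(9):    # one repeat customer: same card, small approved payments
        rows.append((1010 + 30 * i, "4444440000000007", 2.50, True))
    return sorted(rows)

if __name__ == "__main__":
    for bin_, ts in detect_bin_bursts(build_sample()):
        print(f"possible BIN attack: BIN {bin_} crossed thresholds at t={ts}")
```

The repeat customer is not flagged because the distinct-card count stays at one, which is what separates a busy legitimate BIN from generated card numbers.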
Dave McEvoy from Dmac Media, a Sligo-based digital marketing agency, explains:
“Dealing with fraudulent payments in an ecommerce environment is part of the landscape. It is very frustrating but a problem that is here to stay. In the last year we have dealt with two such attacks and although the attempts were closed down rapidly each still resulted in many fraudulent transactions taking place. One client faced a bill of close to €4,000. Traditional fraud prevention measures will not be enough to guard against these new BIN attacks”.
The current pandemic restrictions and business supports from Government for ecommerce development have led to a huge increase in retailers bringing their stores online for the first time. Dmac Media has cautioned retailers with ecommerce platforms, new and established, to be aware of the potential cost of an unmitigated attack and to implement security measures to prevent a shock bill. The digital agency advises the following top three ways to prevent an attack:
1. Ensure your payment process uses Strong Customer Authentication (SCA), also known as 3D Secure. This adds an additional security step wherein the customer's card provider asks for an additional validation (commonly a code texted to the customer's phone). It provides greater confidence for your customer and crucially shifts the liability for chargebacks from you to the bank. On its own, SCA will not eliminate the risks completely but can reduce the level of fraud.
2. Captcha is a second method. We are all too familiar with the need to click on all the pictures with cars in them to proceed with even a basic online process. This is a form of test that is designed to tell the difference between a normal customer (human) and software (computer). Whilst these can be cumbersome, the most up-to-date Captchas are now able to look at a user's behaviour on a website and decide if they need to take the Captcha test. These newer forms (referred to as invisible Captchas) minimise disruption to real customers whilst still preventing malicious software from carrying out attempts.
3. Fraud management products. All payment processors (examples) offer fraud detection and prevention services at an additional cost.
Mr McEvoy adds,
“Many ecommerce platforms do not use fraud management products because of the additional cost. In our experience, now more than ever, the consequences of fraud can far outweigh the relatively small additional outlay. At Dmac Media we have found Captcha to be the most effective fraud prevention technology to date for our clients. Our advice is to use all three of these methods. This gives retailers the best chance of avoiding not just BIN attacks but also many other types of fraudulent activities.”
“Far better to be safe than be sorry,” he concluded.