Top-Level Takeaways
-
Stolen Bank Identification Numbers allow hackers to systemically generate full card credentials to conduct fraudulent transactions.
-
In early 2021, Air Force FCU experienced a BIN attack that required quick work to manage.
When a consumer swipes, taps, or inserts a credit or debit card, the point of sale system scans the Bank Identification Number (BIN) typically the first four to six digits in the number that identifies the issuing institution recognizes the associated account, and submits a request to withdraw funds from the account to complete the transaction.
For fraudsters conducting BIN attacks, those digits are the key to unlocking hundreds or even thousands of dollars in fraudulent card transactions. After a fraudster obtains a BIN which they typically purchase in bulk from dark web sources that collect the numbers during card breaches they use software to systematically generate and test the missing numbers of an account.
“They don’t have the card or the full number,” says Cathy Miller, senior vice president and chief risk officer at Air Force Federal Credit Union ($558.1M, San Antonio, TX). “They just have a computer program.”
But those programs are powerful. Fraudsters test permutations of the card number at online retailers until they uncover the right one. They then do the same with the expiration date and CVV code until they have a non-present but working card.
From there, fraudsters move quickly, as Air Force FCU discovered earlier this year when it was hit with a BIN attack.
The BIN Attack
In late April 2021, transactions totaling close to six figures from the same retailer hit the credit union in nearly one fell swoop. Transaction data from Air Force FCU’s core provider indicated all the charges were card-not-present purchases, which tipped Miller off to the fraud.
The cooperative had to act quickly.
Because the retailer, which Miller declines to name, is a large, legitimate business, the credit union couldn’t simply cut off those transactions. However, during its due diligence, Air Force FCU learned the attack came from only one of the several networks through which it processes transactions, and it could shut off transactions from specific card networks.
“We made the decision to stop all transactions from that network for two days,” Miller says. “It stopped the fraud in its tracks and gave us enough time to figure out our next move.”
The credit union’s chief technology officer along with several risk employees began to thoroughly review Air Force FCU’s daily credit card transaction reports. A pattern soon emerged. Miller says her exceptions report often state card destroyed, card lost, card stolen, or wrong pin. Not this time.
“We saw was a huge pattern of card not found,” Miller says. “Plus, these were all from the same vendor and the impacted card numbers ran in a sequential order. It just wasn’t normal.”
“The fraudsters, however, had accurate card information so transactions were going through, putting the credit union on the hook for losses. And the hackers were sophisticated,” Miller says. “They used different names, different dollar amounts, and even different addresses not always in the United States.”
“People were really buying stuff,” Miller says. “It was going as far away as Colombia.”
The Response
Air Force FCU implemented immediate changes to its card numbering logic no longer would the same several digits appear for each card. By altering the pattern, the credit union hoped to make hacking more complicated. Additionally, the credit union reissued every card that was affected by the attack, but it did not reissue cards en masse.
“It’s a long process to reissue like that,” Miller says. “And it wasn’t going to stop the bleeding.”
The fact the dollar amounts tended to be small posed a challenge to identifying fraudulent charges. And because it was a well-known retailer, members weren’t always aware they were victims. Air Force FCU posted a message on its home banking platform asking members to review their statements carefully for suspicious activity. It did not name the retailer because the attack ultimately wasn’t the retailer’s fault. In fact, the retailer was helpful.
“When we contacted them, they were eager to help us stop the fraud,” Miller says.
Internally, three employees in the risk department started reviewing daily core and card processor reports looking for context clues for potential fraud. Of primary focus are those card not found transactions, especially sequential card numbers used in close succession.
The crook spends his whole day looking for ways in. We’re going to be behind the curve in trying to catch up, but we’ll do everything we can.
Looking forward, Air Force FCU hopes its risk review process will curb future fraudulent activity and is evolving its cybersecurity efforts, which include a new information security committee. Miller knows the battle is far from over, but that doesn’t mean it’s not worth the fight.
“The crook spends his whole day looking for ways in,” Miller says. “We’re going to be behind the curve in trying to catch up, but we’ll do everything we can.”