BIN Attack
What Is a BIN Attack? Definition and How It Works
Definition
A BIN attack is a fraud technique in which attackers systematically generate and test card numbers within a specific Bank Identification Number range to identify valid card numbers, often targeting a single issuer's card portfolio.
How it works
A BIN (Bank Identification Number) is the first six to eight digits of a payment card number that identify the issuing bank, card network, card type, and product. In a BIN attack, fraudsters use a known BIN prefix to generate candidate card numbers by exhaustively or algorithmically varying the remaining account-number digits (appending the Luhn check digit so each candidate passes basic validation), then test those candidates through authorisation attempts to find valid, active cards.
BIN attacks differ from standard card testing in their method: rather than checking whether each card on a stolen list is still live, a BIN attack generates card number candidates systematically. The attacker does not need access to a card data breach; they only need a target BIN prefix, which is derivable from any card issued by the target bank.
The attack typically runs automated authorisation requests at low values against multiple merchants simultaneously. Successful authorisations identify valid card numbers. Attackers then hold confirmed card numbers that can be used for fraud or sold, without ever needing to obtain a physical card.
Issuers are the primary victims of BIN attacks, and their cardholders end up with unauthorised charges. But merchants used as the testing platform bear the operational consequences: elevated decline rates, processing costs on thousands of failed attempts, and scheme monitoring consequences if the pattern triggers fraud monitoring programs.
Why it matters
Scheme monitoring consequences fall on the merchant: a BIN attack running through a merchant's checkout drives up the decline rate (the share of authorisation attempts that are declined) and produces anomalous BIN concentration patterns that card scheme fraud monitoring programs flag. Even though the merchant is a victim, they absorb the scheme scrutiny.
Detection requires BIN-level velocity monitoring: standard card-level velocity rules miss BIN attacks because each card number in the attack may only appear once. Monitoring the authorisation attempt rate per BIN prefix, together with the decline share within that BIN, and flagging when a single BIN generates an abnormal volume of mostly declined attempts, is the specific control required. The threshold has to be set against each BIN's own baseline: a large domestic issuer's BIN legitimately dominates a merchant's traffic, so a raw attempt count alone is not enough.
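The following is an added example, not PXP's code or a description of its risk engine. It shows the mechanics described under "How it works" (Luhn-valid candidate generation under a BIN prefix and the size of the resulting search space) and the detection point made just above: a constructed authorisation log in which every generated PAN is tried once, so a per-card velocity rule fires on nothing while a per-BIN sliding-window rule that combines attempt volume with decline share flags the attacked BIN. The BIN 412345, the timestamps, the thresholds and the log itself are all constructed; the legitimate PANs are standard public test card numbers.

```python
# Added example (not PXP's code): a BIN attack as it appears in an
# authorisation log, and why per-card velocity misses it while per-BIN
# velocity catches it. Every BIN, PAN, timestamp and threshold here is
# constructed for illustration; the legitimate PANs are public test numbers.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import random


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(partial)):  # rightmost body digit gets doubled
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return luhn_check_digit(pan[:-1]) == pan[-1]


def search_space(bin_len: int, pan_length: int = 16) -> int:
    """Luhn-valid PANs under one BIN: the check digit is fixed by the rest,
    so only pan_length - bin_len - 1 digits are free to vary."""
    return 10 ** (pan_length - bin_len - 1)


def candidate_pans(bin_prefix: str, pan_length: int, count: int, rng: random.Random):
    """Yield `count` distinct Luhn-valid PANs under bin_prefix, the way an
    attacker's generator does (random body digits plus a valid check digit)."""
    body_len = pan_length - len(bin_prefix) - 1
    seen = set()
    while len(seen) < count:
        body = str(rng.randrange(10 ** body_len)).zfill(body_len)
        pan = bin_prefix + body + luhn_check_digit(bin_prefix + body)
        if pan not in seen:
            seen.add(pan)
            yield pan


def build_sample_log():
    """Constructed authorisation attempts: light legitimate traffic on assorted
    BINs plus 200 generated PANs under one BIN, each tried once, 4 per second."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    legit = ["4111111111111111", "5555555555554444", "4012888888881881",
             "6011111111111117", "5105105105105100", "378282246310005"]
    log = [{"ts": t0 + timedelta(seconds=10 * i), "pan": legit[i % 6], "approved": i != 5}
           for i in range(12)]                      # each real card seen twice
    for i, pan in enumerate(candidate_pans("412345", 16, 200, random.Random(7))):
        log.append({"ts": t0 + timedelta(seconds=i // 4), "pan": pan,
                    "approved": i % 50 == 0})       # ~2% of guesses hit a live card
    return log


def card_level_alerts(attempts, max_per_card=3):
    """Classic rule: flag a PAN retried more than max_per_card times."""
    counts = Counter(a["pan"] for a in attempts)
    return {pan for pan, n in counts.items() if n > max_per_card}


def bin_level_alerts(attempts, window_seconds=300, min_attempts=50, min_decline_ratio=0.8):
    """Flag a BIN when attempts within a sliding window are both numerous and
    mostly declined; reports the largest window seen per flagged BIN."""
    by_bin = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a["ts"]):
        by_bin[a["pan"][:6]].append(a)   # 6-digit BIN; use 8 for 8-digit BINs
    alerts = {}
    for bin_prefix, rows in by_bin.items():
        start = 0
        for end in range(len(rows)):
            while (rows[end]["ts"] - rows[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            n = end - start + 1
            declines = sum(1 for r in rows[start:end + 1] if not r["approved"])
            if n >= min_attempts and declines / n >= min_decline_ratio:
                if n > alerts.get(bin_prefix, {}).get("attempts", 0):
                    alerts[bin_prefix] = {"attempts": n, "declines": declines}
    return alerts


def run_demo():
    log = build_sample_log()
    return {
        "search_space_6": search_space(6),
        "search_space_8": search_space(8),
        "card_level": card_level_alerts(log),
        "bin_level": bin_level_alerts(log),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the asymmetry the text describes: the 200 attack attempts leave `card_level_alerts` empty because no PAN repeats, while `bin_level_alerts` reports 200 attempts and 196 declines for 412345 inside a single five-minute window and nothing for the legitimate BINs. In production the `min_attempts` threshold would be derived per BIN from that BIN's normal traffic rather than fixed, for the baseline reason given above.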
CAPTCHA and bot detection reduce attack surface: BIN attacks are typically bot-driven. Checkout-level bot detection (behavioural analysis, CAPTCHA on authorisation failures, headless browser detection) disrupts the automated testing infrastructure attackers rely on.
Processing costs accumulate rapidly: each authorisation attempt carries a processing fee. A BIN attack generating 100,000 attempts against a merchant's checkout creates significant processing cost exposure independent of any fraud loss.
With PXP
PXP's risk engine applies BIN-level velocity monitoring that detects abnormal authorisation attempt rates within specific BIN ranges. Automated blocking can be configured to fire when BIN-level thresholds are breached. PXP surfaces BIN attack patterns in its risk dashboard for investigation and rule refinement.
Frequently asked questions
What's the difference between a BIN attack and card testing?
Card testing checks whether cards on a stolen list are still live. A BIN attack generates card number candidates algorithmically from a known BIN prefix, without requiring prior access to stolen card data. BIN attacks slip past card-level controls because each generated number typically appears only once, so they have to be detected by aggregating attempts at the BIN level, where the concentration on a single issuer's range is what stands out.
How do attackers know which BIN ranges to target?
BIN prefixes are effectively public: the first six digits of any card identify the issuer, network, and card type, so attackers can read a BIN off any issued card. They may target BINs from issuers with weaker fraud detection, high-value card products (premium travel or corporate cards), or specific geographies based on known fraud market dynamics.
What is the impact on the issuer when their BIN range is attacked?
Cardholders in the targeted BIN range may see small unauthorised authorisation holds on their accounts where a test against their number was approved. Valid card numbers that are confirmed through the attack can be used for subsequent unauthorised purchases. Issuers may need to reissue cards in the affected range if the attack is extensive enough.
Can merchants prevent their checkout from being used in BIN attacks?
Complete prevention is not feasible, but the attack surface can be reduced significantly. CAPTCHA on checkout, rate limiting on authorisation attempts by IP and device, BIN-level velocity monitoring, and behavioural bot detection collectively raise the cost of running a BIN attack through a merchant's checkout to the point where attackers move to less-protected targets.