Ways to Fight Back Against BIN Attacks, Card Fraud

Credit card fraud has steadily increased over the past five years, according to the Federal Trade Commission. Reports of credit card fraud peaked at more than 118,000 reports in the second quarter of 2022. As e-commerce continues to gain traction with consumers and retailers alike, there is a growing number of fraudsters that target customers’ credit cards using their bank identification number (BIN).

BIN attacks occur when fraudsters take the first six digits of a card number, the bank identification number that is specific to each card-issuing bank, and run them through software that methodically generates the remaining digits, card verification values (CVVs) and expiration dates. They then test the generated numbers to determine which cards are active. These days, fraudsters can run programs that assess hundreds of card numbers a minute, which makes detection harder for both fraud systems and consumers.

BIN attacks are a major headache for banks that get stuck with both the financial and operating costs resulting from fraudulent charges. But it may take some time for compromised cards to get monetized, giving banks some leeway to avert more damage.

Compromised cards harvested from BIN attacks can cause significant fraud losses for banks, in the form of accumulating chargebacks, call centers and re-issuance expenses. Adding fuel to the fire, the ensuing cardholder disruption and friction can further damage a bank’s reputation and lead to losses in debit interchange revenues.

Banks remain at risk in the wake of a BIN attack and should continue monitoring for suspicious activity by reviewing electronic transaction trails for data such as time stamps, geolocation and IP addresses. However, these corrective and protective measures can require costly resources that many banks cannot afford. When an institution comes under attack from fraudsters, manual and purely consultative solutions are a start, but they are not enough on their own.

Bolstering Against BIN Attacks
Luckily, there are efficient ways that banks can fight back against the fraudsters. Here are several tips on proactive monitoring strategies to stop or limit damage from BIN attacks and other card fraud.

  1. Randomize card account numbers and expiration dates.
  2. Set up card transaction limits and velocity rules.
  3. Think about placing risk controls and transaction limits in foreign countries. BIN attacks from tested transactions often originate outside the U.S. Banks should pay close attention to countries that appear in FinCEN advisories.
  4. Implement decision rules that bar transactions from fraudulent merchants in order to hinder card testing. Analyzing transaction data for suspicious patterns can reveal card testing. If a legitimate merchant reaches a transaction threshold, the bank can add a rule that monitors transaction velocity per hour and restricts transactions when further investigation is necessary.
  5. Automate the monitoring of BINs and transactions with a system that mitigates and acts against fraudulent credit card activity. This system should automatically identify whether your bank is the victim of a BIN attack by recognizing its signals, including repeated low-value transactions, high decline rates and a high volume of CVV errors.
  6. Take advantage of automated network surveillance to pinpoint both legitimate and fraudulent merchants involved in BIN attacks. This gives banks an opportunity to obstruct additional BIN attacks if other fraudulent merchants are caught during this process.
  7. Work with your vendor to deploy fraudster-level tools and strategies to detect and prevent BIN attacks. Vendors can offer a wide variety of solutions, including fraud score, compromise card detection, merchant type, merchant category code (MCC), geography, zip codes and device ID, among others.
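As an added example (not code from the original article), the following Python sketch applies the signals from tips 4 and 5 above, per BIN, merchant and hour, to a constructed authorization log; the record layout and every threshold are assumptions to be tuned against a bank's own baseline.

```python
from collections import defaultdict

# Assumed thresholds (not from the article): tune to the bank's own baseline.
MIN_ATTEMPTS = 20          # hourly velocity needed before a window is judged
LOW_VALUE_USD = 5.00       # "repeated low-value transactions"
MAX_DECLINE_RATE = 0.50    # "high decline rates"
MAX_CVV_ERROR_RATE = 0.30  # "high volume of CVV errors"
MIN_LOW_VALUE_SHARE = 0.80

# Constructed sample authorization log (not real data). Merchant M-9001 shows
# the card-testing pattern; M-0042 is ordinary traffic on the same BIN.
SAMPLE_AUTHS = [
    {"ts": f"2023-05-01T02:{i:02d}:10", "bin": "411111", "merchant": "M-9001",
     "amount": 1.00, "result": "decline_cvv" if i % 4 else "approved"}
    for i in range(40)
] + [
    {"ts": f"2023-05-01T02:{i * 7:02d}:00", "bin": "411111", "merchant": "M-0042",
     "amount": 38.50 + i, "result": "approved"}
    for i in range(6)
]


def find_card_testing(records):
    """Return {(bin, merchant, hour): stats} for windows that look like card testing.
    A window is flagged when it exceeds the hourly velocity threshold AND at least
    two of the three signals (low-value share, decline rate, CVV-error rate) fire."""
    windows = defaultdict(lambda: {"attempts": 0, "declines": 0,
                                   "cvv_errors": 0, "low_value": 0})
    for r in records:
        w = windows[(r["bin"], r["merchant"], r["ts"][:13])]  # ts[:13] = hour bucket
        w["attempts"] += 1
        w["declines"] += int(r["result"] != "approved")
        w["cvv_errors"] += int(r["result"] == "decline_cvv")
        w["low_value"] += int(r["amount"] <= LOW_VALUE_USD)

    flagged = {}
    for key, w in windows.items():
        n = w["attempts"]
        if n < MIN_ATTEMPTS:
            continue  # below the velocity rule: too few attempts to judge
        w["decline_rate"] = w["declines"] / n
        w["cvv_error_rate"] = w["cvv_errors"] / n
        w["low_value_share"] = w["low_value"] / n
        signals = (w["decline_rate"] >= MAX_DECLINE_RATE,
                   w["cvv_error_rate"] >= MAX_CVV_ERROR_RATE,
                   w["low_value_share"] >= MIN_LOW_VALUE_SHARE)
        if sum(signals) >= 2:
            flagged[key] = w
    return flagged
```

Running `find_card_testing(SAMPLE_AUTHS)` flags only the M-9001 window (40 attempts, 75 percent declines, all low-value); the six-transaction grocery window never reaches the velocity threshold and is not judged at all.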

Preventative measures that can immediately interrupt BIN attacks, paired with automated monitoring and surveillance, give banks a way to stay ahead of suspicious activity and effectively identify compromised cards. Mitigation may not stop BIN attacks completely, but it can reduce the resulting financial and operating costs while reinforcing the resiliency of the bank’s fraud department against BIN attacks.

Fintech Lenders Under Fair Lending Scrutiny


One of the many concerns surrounding fintech lenders is that they are not as tightly regulated as traditional banks and are not bound as firmly by the provisions of the Fair Lending Act. The Federal Trade Commission has expressed concerns about many of the lending practices of fintech companies, saying in a recent statement that “the use of big data analytics to make predictions may exclude certain populations from the benefits society and markets have to offer.” Using big data to cherry pick loan candidates may be seen as discriminatory and could end up increasing regulatory scrutiny of fintech lenders as some see their underwriting practices as not being much different than redlining.

Gerron S. Levi, the director of policy and government affairs for the National Community Reinvestment Coalition, also expressed concerns about the practices of the fintech lenders in recent testimony before the House Subcommittee on Financial Institutions and Consumer Credit, telling legislators “We see echoes of the early days of the subprime mortgage boom, in which rapidly growing nonbank mortgage lenders innovated in the worst possible way by loosening credit standards, layering significant and multiple forms of risk, and causing financial harm to borrowers who could ill afford to repay the loans. If lightly regulated nonbank small business lenders, including fintech firms, are left unchecked, our fear is the impact may be the same: millions of small businesses stuck with exploding loans they can’t afford, and the American taxpayer left on the hook to clean up the mess.”

While the ability of fintech lenders to quickly process and fund loans may be seen as an improvement over the much slower process used by most banks, and is also seen by many as an opportunity to expand credit offerings to a wider percentage of the public, there are drawbacks. The algorithms that are used to find the very best borrowers would stand a good chance of being found to be discriminatory under the requirements of the Fair Lending Act. And some fintech lenders are targeting consumers with low or no FICO scores and charging extremely high-interest rates—which some regulators consider to be a form of predatory lending.

We already see the various regulatory agencies take a deeper look at the fintech lending industry. The Consumer Financial Protection Bureau in July entered into a consent order with Flourish, a fintech lender that the agency said had violated several regulations including the Consumer Financial Protection Act and the Fair Credit Reporting Act. The order required Flourish to deposit $1.93 million in an escrow account to repay customers, and the company was fined an additional $1.8 million.

The biggest problem facing fintech lenders is that most of them have not yet been all the way through a credit cycle, so we have no idea how they will react when an economic event causes liquidity to dry up. They do not have access to depository funding and rely on credit facilities, whole loan sales and securitizations to fund originations. These sources of financing have a tendency to evaporate when markets become volatile, and many fintech lenders could be forced to seek partnerships with other lenders or the banks themselves.

In many ways, that would be the perfect solution for this potential liquidity problem. Community and regional banks are very interested in adding new technology that will allow them to offer more online products and services as well as cut costs and speed up loan processing. Banks are actively looking to accomplish this by partnering with, or in some cases acquiring, fintech lenders. According to a recent survey conducted by the law firm Manatt, Phelps & Phillips, 88 percent of those surveyed think that in a decade the banking world will be one where traditional banks are partnering with fintech companies in a mostly collaborative environment.

Fintech lenders choosing to partner with banks will come under closer regulatory scrutiny as their lending practices will have to be in line with the regulations under which banks operate. Regulators have also expressed growing concern about data security, and that will be a large issue that both the banks and fintech companies will have to address.

Regulatory challenges are going to continue to increase for fintech lenders. For many of them, the most practical course of action will be to partner with community and regional banks. For that to happen, however, their strategies and operations will have to be modified so the marketing programs and loan approval algorithms have no hint of discriminatory or predatory lending practices.

Check It Out: The FTC Zeroes in on Mobile Payments

Banks have an important role to play in the development of mobile banking and mobile payment technologies. Although nearly 45 percent of all mobile phone users have a smartphone, only 12 percent are using mobile devices to make payments, according to a new report from the Federal Trade Commission (FTC). The primary reason for not using mobile payments is security concerns (42 percent).

Currently, the Federal Trade Commission is leading the charge to explore the need for mobile payments regulation. For banks interested in mobile banking, its actions and publications are very instructive.

Over the last two years, the FTC’s actions include: bringing law enforcement actions, obtaining high-profile settlements with Google and Facebook and issuing policy reports for mobile businesses and policymakers. Although financial institutions are not directly regulated by the FTC in this area, the FTC does regulate all other mobile providers including merchants, payment card networks and payment processors. Further, the FTC will likely influence and coordinate with other regulators, particularly with respect to data security and privacy.

During a teleconference on February 1, 2013, discussing the FTC report, “Mobile Privacy Disclosures: Building Trust through Transparency,” the outgoing FTC Chairman, Jon Leibowitz, called on the industry to adopt strong privacy and data security measures for mobile technologies or face increased regulation. Most recently, the FTC issued a Staff Report on March 8, 2013, entitled “Paper, Plastic… or Mobile? An FTC Workshop on Mobile Payments,” which outlines a number of key concerns and recommendations for businesses implementing mobile payments:

  • develop clear policies for disputes for fraudulent or unauthorized mobile payments that address:
    • the confusing landscape for consumers when selecting a payment method since each product has a different means, as well as different levels of protection, for disputing payments;
    • the potential need to incorporate FTC Act and potential Consumer Financial Protection Bureau protections. At this time, unless Regulation E applies to a payment method, Reg E type protections for fraudulent or unauthorized payments are offered on a contractual or voluntary basis only; and
    • mobile “cramming,” where companies place unauthorized charges on mobile phone bills.
  • adopt strong security measures throughout the mobile payment process to:
    • receive, transmit and store financial data using “end-to-end” encryption;
    • incorporate security measures such as dynamic data authentication and separate secure element storage of data to prevent hackers from accessing financial information on mobile devices;
    • comply with federal and state data security laws such as the FTC Safeguards Rule 16 C.F.R. § 314.1 et seq. and the FTC Act prohibition against unfair, deceptive and abusive practices;
    • require strong data security measures by all companies in the mobile payments chain; and
    • implement additional consumer security protections such as second level passwords and a means to immediately disable apps if a phone is lost or stolen.
  • implement “privacy by design” as set forth in the FTC’s report “Protecting Consumer Privacy in an Era of Rapid Change,” including at a minimum:
    • strong privacy practices at every stage of product development covering:
      • reasonable security
      • data collection limited to the context of consumer interaction with your business (e.g., no geo-location data unless needed)
    • simplified consumer choice:
      • allowing consumers to restrict unnecessary information disclosure
      • discouraging “pre-checked” boxes to obtain consumer consent for the use of data for non-processing purposes
    • transparency regarding data collection, storage and use to strengthen consumer trust.

To enable mobile to reach its full potential, financial institutions can play a lead role, including by responding to the FTC chairman’s call for industry self-regulation and the recommendations noted in the Staff Report. Taking the security and privacy obligations that already exist under the Gramm-Leach-Bliley Act, with further guidance from sources like the FTC, financial institutions can move the industry forward by developing meaningful mobile disclosures and transparent privacy policies and practices and by requiring similar compliance of their mobile payment service providers.

Banks should implement, and require their service providers to implement, data security safeguards for sensitive financial information at all segments of the payment chain and allocate responsibilities and liability among them. Banks should develop data breach response plans including notifications and consider purchasing cyber-security insurance.