In an age where digital payments dominate and fraudsters grow more sophisticated by the day, brute force BIN attacks have emerged as a stealthy yet devastating threat to financial institutions and consumers alike. By exploiting weaknesses in payment processing systems, attackers systematically guess card details using known Bank Identification Numbers (BINs), resulting in unauthorized transactions, financial losses, and damaged reputations. As this type of fraud gains traction, it’s imperative for organizations to not only understand how these attacks work but to also adopt proactive strategies to stay ahead of them.
What is a brute force BIN attack?
A brute-force BIN attack is a trial-and-error method used by fraudsters to discover valid payment card details, such as the full account number, the expiration date, or the Card Verification Value 2 (CVV2), by submitting large numbers of authorization attempts against card numbers that share a known Bank Identification Number (the first digits of the card number, which identify the issuer).
How is a brute force BIN attack executed?
A brute-force BIN attack typically begins with an attempt to gain access to a merchant's retail terminals or website payment system, usually through a malware installation, a phishing scheme, or both. Once inside the merchant's network, the attacker uses the merchant's terminal or online checkout to submit computer-generated test transactions until one of them receives a valid authorization. These authorization requests can accumulate into the thousands within seconds. The attacker then combines the card numbers, expiration dates and card verification values confirmed by those authorizations to perform fraudulent card-not-present transactions through e-commerce, keyed point-of-sale (POS), mail-order or phone-order channels. The same data may also be used to create counterfeit cards for card-present POS or ATM transactions.
How to identify a brute force BIN attack
Review transaction data for any significant increase in the number of declines carrying the following response codes, whether they come from one merchant or from several:
- Invalid account number, invalid CVV/CVC or invalid CVV2/CVC2
- Expired card or expiration mismatch
- Record/card not on file
If a single card shows many back-to-back declines (often 100 or more) from the same merchant, the fraudsters most likely already hold the card number and expiration date and are cycling through values to find the three-digit CVV2/CVC2 code; this is the CVV brute-force variant of the attack. (A few declines spread across a small number of card numbers does not indicate an attack.) If one merchant generates a series of single transactions across many sequential card numbers, each declined as expired card/expiration mismatch or record/card not on file, your credit union has most likely identified a BIN attack: the fraudsters have your BIN and are auto-generating sequential card numbers in order to find ones that actually exist.
What to do if you see evidence of a brute force BIN attack
If you strongly suspect an attack, block every card number that received an approval during it. Once the criminal holds an approved, valid card number, it is only a matter of time before they use it or sell it on the dark web. As a best practice, if no approvals were observed there is no need to reissue or shut down cards: the fraudsters do not yet have enough data to complete a transaction successfully. Card issuers cannot prevent the attempts from being submitted; they can only decline them. Most processors, however, have strategies in place to issue declines based on standard parameter checks and global brute-force rules, and can block the offending merchant if needed. Reissuing an entire new BIN is not recommended, because BINs are easily discovered and the fraudster's tooling will simply attack the new BIN in the same way.
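As an added illustration of the detection rules in the previous section and the "block the approved cards" response described here (example code written for this page, not from the original article or any processor), the following Python script runs those checks over a constructed set of authorization records. The record layout, the response codes, the placeholder BIN 411111 and the thresholds are all assumptions; map them to your processor's schema and tune them to your own volumes.

```python
"""Flag brute-force BIN activity in authorization records and list the
approved card numbers to block. Added example: the record layout, response
codes and thresholds below are assumptions, not any processor's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED = "00"
# Assumed response codes for this example; map them to your processor's code set.
TEST_DECLINES = {
    "14": "invalid account number",
    "N7": "invalid CVV2/CVC2",
    "54": "expired card / expiration mismatch",
    "56": "record/card not on file",
}
ENUMERATION_CODES = {"54", "56"}  # declines that mean the PAN itself is being guessed


def longest_sequential_run(pans):
    """Length of the longest run of consecutive integers among distinct PANs."""
    values = sorted({int(p) for p in pans})
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def longest_card_decline_run(stream):
    """Longest back-to-back run of declines on one card in a merchant's
    time-ordered stream of (timestamp, pan, code); returns (pan, length)."""
    best_pan, best, run, last = None, 0, 0, None
    for _, pan, code in stream:
        if code == APPROVED:
            run = 0
        elif pan == last:
            run += 1
        else:
            run = 1
        last = pan
        if run > best:
            best_pan, best = pan, run
    return best_pan, best


def analyze(records, window=timedelta(minutes=10),
            single_card_min=100, sequence_min=20):
    """records: iterable of (timestamp, merchant_id, pan, response_code).
    Returns {merchant_id: finding} for merchants whose traffic looks like
    CVV brute forcing (one card, many declines) or BIN enumeration
    (many sequential PANs, one decline each)."""
    by_merchant = defaultdict(list)
    for ts, merchant, pan, code in sorted(records):
        by_merchant[merchant].append((ts, pan, code))
    findings = {}
    for merchant, stream in by_merchant.items():
        declines = [r for r in stream if r[2] in TEST_DECLINES]
        if not declines:
            continue
        hot_pan, run = longest_card_decline_run(stream)
        seq = longest_sequential_run(p for _, p, c in declines if c in ENUMERATION_CODES)
        cvv_attack, bin_attack = run >= single_card_min, seq >= sequence_min
        if not (cvv_attack or bin_attack):
            continue
        start, end = declines[0][0], declines[-1][0]
        # Approvals at this merchant around the decline burst: these are the
        # card numbers the article says to block.
        to_block = sorted({p for ts, p, c in stream
                           if c == APPROVED and start - window <= ts <= end + window})
        findings[merchant] = {
            "pattern": "cvv_brute_force" if cvv_attack else "bin_enumeration",
            "test_declines": len(declines),
            "single_card_run": run,
            "hot_pan": hot_pan if cvv_attack else None,
            "sequential_pans": seq,
            "pans_to_block": to_block,
        }
    return findings


def sample_records():
    """Constructed sample traffic: M1 enumerates sequential PANs, M2 hammers one
    card's CVV2, M3 is normal traffic with a few scattered declines (no attack)."""
    base = datetime(2024, 5, 1, 2, 0, 0)
    bin_prefix = "411111"  # placeholder BIN for the example, not a real issuer range
    recs = []
    for i in range(60):  # M1: one attempt per sequential PAN; two of them exist
        code = APPROVED if i in (7, 33) else "56"
        recs.append((base + timedelta(seconds=i), "M1",
                     f"{bin_prefix}{1000000000 + i:010d}", code))
    victim = f"{bin_prefix}9876543210"
    for i in range(120):  # M2: 120 CVV2 failures on one card, then a hit
        recs.append((base + timedelta(minutes=5, seconds=i), "M2", victim, "N7"))
    recs.append((base + timedelta(minutes=7, seconds=1), "M2", victim, APPROVED))
    for i, code in enumerate([APPROVED, "54", APPROVED, APPROVED, "14", APPROVED]):
        recs.append((base + timedelta(minutes=30 + i), "M3",
                     f"{bin_prefix}{5000000000 + i * 97:010d}", code))
    return recs


if __name__ == "__main__":
    for merchant, finding in analyze(sample_records()).items():
        print(merchant, finding)
```

On the sample data the script flags M1 as BIN enumeration (a run of 26 consecutive card numbers declined as not on file, with the two approved PANs listed for blocking) and M2 as CVV brute forcing (120 back-to-back CVV2 declines on one card followed by an approval), while M3's scattered declines stay below both thresholds. The `window` parameter widens the approval search slightly beyond the decline burst so a hit that lands just after the last decline is not missed.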
Brute-force BIN attacks are random, and any card number may be targeted in a future attack at any time. Each credit union must decide for itself whether reissuing cards is warranted; refer to your credit union's reissue protocols for attacks and breaches. Credit unions still developing those protocols may want to consider the following questions:
- Budget: New chip cards are more expensive. Does the fraud risk justify the cost of reissue?
- Customer friction: Was a customer already reissued one or more cards in a short time?
- Supply constraints: Do you have enough plastics available to fulfill a mass reissue?
Reissuing a card or a BIN does not guarantee that attacks stop. The BIN is public information, and once an attacker has it they simply enumerate the account-number range from its lowest to its highest value to build the list of card numbers used in the attack.
Additional best practices
Credit unions should check their authorization parameters to ensure that the CVV, CVV2 and expiration date fields are being verified and that every mismatch is set to decline. A common point of purchase (CPP) analysis of these trends is generally not necessary: the scheme's purpose is to test for valid card numbers to use in later fraud, and a local skimmer or merchant breach is rarely the source of this kind of card testing and brute-force BIN activity.
Also review your blocking practice for high-risk countries. Ensure that strategies are in place to restrict authorizations from countries where your members generate little or no legitimate activity.
Consider contacting Mastercard at 888-240-0553 or Visa at 888-847-2488 to alert them to the merchants used for BIN attack testing. You may also file a network custom complaint form, available on the networks’ websites.
It is important to stay current with industry information. Seek out and participate in the educational offerings of industry leaders that cover attacks affecting financial institutions, such as Visa, Mastercard, Discover, Accel, the Association of Certified Fraud Examiners (ACFE), ACAMS, Thomson Reuters and others.
Conclusion
As BIN brute force attacks continue to evolve in scale and sophistication, organizations must shift from reactive to proactive defense strategies. This means investing in advanced fraud detection tools, fostering cross-industry collaboration, and educating stakeholders across the payments ecosystem. Combating this threat isn't just a technical challenge—it's a strategic imperative. By staying vigilant and adaptive, credit unions can not only safeguard their members and reputations, but also help raise the bar for security standards across the digital economy.