What Is a BIN Attack? Here’s What You Should Know About This New Type of Credit Card Fraud

Updated: Feb. 16, 2023

Sometimes credit card fraud looks like thousands of dollars charged to your account, and other times the purchases are minuscule. This may be the beginning of a BIN attack.

We generally know how to avoid online scams, and that there are some times we shouldn’t use our credit card, but it’s important to stay aware and informed because credit card hackers are always looking for the next con. Cybercrimes are becoming more prevalent than ever, and knowing these signs you’re about to be hacked is one way to protect yourself. A BIN attack is a new type of credit card fraud, and it works a bit differently than what you might be familiar with.

Here’s everything you need to know about BIN numbers, BIN attacks and how to protect yourself.

What does BIN mean?

BIN stands for Bank Identification Number, and it’s the first four to eight numbers of a credit card, debit card or gift card. “The BIN identifies the issuing bank,” explains Paul Bischoff, privacy advocate at Comparitech.

“Many consumers think that their card numbers are totally random, but that’s not actually the case,” explains Monica Eaton, Owner & Founder of Chargebacks911. “If you pull a credit card out of your wallet and look at it, the first number is probably 3 through 6, which are the numbers usually reserved for personal banking, payments and finance.”

What is a BIN attack?

In a BIN attack, a con artist makes a small purchase first. “A BIN attack is part of a larger threat vector called carding,” explains Tami Hudson, EVP & Cybersecurity Client Officer at Wells Fargo. “Carding is a web threat in which threat actors use parallel and multiple attempts to authorize stolen credit card credentials.”

BINs help issuing banks trace their cards. “Ideally, this also helps reduce financial crimes and fraudulent activities, such as identity theft, stolen cards and unauthorized charges, but the fraudsters are very clever,” Eaton says. “Because the BIN follows a certain numerical format, that necessarily means that some numbers will be more likely to appear in certain places than others.” Once a fraudster has figured out the BIN, he’s partway there and just needs to figure out the final numbers, expiration date and CVV number.

“They just keep generating card numbers until they find one that works,” Bischoff explains. “From there, the attacker will check whether the card is active and has any fraud protections by making small purchases, which is called card testing. Upon finding a vulnerable card, they can sell it on the dark web or use it to make fraudulent purchases.”

What do I do if I notice these fraudulent charges?

Fraud Alert Concept With Security Lock and fake credit cards on a computer keyboardronniechua/Getty Images

In order to notice fraudulent charges, you have to pay attention to your statements. We all know we should, yet most of us don’t take the time to do this vital practice. A BIN attack starts with a small charge which might be easily missed, so you have to look at each transaction.

“Monitor, monitor, monitor,” Hudson says. “Many threat actors will start an attack by making small purchase amounts as a teaser, and if these are unnoticed, they will graduate to more significant amount levels.”

Eaton says it’s important to notify your bank immediately, and it’s critical to have a sense of urgency about it, even if the fraudulent charge was only for five cents. “Once the fraudsters discover that they have a valid, usable card, they’re going to come back,” Eaton says. “There’s blood in the water. It’s going to escalate and it’s going to get worse.”

How can I protect myself from a BIN attack?

Hudson recommends setting up transaction alerts and notifications so you can identify suspicious activity as soon as possible. She also recommends setting up multi-factor authentication on your accounts which will require users to sign in with something they know (i.e. password) and something they have (i.e. mobile phone).

“Turn on transaction notifications even for small purchases over one cent,” Bischoff says, “And try to only use merchants that use the Verified by Visa (VBV) or Mastercard SecureCode (MCSC) features, which prompt the cardholder for a one-time password whenever their card is used at participating stores.”

If you’re shopping at stores you don’t fully trust, Bischoff recommends using temporary virtual credit card numbers that you can request from your issuing bank.