Skip to main content

Rise in BIN Attacks Lead List of Fraud Worries. Here’s How Your Credit Union Can Fight Back

It’s been a couple of tough years on the financial fraud fronti

Consider that e-commerce fraud reached $20 billion globally in 2021, representing 14% growth over the prior year. Meanwhile, friendly fraud rose by 45%, and total reported fraud has increased by 40%. 

According to a recent poll, 90% of surveyed consumers are concerned about banking or credit fraud as they move to the digital channel. They have good reason, as 42% have been notified of bank fraud on their account in the past year. 

Perhaps the most concerning trend for credit unions, however, is the rapid rise in BIN attacks, which have increased by 80% since 2020. 

6 smart strategies for preventing BIN attacks 

The first six to eight digits of a credit or debit card are known as the Bank Identification Number (BIN), which is unique to a single issuer. In a BIN attack, a fraudster targets an entire BIN by using a software program to randomly generate the remaining digits of the card number. They then make small online transactions to identify which of those randomly generated card numbers are associated with live, active accounts. Once real account numbers are identified, the fraudster will make a rapid series of larger purchases before moving on to the next account. 

BIN attacks, sometimes known as “brute force” attacks due to their broad scope and randomized nature, are a real challenge for credit unions and other issuers. Here are six smart strategies to help minimize losses and confound the fraudsters: 

A Deep Dive into EMV® 3-D Secure (with One-time Passcode) 

EMV® 3-D Secure (EMV 3DS) is a messaging protocol that enables the authentication of a cardholder during e-commerce transactions prior to authorization. When coupled with the additional protection of a one-time passcode (OTP), it is one of the best measures available to card issuers to help prevent major financial losses from BIN attacks.  

“3-D Secure” stands for “three domains secure,” representing the three participants in the transaction process: the merchant domain—where the purchase is being made; the network “interoperability” domain—i.e., the major card network, such as Mastercard or Visa; and the card issuer domain. 

EMV 3DS manages the liability for fraud between the merchant and issuer, and offers several powerful fraud prevention features, including risk scores and Co-op’s authentication rules. In addition, a unique Electronic Commerce Indicator (ECI) is included with each authentication transaction, helping to enhance Co-op’s fraud mitigation and decisioning as well as ensure the accuracy of chargeback rights. 

“With one-time passcode, the authentication process is very easy and frictionless for the cardholder,” said Salvador Santos, Protect Senior Product Manager, Co-op Solutions. “The benefits of this approach are many. It provides for a seamless and secure member experience, with less risk of card abandonment, resulting in more transactions being completed.” 

To provide maximum protection against BIN attacks and other types of e-commerce fraud, many credit unions are enabling the one-time passcode feature of EMV 3DS. The feature sends a randomized, single-use passcode via SMS to the mobile device on record in the member’s card account file as an additional form of authentication.  

If the EMV 3-D Secure fraud detection model determines that based on various factors, further verification is required at the point of purchase, the cardholder is asked to accept the receipt of a one-time passcode to protect their purchase. If they click to confirm, they will receive the code via a text message within seconds, right on their mobile device. 

They then enter the code to authenticate their transaction, the purchase is approved, and the cardholder is on their way! 

Because it allows for full BIN enrollment, all members are protected, without having to individually register for the service. EMV 3DS is a shared liability model between the merchant and issuer, so no one party is left holding the bag.  

Lastly, the EMV 3DS data model leverages up to 150 separate data points, providing credit unions with ongoing, data-driven security that is flexible enough to respond rapidly to changes in the e-commerce fraud environment. 

Co-op credit unions who have added one-time passcode to their existing EMV 3DS solution have seen a 60% decline in EMV 3DS fraud losses, and are seeing positive results in less than 30 days after implementing the one-time passcode feature. This solution enhancement is proving outstanding results in combatting e-commerce fraud. 

Payment fraud is on the rise, but credit unions have several tools at their disposal to stay one step ahead of the fraudsters. To effectively navigate and respond to today’s dynamic fraud environment, you need a multi-pronged strategy that is flexible and stays current with the latest trends. Co-op’s Fraud Prevention Consultants are here to help, by working with you to build and customize fraud strategies that include the optimal mix of multiple scoring solutions, including EMV® 3-D Secure including One-time passcode.  

For more information about EMV 3-D Secure with One-time Passcode, or Co-op’s Protect solutions, contact your Co-op Client Business Executive, call 800.782.9042 or email solutions@coop.org. And join our next live Fraud Buzz webinar, where we’ll unpack the latest consumer payment trends data, identify the top fraud trends impacting credit unions today, and share strategies you can implement to protect your members.