What is a BIN attack in credit card fraud? An overview of this threat.

Discovering unauthorized transactions on your credit card can be frustrating. Dealing with these charges and arranging for a new card isn't pleasant, either.

The reasons behind unauthorized charges on your credit card can differ, as there are several forms of credit card fraud.

We've seen various reports online and heard from readers experiencing unexpected charges on their accounts. In fact, some TPG staff members found surprise charges on their Bilt Mastercard® (check rates and fees).

These unauthorized charges are part of what is referred to as a BIN (bank identification number) attack. But what exactly does that mean? And how can you safeguard yourself? Let's delve deeper.

What is a BIN attack?

The first six digits of your credit card represent the bank identification number. A BIN attack employs brute-force techniques to guess a valid combination of credit card number, expiration date, and card verification value, or CVV number.

While an individual can guess one digit at a time, software can attempt thousands of combinations in just seconds. Once a valid number is identified, it can explore other similar variations and utilize those at online retailers, presuming that other cards share the same initial six digits.

Numerous attempts to make purchases are getting blocked without customers noticing any activity on their accounts. A representative from Wells Fargo, the issuer of the Bilt Mastercard, informed TPG that attempts from recognized merchants have impacted some customers.

Bilt released a statement confirming that these unauthorized transactions were the result of a BIN attack.

We have been alerted to a worldwide fraud network that has been conducting what are known as BIN attacks. Essentially, they exploit compromised merchants to randomly test millions of potential card numbers, focusing on a single card range at a time. While many of these card attempts are blocked (often without the customer's awareness), sometimes charges slip through. This has been occurring across various banks, and we know that some Wells Fargo Bilt cardholders have experienced fraudulent charges as a result.

Which types of cards are impacted by this?

Our investigation revealed that these recent attacks have impacted more than just the Bilt Mastercard. In fact, a BIN attack doesn't discriminate based on card type or require access to a company's software. It simply aims to find a successful combination of numbers for a transaction. Once it succeeds, fraudsters hope the affected cardholder will not notice until they can make further purchases or cash withdrawals.

Therefore, the bank that issues your credit card or the type of rewards your card offers is irrelevant. BIN attacks don't require infiltrating the bank's website or the loyalty program's site to be effective.

This highlights the necessity of routinely reviewing your credit card statements for any fraudulent charges. Doing so helps identify issues swiftly and curtails additional unauthorized transactions.

It's crucial to know whom to contact if you spot unauthorized charges on your credit card: the bank that issued it. For instance, if you notice fraud on your Marriott credit card, you should reach out to either Chase or American Express, depending on the issuer of your card, rather than calling Marriott's customer service.

In a similar vein, Bilt does not function as a credit card issuer and cannot provide you with a new credit card. You must contact your issuing bank—either Wells Fargo (for those who applied since applications opened to the general public in March 2022) or Evolve (for earlier applicants).

What steps can I take to safeguard myself against BIN attacks?

Ultimately, you can't prevent computer programs from attempting to guess credit card numbers. However, you can keep an eye on your accounts and protect your personal information to avoid other forms of credit card fraud.

If you're concerned that someone has your credit card number, you can temporarily lock your card to halt transactions. Keep in mind, though, this isn't a permanent fix. Certain transactions, such as recurring bill payments and refunds, will still be processed, which means a fraudster could try a refund to see if your card is still active. Furthermore, locking your card doesn't address the main issue: the possibility that someone else has access to your card number.

Therefore, if you find unauthorized charges on your account, it's crucial to obtain a new card with a different number. Call the number located on the back of your credit card or visit your bank's website directly—type the URL in your browser to avoid phishing attempts. Many banks provide alerts via email, app, phone, and text for suspicious transactions, so be sure you recognize what these notifications look like to discern which ones are genuine.

It's also essential to safeguard your credit card information by carefully assessing which websites you share your details with and being cautious about the links you click. Additionally, use strong passwords to further secure your information.

It's important to report any suspicious charges on your account promptly. Doing so quickly helps ensure you aren't held liable for those charges—another compelling reason to keep an eye on your credit cards regularly.

In summary

Several readers reached out to TPG to share their experiences with fraudulent attacks and unauthorized charges, inquiring about the situation. Unfortunately, this issue extends beyond just the Bilt Mastercard, so it's crucial to routinely check your accounts for signs of fraud. While you can't stop software from attempting to guess your credit card number, you can take measures to limit the potential damage and avoid further issues.