Understanding Velocity BIN Attacks and How to Address Them

It’s Friday night and you are enjoying your well-deserved, stress-free night when your work phone rings. It’s your call center manager informing you of a rise in complaints of unauthorized transactions—all at the same merchant. Goodbye stress-free weekend.

Your institution is likely experiencing a velocity BIN attack—a fraud pattern that most card fraud managers dread, but nonetheless should be prepared to address. Such attacks occur when multiple authorizations are generated over a short period of time.

These types of attacks can strike multiple PANs or a single PAN, are not exclusive to any entry mode or country, and can happen at any time. When occurring simultaneously in an excessive number of PANs, they are commonly referred to as BIN attacks.

A few years ago, most velocity attacks were perpetrated by fraudsters for probing or testing purposes. Fraudsters would attempt multiple low-value monetary authorizations seeking to detect an active account and decipher the CVC or Expiration Date values of a set of cards within a BIN range.

Today, such attacks can be more complex, making them difficult to spot. Fraudsters may attempt non-monetary authorizations or Account Status Inquiries (ASI) to determine if a card is active. Gone are the days where the fraud was attempted in a short period of time after a test transaction.

Today, fraudsters will attempt to exploit any weakness identified via testing. For example, a bank could experience a testing BIN attack in the first week of a month and a fraud attempt on the active cards a month later via a separate velocity attack.

Mastercard offers the following guidelines to help you prepare for and potentially reduce the adverse financial impact of velocity attacks.

Familiarize Yourself with Pertinent Information

Before constructing a fraud mitigation strategy, learn your cardholders’ spending patterns. Understanding where (countries, MCCs) and how (entry modes) your cardholders transact can help you fortify your strategies efficiently for each of your portfolios.

Know the capabilities of the fraud tools at your disposal to help mitigate velocity attacks. Are your rules deployed in real-time or is there a delay? Are your authorizations targeted by your tools? Do you have access to Mastercard Fraud Rules Manager?

Fortify Your Defenses

With many philosophies around optimal cross-border fraud prevention, the most important element is to have strategies in place.

A successful Card Not Present velocity attack in a Singaporean duty-free shop can be very frustrating to explain to your C-suite.

Set up a cadence to review your portfolios’ parameters to address possible gaps or weaknesses, such as confirming that unsupported transactions are not approved, the Authorization Request Cryptogram (ARQC) is being validated, and that the Application Transaction Counter is being monitored. It is very unlikely that the first transactions on multiple cards in a US issuer’s portfolio will be contactless transactions in South America, for instance.

Validate that your Stand-In parameters are aligned with your institution’s risk tolerance appetite. A best practice is to construct geo-controls within the Stand-In tool.

React when Attacked

Determine how your institution become aware of the attack. This information will help you discover if you are already targeting some of the pattern or if you will need to perform an analysis to determine the scope of the attack. Was the attack identified due to cases created by your system or by the cardholders contacting your call center?

Finally, be prepared to take immediate action in deploying fraud mitigation strategies to deter an attack. A financially successful attack can make your institution more vulnerable to further attacks by the same crime ring.

For additional technical recommendations please refer to Mastercard’s AN 1185–Issuer Fraud Management Best Practices.

Juan Funes is manager of Franchise Customer Engagement & Performance at Mastercard.