BIN card fraud attacks on the rise in Jamaica

Banking experts are now warning of a rise in so-called BIN attacks in which hackers use computer programmes to essentially ‘guess’ the full card number, CVV code and other information linked to debt and credit cards.

As such, JMMB Bank, for instance, has urged its customers to ‘minimise’ the amount of cash in their card-linked bank accounts and to be alert to changes in their bank data.

JMMB Group has gone as far as to put together a video for customers to help than protect their holdings, the link to which was issued to accountholders via mass email on May 20.

BIN, or bank identification number, is the first six digits of a debit or credit card.

Utilising the bank identification, cyber thieves “attempt to guess a valid combination of the card number, expiration date and card verification value, or CVV number, all necessary components to execute a card transaction,” said the JMMB alert.

“Using a software program, fraudsters try thousands of those combinations in a matter of seconds. Once the program finds a number combination that works, it can try other (similar) variations and then use those at online merchants – assuming that other cards will have the same initial six digits.”

Since the ‘guesses’ made by the cyber thieves are often wrong, bank customers have been receiving ‘declined’ alerts for transactions they did not initiate. In such cases, the alerts are an indication that the attempted scam has failed.

“All brands of cards in the market space, both local and international, are susceptible to BIN attacks,” said Dane Nicholson, the Jamaica Bankers Association’s spokesman on fraud.

Companies using card services that permit internet transactions may have seen an uptick in complaints, he said.

Prior to JMMB’s circular, President and CEO of First Global Bank Radcliffe Daley also sent out a message to accountholders in mid-May, saying the bank had blocked an attempt to access customer cards, which occurred on May 8-9.

The bank launched an investigation, but in the meantime, Daley urged customers to be alert to activity on their accounts.

JMMB says customers should pay close attention to alerts regarding ‘successful’ transactions, and in cases where they did not initiate the transaction, those are a signal of a fraudulent breach and should be reported immediately to JMMB Bank, so that the card can be clocked or replaced.

In cases where the transaction has been declined, no report to the bank is required, it added.

First Global alerts

In the First Global Bank case, the bank told the Financial Gleaner that a number of its customers received account alerts between 6 p.m. on May 8 and 5 a.m. the next day. The bank said its security systems successfully blocked a series of attempted fraudulent transactions within the eleven-hour time block.

“Account alerts are generated for every transaction associated with First Global Bank accounts. This alert is evidence that our systems are performing as they should be, to protect our customers,” the bank said.

“Incidents of this nature are not unique to First Global Bank, nor are they unusual in the credit card industry. First Global Bank has mechanisms in place that detect and block these types of threats, and we do so with a high success rate.”

JMMB also said that its own review showed that BIN attacks on its customers have so far been unsuccessful.

Nicholson, who is also head of fraud prevention at National Commercial Bank Jamaica, says a BIN attack occurs when fraudsters use the first six digits of a card “to generate full card numbers using an algorithm, with the aim of generating legitimate card numbers”.

It’s also referred to as a ‘brute force’ attack, he said. Other descriptions used internationally are ‘credit card testing’ and ‘card not present’ attacks.

There appears to be limited data related to losses from BIN or card-not-present fraud, specifically, but in the United States the losses were estimated at US$8.75 billion last year and are projected at US$9.5 billion this year. In the United Kingdom, the losses were estimated at £452 million in 2020.

Otherwise, credit card testing/BIN is said to be one of the main elements of e-commerce fraud, which is on the rise internationally. In 2022, global online payment fraud linked to e-commerce doubled to US$41 billion and is projected to grow further to US$48 billion this year.

It’s estimated that upwards of a third of global e-commerce fraud occurs in the United States.

Nicholson explained that once the hackers successfully generate the card numbers, they are tested by attempting small transactions with various e-commerce merchants.

Around for decades

The transactions are generally done online, via telephone or mail order. One of the ways in which BIN attacks are classified or identified is through multiple small transactions emanating from a single point.

Nicholson said BIN fraud has been around for decades, but the frequency of attacks has increased since the coronavirus pandemic.

“Similar to the strategies employed in counterfeiting banknotes, fraudsters adopt related approaches to BIN attacks,” he said.

With expectation that the attacks will continue to proliferate, Nicholson said banks and merchants should add more layers to their security. The best containment measures, he added, include automation of the monitoring of BINs to identify high volumes of CVV/expiration date errors and repeated low-value or out-of-band transactions.

The banks should also “implement proper BIN management techniques by blocking unused account ranges; replace compromised/exposed card numbers once the number is valid, even if the transactions were unsuccessful; and implement Captcha on e-commerce platforms.”

Captcha – the feature which users are required to click to say ‘I’m not a robot’ – is a program designed to distinguish humans from machines or bots, and thwart automated extraction of data from websites.

In Jamaica, bank fraud is actually on the decline, but the central bank noted in its latest Financial Stability Report that internet-based fraud is on the rise and credit card fraud continues to proliferate.

For 2022, the Bank of Jamaica reported that banks lost $715 million to fraud, down from a high of $1.3 billion in 2019.

avia.collinder@gleanerjm.com