How can I prevent BIN attacks?
Fraud attacks
Fraud attacks, particularly enumeration fraud, involve attempts to submit payments with the intent of testing card account numbers or credentials. This type of fraud is also known as card testing attacks, where sequentially generated card numbers are tested, or BIN attacks, where multiple compromised card numbers associated with the same Bank Identification Number (BIN) are targeted.
Characteristics of enumeration fraud
Common patterns of enumeration fraud may include:
- $0 or low authorization amounts
- High refusal rates from issuers and/or RevenueProtect
- Increased authorization attempts using the same issuer BIN
- Randomly generated cardholder information
- A high number of authorization attempts in a short period
Note: These patterns are not always definitive indicators of fraud. We recommend that you review transactional activity thoroughly before implementing risk controls.
Impact of enumeration fraud
- Lower authorization rates due to high issuer decline rates
- Increased transaction fees from repeated declined transactions
- Additional fees from Visa or Mastercard for excessive retry attempts
How to prevent or alleviate the risk of enumeration fraud
The most effective way to prevent fraudsters from submitting fraudulent attempts is to block them from accessing your check-out domain in the first place. Many of our partners, such as Salesforce, Adobe, Zuora, Recurly and Vtex, can help with this as they control your web portal.
Step 1: Investigate unusual activity
Start by investigating unusual activities, such as an increase in issuer refusal rates or payment attempts with $0 or very small amounts. It's important to confirm that these activities are fraudulent before taking action.
Step 2: Take Preventive Measures
If you confirm the transactions are fraudulent, take at least one of the following steps to prevent these attempts from reaching Adyen’s platform, and preferably all three for a limited timeframe. Involve your web-portal partner if applicable, as they can help implement the following measures:
Option 1: Set Velocity Thresholds
- Monitor the velocity of website visits for sudden spikes, which may indicate automated, scripted attacks.
- Establish thresholds for the number of visits within a specific timeframe.
- Monitor velocity based on various data points such as IP address, device, email, etc.
Option 2: Implement CAPTCHA Controls
- Use CAPTCHA to block bots and scripts from initiating automated transactions, for example by requiring a CAPTCHA once an IP address exceeds five authorizations within a set timeframe.
- Track where IP addresses originate and block malicious ones.
- Ensure CAPTCHA validation is required for all requests that involve card validation or payments. Google offers solutions like reCAPTCHA Enterprise, reCAPTCHA v3, and reCAPTCHA v2.
- While effective, CAPTCHA may reduce conversion rates, so consider it a temporary measure to disable once the fraud attack subsides.
Option 3: Use a Web Application Firewall (WAF)
- A WAF can help detect and prevent botnet activity, leveraging tools like Network Intrusion Detection Systems (NIDS), rootkit detection, and anti-bot programs.
- Adjust firewall settings to limit page submissions and repeated actions on your website.
- Automatically block visitors from known malicious sources.
- Implement device fingerprinting with proxy piercing to detect multiple contacts from the same device and identify bots. Consider adding 3-D Secure authentication for additional protection.
Adyen's recommendations
We recommend reviewing these preventative measures before adjusting the platform's risk settings. Although we can assist in combating fraud, it's ideal to block these transactions before they reach our platform.
If fraudulent transactions still reach the platform, follow these steps:
- Monitor for Signs of a Fraud Attack
  - Use the Risk & Dispute Management report in the Customer Area to watch for increases in issuer or risk refusals.
- Temporarily Block Fraudulent BINs
  - Consider blocking the BINs that are being used by fraud actors during an attack.
- Enable RevenueProtect Risk Rules
  - Set up the following rules with risk scores:
    - Card number chunk used more than X times within Y minutes
    - Mastercard or Visa card number used more than X times within Y days
    - Card/bank account number used more than X times within Y hours
    - Shopper email used more than X times within Y minutes
    - Shopper IP used more than X times within Y minutes
    - Shopper initiated transactions more than X times within Y days
- Utilize Custom Risk Rules
  - Use custom rules in RevenueProtect (a Premium feature) to target specific fraud trends you have identified.
For more information on mitigating fraud with RevenueProtect, please visit our risk management page.
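As an added example (not Adyen's code and not part of the original article), the sliding-window velocity check behind both Option 1 above and the RevenueProtect-style "used more than X times within Y minutes" rules, run over constructed authorization attempts that show the enumeration pattern described earlier (same BIN, $0 amounts, one IP, high refusal rate). The thresholds, window length, PANs, IPs and emails are all assumed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Attempt:
    ts: int        # seconds since epoch (constructed sample data below)
    pan: str       # card number; only the first six digits (the BIN) are used
    ip: str
    email: str
    amount: float  # authorization amount in major units
    refused: bool  # issuer or risk-engine refusal

# Illustrative X/Y values; tune them to your own traffic before acting on alerts.
THRESHOLDS = {"bin": 5, "ip": 5, "email": 3}
WINDOW_SECONDS = 60

class VelocityMonitor:
    """Sliding-window counter per data point: issuer BIN, shopper IP, shopper email."""
    def __init__(self, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
        self.window, self.thresholds = window, thresholds
        self.history = {k: defaultdict(deque) for k in thresholds}

    def observe(self, a):
        keys = {"bin": a.pan[:6], "ip": a.ip, "email": a.email}
        fired = []
        for name, value in keys.items():
            q = self.history[name][value]
            q.append(a.ts)
            while a.ts - q[0] > self.window:   # drop events outside the window
                q.popleft()
            if len(q) > self.thresholds[name]:
                fired.append(f"{name}={value} used {len(q)}x in {self.window}s")
        return fired

def scan(attempts):
    """Return (alerts, refusal_rate, low_amount_rate) for a batch of attempts."""
    mon = VelocityMonitor()
    alerts = [(i, h) for i, a in enumerate(attempts) for h in mon.observe(a)]
    n = len(attempts)
    refusal_rate = sum(a.refused for a in attempts) / n
    low_amount_rate = sum(a.amount <= 1.00 for a in attempts) / n
    return alerts, refusal_rate, low_amount_rate

# Constructed sample: one genuine shopper, then a burst of $0 authorizations on
# distinct PANs sharing one BIN, from one IP, with random-looking emails.
SAMPLE = [Attempt(0, "5555550000000001", "198.51.100.7", "jane@example.com", 49.99, False)] + [
    Attempt(10 + i, f"41111100000000{i:02d}", "203.0.113.9", f"u{i}x@example.net", 0.00, i % 5 != 0)
    for i in range(8)
]
```

Alerts fire only once the sixth attempt on the shared BIN and IP lands inside the window, while the per-email rule stays quiet because every attempt carries a different address.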