Credit Card Bin Attack Fraud
Since around April 2003, a new type of Internet-based credit card fraud has hit banks in Australasia. Traditionally credit card fraud is based around obtaining a single card by various means:
- Lost or stolen cards – using a card that has been lost or stolen
- Skimming – using a magnetic card reader to copy the genuine card details on to a blank card
- Dumpster diving – obtaining credit card receipts from rubbish bins and using the details to perpetrate fraudulent transactions.
Bin Attack Fraud
Now, fraudsters are using the Internet to access software such as Creditmaster that will allow them to generate new card numbers from an existing good one. These numbers are in sequence order within the same card number bin – the first 12 digits of the number. This is step one of the fraud.
Step two is to test these new card numbers at merchants’ Internet sites. The fraudsters try out all the new numbers with a transaction amount under fifty dollars, using the same expiry date as the original card, because cards in the same sequence are usually given the same expiry date. The numbers that prove to be successful are then used in step three.
The final step is to use the known good card numbers at different Internet-based merchant sites to find a “hit”. This is a transaction or transactions with values between $500 and $10,000. Once banks detect that these are fraudulent transactions, they reverse the transactions back to the merchant, who ends up wearing the cost. These merchants tend to be IT/high tech companies in Asia, USA and Europe. There is no New Zealand-based fraud of this type so far.
Combating Bin Attack Fraud
Fraud Detection Software
Banks usually have fraud detection software in place to pick up this and all other types of fraud. The problem is that most fraud detection software works by searching for transaction behaviour that is out of the ordinary for each card. Because bin attack fraud affects a range of cards, current software is mostly ineffective, particularly at identifying the bin attack testers.
There are two ways of detecting this type of fraud. The first is to use an algorithm to identify the bin attack patterns by looking at the number of transactions within a narrow card range over a short time interval. The advantage of this approach is that it is quick to develop and implement. The disadvantages are that it is inflexible and may no longer work if fraudster behaviour changes, and that it will not pick up both testers and hits (the large dollar ones) at the same time.
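The first approach above, sketched as an added example (not code from the original article): it counts the distinct cards that see tester-sized attempts within one 12-digit range over a sliding time window. The window length, the card-count threshold and all card numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PREFIX_LEN = 12                 # the page's "bin": first 12 digits of the card number
WINDOW = timedelta(minutes=10)  # assumed "short time interval"
MIN_CARDS = 5                   # assumed threshold: distinct cards seen in one range
TESTER_MAX = 50.00              # the page puts tester amounts under fifty dollars


def detect_bin_testing(transactions):
    """Alert on low-value bursts across one card range; input sorted by time."""
    recent = defaultdict(deque)  # prefix -> (timestamp, card) inside the window
    alerting = set()             # prefixes already reported for the current burst
    alerts = []
    for ts, card, amount in transactions:
        if amount >= TESTER_MAX:
            continue             # large "hits" are out of scope for this rule
        prefix = card[:PREFIX_LEN]
        window = recent[prefix]
        window.append((ts, card))
        while ts - window[0][0] > WINDOW:  # expire events older than the window
            window.popleft()
        distinct = len({c for _, c in window})
        if distinct < MIN_CARDS:
            alerting.discard(prefix)       # burst over; allow a future alert
        elif prefix not in alerting:
            alerting.add(prefix)
            alerts.append({"prefix": prefix, "first_seen": window[0][0],
                           "detected": ts, "distinct_cards": distinct})
    return alerts


def sample_transactions():
    """Constructed sample data; every card number here is made up."""
    t0 = datetime(2003, 4, 1, 12, 0)
    burst = [(t0 + timedelta(seconds=30 * i), f"400000123456{i:04d}", 9.95)
             for i in range(1, 7)]            # six sequential cards, 30 s apart
    other = [
        (t0 + timedelta(minutes=1), "4111110000001111", 42.00),
        (t0 + timedelta(minutes=2), "4111110000001111", 12.50),   # one card, reused
        (t0 + timedelta(minutes=4), "5500009999990001", 19.99),
        (t0 + timedelta(minutes=5), "4000001234560003", 2500.00), # hit-sized amount
    ]
    return sorted(burst + other)


if __name__ == "__main__":
    for alert in detect_bin_testing(sample_transactions()):
        print(alert)
```

On the sample data the rule raises one alert for the sequential range and skips the $2,500 transaction, which matches the limitation noted above that this approach does not pick up testers and hits at the same time.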
The second approach is to use predictive modelling techniques to identify the fraudulent transactions. The advantages are that the methodology is inherently more flexible, will pick up both testers and hits at the same time, and is likely to be more effective for longer. The disadvantage is that more work is required to implement this approach.