Recently, there have been reports from across the globe of banks being impacted by the ‘BIN Attack’. Where the attackers bruteforce a large number of randomly generated card numbers. There have been cases in the Arab World as well.

Although this is a very old form of attack since early 2000, but keeps on resurfacing. Following are some of the recent mentions in the news:

The attacks are the result of payment systems and relevant stakeholders, allowing the authorization of CNP transactions with a low value (1$ to 10$) payments with just a card number and expiry date.


The attacker (s) impersonate or breach merchant details and pose as seemingly legitimate online merchants (i.e., merchant spoofing). A merchant account may either be directly compromised or impersonated using fraudulent documentation. The attacker generates new credit card numbers with the same BIN sequence, utilizing existing genuine credit cards (based on algorithms). These are not merely randomly generated numbers. The tools equipped with algorithms are available online.

Fraudsters can submit a high number of low-value dollar transactions in rapid succession and execute the credit cards for fraudulent transactions using impersonated or breached merchant credentials. Once victimized banks issue reversals, the merchant in question is liable for chargebacks.

Such BIN attacks leverage a non-authorized payment approach which has been adopted by prominent businesses such as Uber, Paypal, Amazon. For convenience, a lot of information (such as credit card numbers, expiration dates are already stored), such that customers only need to enter card numbers without security code for small transactions.

For further details, click the download button below!