Online businesses are suffering from fraudulent attacks that can result in financial loss and reputational damage. We’d like to show you some steps you can take today at little to no cost to help reduce the financial and reputational impact of BIN (Bank Identification Number) attacks.

What is a BIN attack

A BIN attack, also known as card testing, happens when a fraudster attempts to determine if stolen card information can be used to make purchases. BIN attacks are common across online commerce. At NAB, we’re constantly improving our tools and systems to detect and reduce fraud, but it’s important our customers also remain alert about fraud.

A BIN attack occurs through automated scripts or ‘bots’ that fraudsters use to look for vulnerable websites to test. You can prevent these attacks using effective solutions such as risk management tools, CAPTCHA and implementing 3D-Secure.

Ways to spot a BIN attack

There are number of ways to identify a BIN attack, including:

  • A considerable number of low value or similar value transactions attempted in a short period of time
  • Multiple declines
  • A large volume of international card transactions
  • Attempts made using similar card numbers where only the final 4 to 6 digits vary
  • Unusual timing of the transactions for your business (usually in the early hours of the morning).

What to do if you've had a BIN attack

If your NAB Transact facility is being targeted by card testers, you should contact the NAB Fraud Team on 1300 622 372 (then select Option 3). The team is available 8:30am – 5:00pm (AEST), 7 days a week. Be sure to contact the team as soon as possible if you think fraudulent activity has occurred.

Card testing has many negative effects on your business, including:

  • Increased disputes or chargebacks
  • Higher decline rates
  • Additional fees
  • Reputational impacts.

The 3 Steps for Prevention

Card testers employ a wide variety of techniques to make their fraudulent activity difficult to block. As a result, simple firewall rules or filters can’t always prevent card testing on their own. We recommend you employ a mix of rules and regularly review these settings to ensure your customers are not impacted.

We suggest you employ the following fraud prevention steps to help protect your business. 

  1 2 3  
Risk Management
Google recaptcha
$5.50 monthly fee $0.05 per authorization
Available to
NAB transact merchants
All merchants
NAB transact merchants

Step 1 use risk management tools

Risk management tools in NAB Transact offers ways to exclude fraudulent transactions using a set of customisable rules that you can tailor to protect your business and your customers.

NAB Transact offers a free fraud management service that is readily available to NAB Transact merchants. The tool offers velocity rules and whitelist/blacklist rules that are easily customisable.

How do i enable risk management?

  1. Log into NAB Transact.
  2. Select the Product Administration column.
  3. Tap Risk Management Settings on the home page of your NAB Transact Portal.
  4. On the new page, select Change Settings and tick enable where required.
  5. Make sure to tap save once you are done.

The settings that you choose here can be set to suit your business needs. The most effective settings to combat BIN attacks are:


It’s important to review these settings regularly to make sure that they’re still preventing BIN attacks.

If you need assistance with setting up Risk Management tools, contact the NAB Transact Team.

What does my web developer need to do?

For merchants that use a Direct Post or XML/API. your webmaster will need to configure settings within your site to handle these risk management rules. Your developer will need to consult the integration guide for your website.

  1. Log into NAB Transact
  2. Select the Product Administration column
  3. Tap Risk Management Settings on the home page of your NAB transact portal.
  4. Download the integration guide relevant for your website
  Integration Guides for your developer    
Integration Guides for your developer
Document Tilte
Direct Post
Integration Guides for your developer
Integration Guide - Direct Post V2 for Payments
Integration Guides for your developer
Integration Guide - XML API for Payments

If your integration is a hosted payments page, you won’t need to make any changes.

Step 2 Add a Captcha

Card testers often use automated scripts that can be blocked using a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) , which works by observing behaviour on the website and distinguishing between a human and a bot. If it’s unsure, it poses a short challenge for the customer to complete.

The free Google reCAPTCHA  tool is effective for blocking card testing. It gives you the option of both visible and invisible CAPTCHAs, depending on your needs.

Any CAPTCHA solution can be implemented by your web developer.

What to do if you're still affected by card testing

If you’ve added a CAPTCHA to your integration but are still affected by card testing, please check the following:

  • Make sure the CAPTCHA requires validation on all requests that enable card validations or payments
  • Review the CAPTCHA’s documentation to make sure it has been implemented properly
  • If you’re using a CAPTCHA that provides a score, adjust the threshold at which you prevent requests from succeeding
  • Try a different CAPTCHA solution, such as switching from an invisible CAPTCHA to a visible CAPTCHA, or using a different CAPTCHA solution entirely.

Step 3 Enable EMV 3DS

If you use the NAB Transact payment gateway, you’ll have the added comfort of knowing that NAB Transact supports EMV 3DS. You can consult your web developer or e-commerce software provider to have your integration with NAB Transact upgraded to use EMV 3DS authentication.

EMV 3DS will make the issuer responsible for the chargeback liability on fraudulent transactions. Merchants remain liable for chargebacks related to goods and services, for example if the goods are not received.

For more information, check out Protecting your business online with EMV 3DS.

Important information