What is a BIN attack?

A BIN (Bank Identification Number) attack is when a fraudster attempts to determine if stolen card information can be used to make purchases. BIN attacks are common across online commerce. At NAB, we’re constantly improving our tools and systems to detect and reduce fraud, but it’s important our customers also remain alert about fraud.

A BIN attack occurs through automated scripts or ‘bots’ that fraudsters use to look for vulnerable websites to test. You can prevent these attacks using effective solutions such as risk management tools, CAPTCHA and implementing 3D-Secure.

Watch this video to learn more about the harmful effects of BIN attacks and what can be done about them.  View what are online BIN attacks video transcript (DOC, 15KB)

Negative effects of BIN attacks include

A BIN attack may mean the following for your business:

  • increased disputes or chargebacks
  • higher decline rates
  • additional fees
  • reputational impacts
  • regulatory fines.

Ways to spot a BIN attack

There are a number of ways to identify a BIN attack, including:

  • A considerable number of low value or similar value transactions attempted in a short period of time.
  • Multiple transaction declines. 
  • A large volume of international card transactions.
  • Attempts made using similar card numbers where only the final 4 to 6 digits vary.
  • Unusual timing of the transactions for your business (usually in the early hours of the morning).

What to do if you've had a BIN attack

If your NAB Transact facility is being targeted by fraudsters, you should contact the NAB Fraud Team on 1300 622 372 (then select Option 3). The team is available 8:30am to 5:00pm (AEST), 7 days a week. Be sure to contact the team as soon as possible if you think fraudulent activity has occurred.

Three steps to help prevent BIN attacks

Card testers employ a wide variety of techniques to make their fraudulent activity difficult to block. As a result, simple firewall rules or filters can’t always prevent card testing on their own. We recommend you employ a mix of rules and regularly review these settings to ensure your customers are not impacted.

We suggest you use the following fraud prevention steps to help protect your business. 

  Cost Integration Available to
Step 1: Risk Management
Available to
NAB merchants
Step 2: EMV 3DS
$5.50 monthly fee and $0.05 per authorisation
Available to
NAB merchants
Step 3: Captcha
Available to
All merchants

Step 1: Risk management tools

Risk management tools in NAB Transact offer ways to exclude fraudulent transactions using a set of customisable rules that you can tailor to protect your business and your customers.

NAB Transact offers a free fraud management service that is readily available to NAB Transact merchants. The tool offers velocity rules and whitelist/blacklist rules that are easily customisable. This service is available for NAB Transact customers using Hosted Payments Page, Direct Post and XML/API configurations.

How do I enable risk management?

  1. Log into NAB Transact.
  2. Under the Product Administration column, tap Risk Management Settings on the home page of your NAB Transact Portal.
  3. On the new page, select Change Settings and tick enable where required.
  4. Make sure to tap Save once you’re done.

The settings that you choose here can be set to suit your business needs. The most effective settings to combat BIN attacks are:

It’s important to review these settings regularly to make sure that they’re still preventing BIN attacks.

If you need assistance with setting up Risk Management tools, contact the NAB Transact Team on 1300 369 852, Option 3.

What does my web developer need to do?

For merchants that use a Direct Post or XML/API, your webmaster will need to configure settings within your site to handle these risk management rules. Your developer will need to consult the integration guide for your website. If your integration is a Hosted Payments Page, you won’t need to make any changes.

  1. Log into NAB Transact.
  2. Select the Product Administration column.
  3. Tap Risk Management Settings on the home page of your NAB transact portal.
  4. Download the integration guide relevant for your website.

Integration guides for your developer

  Document Title Section Page
Direct Post Integration
Document Title
Integration Guide - Direct Post V2 for Payments
XML/API Integration
Document Title
Integration Guide - XML API for Payments

Step 2: Enable EMV 3DS

If you use the NAB Transact payment gateway, you’ll have the added comfort of knowing that NAB Transact supports EMV 3DS. You can consult your web developer or e-commerce software provider to have your integration with NAB Transact upgraded to use EMV 3DS authentication.

EMV 3DS will make the issuer responsible for the chargeback liability on fraudulent transactions. Merchants remain liable for chargebacks related to goods and services, for example if the goods are not received.

For more information, check out Protecting your business online with EMV 3DS.

Step 3: Add a Captcha solution

Card testers often use automated scripts that can be blocked using a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). This works by observing behaviour on the website and distinguishing between a human and a bot. If it’s unsure, it poses a short challenge for the customer to complete. 

The free Google reCAPTCHA tool is effective for blocking card testing. It gives you the option of both visible and invisible CAPTCHAs, depending on your needs.

Any CAPTCHA solution can be implemented by your web developer.

What to do if you're still affected by card testing

If you’ve added a CAPTCHA to your integration but are still affected by card testing, please check the following:

  • Make sure the CAPTCHA requires validation on all requests that enable card validations or payments.
  • Review the CAPTCHA’s documentation to make sure it has been implemented properly.
  • If you’re using a CAPTCHA that provides a score, adjust the threshold at which you prevent requests from succeeding.
  • Try a different CAPTCHA solution, such as switching from an invisible CAPTCHA to a visible CAPTCHA, or use a different CAPTCHA solution entirely.

If you require further assistance, please contact the NAB Transact Help Desk on 1300 369 852, Opt 3 - Monday to Friday, 8:00am to 8:00pm (AEST/AEDT).

Related articles

Important information