On Presidents Day 2020 and the weeks following, several of our clients experienced brute force attacks on their ATM and debit card BINs. The losses suffered in some cases were in the six digits, which prompted the SettleMINT and AuditLink teams of CU*Answers to dig in, understand how they happened, and what steps credit unions should consider to mitigate these losses.
What is a brute force attack?
A brute-force attack is when a fraudster uses an auto-dialer to try to get the card numbers issued within the credit union’s BINs. You will see attempted authorizations on card numbers not yet issued. These attempts will typically be on one merchant as they test cards to try to get authorizations. With a card number, fraudsters can perform unlimited guesses to find the card expiration date and other security layers to make the card usable. This impacts all card types including credit, debit, EMV or non-EMV, consumer or business accounts.
These attacks are well orchestrated by criminal rings. They not only include the compromise of the card account but also teams of people in the field waiting with activated cards to purchase goods via internet channels as well as physical stores.
How is this discovered?
Ideally it would be uncovered by the switch, but unless the credit unions are monitoring for this specifically, it typically goes undiscovered until a member calls stating they have fraudulent transactions on their card.
In our research, we learned there could be signs of bad actors testing your BINs with card numbers prior to or as the attack is occurring. In some cases, the switch has fraud logic to detect this and requires a savvy employee to be reviewing the data who understands what to look for.
Recommendations for mitigating risk at your switch provider level
The following are recommendations that you should consider to lower the likelihood of almost any type for plastic fraud, including account take over due to phishing attacks, brute force BIN attacks, and criminals purchasing active cards on the dark web.
Do you have limitations on foreign countries and does your vendor offer travel letters for individual members who contact you regarding traveling to these countries? In one attack, almost all transactions originated out of Brazil and came through an unknown network.
Wondering what countries to block? That would be a great question for the fraud management departments at your vendor. FinCEN issued a March 26, 2020 advisory on this topic as well: https://www.fincen.gov/resources/advisoriesbulletinsfact-sheets/advisories.
What strategies or schemas already exist at the switch to uncover these?
Ask your vendor if they have strategies built in to uncover these types of attacks. This would include queries of the declined data that would lead one to believe your BIN is being tested or multiple transactions coming through the same merchant at high velocity.
These strategies use multiple variables including the fraud score, velocity, merchant type, geography, and many others. Push very hard on this question as our experience has been they do not like to willingly give this information up. Also, ask what training they can provide for you to query the data to uncover fraudulent activity. This should be a skill set understood by credit union staff. Keep in mind, strategies like these do help stop these attacks, but you need to understand what your switch provides for free and what you need to pay for.
Review your configurations every year including:
- Limits (where they exist and when they kick in);
- Any new fraud related tools that they have implemented or ones you can purchase;
- Alerts that would immediately tell you an attack is under way or fraud is evident;
- And any recommendations to lock the process down to mitigate risk.