October was Cybersecurity Awareness Month, so let’s wrap it up by talking about your debit cards, fraud, and how to increase security around your cards. I recently worked with a credit union that had just had a handful of their members’ debit cards compromised. Let me tell you—cleaning up the mess after an attack was not only stressful, but it was also time-consuming and pricey (tens of thousands of dollars pricey).
There are some types of debit card fraud you just can’t account for, like purchases directly related to the physical theft of a member’s card. However, there are other ways you can tighten up your card security to reduce the chances of an electronic fraud situation occurring. Taking preventative measures beforehand is much simpler and more cost-efficient than dealing with the aftermath of an attack.
Watch out for brute-force BIN attacks
Let’s talk about one of the most common ways your members’ card information can be stolen: brute-force BIN attacks. What are they? These types of attacks use trial and error to essentially guess your members’ card information based on the assumed predictability of numbers following the BIN. An attacker could get a hold of a single member’s card information following a physical theft, a purchase from a spammy website, or even something like a merchant data breach (and we all remember the big one that happened in 2013 with the big box “bullseye” store that got us all free credit monitoring for a few years).
Once they have access to the member’s card information, they will try to guess additional card numbers and expiration dates that follow the same number and expiration date pattern as that of the member’s card. They simply keep guessing and guessing until they reach a valid card number and expiration date and then use that information to make fraudulent purchases at your member’s expense. (Want to know more about brute force BIN attacks? Jim Vilker and Heather French have you covered.)
How can you prevent these?
So, what can you do to stop these types of attacks? You can make it harder for hackers to guess the next card number and expiration date by enabling card number randomization and expiration date randomization when generating a new card number for a member. Randomization makes it harder for attackers to guess what’s coming next, because there is no pattern or predictability involved—for the same reason we are all here reading this article about debit card security and not out sipping Mai Tais on a beach in Bali with our Powerball winnings. Randomization reduces the chances of guessing and landing on a valid card number and/or expiration date, so it just makes life harder for the bad guys and safer for your members.
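To put a number on that difference, here is an added sketch (not from the original article or from any core provider's or card vendor's system) that issues cards with random account numbers and expiration dates and measures how many live cards sit right next to one leaked card, compared with counter-based issuance. The placeholder BIN, the 16-digit layout, the 36 to 60 month expiry window and all function names are assumptions made for the illustration.

```python
import secrets
from datetime import date

BIN = "000000"        # constructed placeholder, not a real BIN
ACCOUNT_DIGITS = 9    # digits between a 6-digit BIN and the check digit (16-digit card)
SPACE = 10 ** ACCOUNT_DIGITS

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def issue_card(issued: set, today: date, min_months: int = 36, max_months: int = 60):
    """Issue one card with a CSPRNG-chosen account number and expiry.
    The 36-60 month expiry window is an assumption for this sketch."""
    while True:
        account = secrets.randbelow(SPACE)
        if account not in issued:      # never reuse a live number
            break
    issued.add(account)
    body = f"{BIN}{account:0{ACCOUNT_DIGITS}d}"
    months = min_months + secrets.randbelow(max_months - min_months + 1)
    year, month0 = divmod(today.year * 12 + today.month - 1 + months, 12)
    return body + luhn_check_digit(body), f"{month0 + 1:02d}/{year % 100:02d}"

def neighbour_exposure(issued: set, known: int, window: int = 1000) -> float:
    """Share of the `window` account numbers after `known` that are live cards,
    i.e. how much one leaked card reveals about the rest of the portfolio."""
    hits = sum((known + k) % SPACE in issued for k in range(1, window + 1))
    return hits / window

def compare(n_cards: int = 20000, today: date = date(2024, 11, 1)):
    """Return (sequential_exposure, randomized_exposure) for one leaked card."""
    sequential = set(range(100_000, 100_000 + n_cards))   # counter-based issuance
    randomized = set()
    for _ in range(n_cards):
        issue_card(randomized, today)
    leaked_random = next(iter(randomized))
    return (neighbour_exposure(sequential, 100_000),
            neighbour_exposure(randomized, leaked_random))

if __name__ == "__main__":
    print(compare())
```

With counter-based issuance every one of the next 1,000 account numbers belongs to a live card; with random issuance across the same number space essentially none do, and each card's expiration date is independent of its neighbors'.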
Remember that credit union I mentioned at the beginning of this article that recently went through a breach situation with their members? Let me tell you a little bit more about what they went through to fix the problem that could have been prevented had randomization been enabled in the first place. They were looking at upwards of $20,000 in project costs for a new debit card BIN and for their core to programmatically reissue cards under that new BIN.
Instead, they had their debit card vendor produce reports for analysis to first identify the compromised cards. Once identified, they closed them out and reissued them one at a time out of an extension of their current BIN (and, yes, they did reissue them with random card numbers and expiration dates to prevent this from happening in the future). This solution took them days of manual work, and it took personnel resources away from their members; all the while, members with compromised cards were without usable debit cards.
Don’t wait to take action
So, what is your credit union’s best option to enact preventative measures to strengthen your debit card security? I would seriously recommend having a talk with your core provider or your debit card vendor (whichever generates your debit card numbers) today to see if they offer randomization and what the process and costs are to enable it for both your card numbers and expiration dates. In my experience, devoting the resources upfront to prevent fraudulent attacks is much more beneficial than dealing with the fallout from an attack, and with the holidays quickly approaching, there is no better time to get a handle on your card security to protect your members.