BIN Attack
A large-scale automated attack in which criminals systematically generate and test card numbers based on a known Bank Identification Number to find valid cards.
Also known as: BIN enumeration, card enumeration attack, BIN testing
Last reviewed: 1 June 2026
A Bank Identification Number (BIN) is the first six to eight digits of a payment card number, which identify the issuing bank and card type. In a BIN attack (also called BIN enumeration), fraudsters exploit the fact that, within a given BIN, the remaining digits are a bounded account number followed by a Luhn check digit: candidates can be generated cheaply, and any that fail the checksum discarded before they are ever submitted. Automated scripts generate thousands of plausible card numbers under a single BIN, typically paired with guessed expiry dates and CVVs, and test them against merchant payment endpoints to identify valid, active cards.
The attack can be costly for merchants, especially small ones: each test transaction, however small (£0.01 or $0.01 amounts are common), is an authorisation request the merchant pays gateway fees for and the issuer must process, and a high volume of declines can trigger card-scheme penalties for excessive authorisation or decline rates. Merchants with weak or absent CAPTCHA and no rate limiting on their checkout pages are most exposed.
Once valid card numbers are identified, they are either used for fraud directly or sold as 'checked' cards at a premium. Defences include CAPTCHA on payment pages, transaction velocity limits, device fingerprinting, and issuer-side anomaly detection that flags unusual bursts of declined transactions on a single BIN. Per-IP limits and CAPTCHA alone are routinely bypassed by distributed botnets and solving services, so velocity should also be keyed on the BIN and on device fingerprint, not only on source address.
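The following is an added example, not code from the original page: a small Python detector of the kind a merchant or issuer would run over authorisation logs. It shows the Luhn check referred to above (a PAN that fails it can be rejected locally without an issuer round trip, and a burst of Luhn-invalid PANs is itself a sign that a script is bypassing the checkout form's client-side validation), then applies two of the defences listed: a per-source velocity limit and a per-BIN decline-burst threshold. The log events, the IP addresses, the BINs 453957 and 411111, and the thresholds are all constructed for illustration; the PANs are test values that happen to satisfy or fail Luhn, not real cards.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) checksum.

    Walking from the rightmost digit, every second digit is doubled
    (subtracting 9 if the result exceeds 9); the sum must be divisible by 10.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_bin_enumeration(events, window=timedelta(minutes=10),
                           ip_threshold=10, decline_threshold=15,
                           luhn_threshold=5):
    """Flag sources and BINs that look like an enumeration run.

    events: dicts with keys ts (datetime), pan (str), ip (str),
            amount (float), result ('approved' or 'declined').
    Thresholds are assumed values; tune them against real baseline traffic.
    Returns sorted lists of flagged BINs, flagged IPs and IPs that submitted
    many Luhn-invalid PANs (i.e. bypassed the checkout form's own check).
    """
    attempts_by_ip = defaultdict(deque)      # sliding window of timestamps
    declines_by_bin = defaultdict(deque)     # sliding window of decline times
    luhn_failures_by_ip = defaultdict(int)
    flagged_ips, flagged_bins, luhn_bypass_ips = set(), set(), set()

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, ip, pan = ev["ts"], ev["ip"], ev["pan"]
        bin_ = pan[:6]  # use pan[:8] where the issuer operates 8-digit BINs

        # Signal 1: Luhn-invalid PANs never come from a normal checkout form.
        if not luhn_valid(pan):
            luhn_failures_by_ip[ip] += 1
            if luhn_failures_by_ip[ip] > luhn_threshold:
                luhn_bypass_ips.add(ip)

        # Signal 2: attempt velocity per source within the window.
        q = attempts_by_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > ip_threshold:
            flagged_ips.add(ip)

        # Signal 3: burst of declines on one BIN within the window.
        if ev["result"] == "declined":
            d = declines_by_bin[bin_]
            d.append(ts)
            while d and ts - d[0] > window:
                d.popleft()
            if len(d) > decline_threshold:
                flagged_bins.add(bin_)

    return {"bins": sorted(flagged_bins),
            "ips": sorted(flagged_ips),
            "luhn_bypass_ips": sorted(luhn_bypass_ips)}


def constructed_events():
    """Constructed sample log: one enumeration run plus a little real traffic."""
    base = datetime(2026, 5, 30, 2, 0, 0)
    events = []
    # Attack traffic: 30 sequential account numbers under BIN 453957, one IP,
    # 10 s apart, 0.01 each. Only the three Luhn-valid ones (i = 4, 12, 20)
    # could ever be approved; here two of them are.
    for i in range(30):
        events.append({"ts": base + timedelta(seconds=10 * i),
                       "pan": "453957" + f"{i:010d}",
                       "ip": "203.0.113.7", "amount": 0.01,
                       "result": "approved" if i in (4, 12) else "declined"})
    # Legitimate traffic: Luhn-valid test PANs, distinct IPs, normal amounts.
    legit_pans = ["4111110000000005", "4111110000000013", "4111110000000021",
                  "4111110000000039", "4111110000000047"]
    for i, pan in enumerate(legit_pans):
        events.append({"ts": base + timedelta(minutes=3 * i), "pan": pan,
                       "ip": f"198.51.100.{i + 1}", "amount": 25.0,
                       "result": "approved"})
    return events


if __name__ == "__main__":
    print(detect_bin_enumeration(constructed_events()))
```

Run on the constructed log, the detector flags BIN 453957 for its decline burst and 203.0.113.7 both for velocity and for submitting Luhn-invalid PANs, while the five legitimate authorisations trigger nothing. The Luhn rejection saves issuer round trips but is not a defence on its own: a competent attacker applies the same checksum before submitting, which is why the per-BIN decline signal, which does not depend on the source address, is the one that survives a distributed attack.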
Examples
- A small charity's donation page is hit with 10,000 automated micro-transactions over a weekend as fraudsters enumerate card numbers under a stolen BIN to find active cards.