Watch out for BIN Attacks

hawkins
Frequent Contributor

Watch out for BIN Attacks

Title says it all. Some **bleep**(s) in Australia of all places somehow managed to get my debit card number and order over $300 in pizza. I am nowhere near Australia nor have I ever been there, so it's incredibly frustrating. My credit union Redstone allowed the charge to go through, then called me and asked if it was me after the fact. These hackers somehow guessed my card number and were able to pay somehow without knowing the 3-digit code on the back. Redstone so far is taking it OK, but I get the impression they will find a way to not give me my money back and find a way to blame me. Just me being mad this happened. They did not have access to my account, otherwise it would have been way worse in the amount I would have lost. My credit card with them was also not touched. Moral of the story is be careful and watch your accounts like a hawk. I have never even used this debit card, to boot. Very annoyed.

Message 1 of 4
Slabenstein
Valued Contributor

Re: Watch out for BIN Attacks

BIN attacks are becoming way, way more common, unfortunately, and about as far as you can go to protect yourself is lock the cards you aren't using.  I've worked on the issuer side of trying to combat a BIN attack, and it's extremely frustrating (on top of it costing the FI maybe tens of thousands of dollars to cover the fraudulent charges).  Issuers can't require that merchants ask for CVV or other identifying information such as address or ZIP.  That means that, if fraudsters can get a good card number and exp date through brute forcing, they just need to use it at a merchant that only asks for those two things.  The pizza place you mentioned is probably such a merchant.

 

The good news, so to speak, is that BIN attacks are usually a massive fraud attempt on basically all of an FI's cards that share that BIN, so if Redstone is experiencing a BIN attack, then they're well aware of it and I'd expect you should be able to get your money back without too much hassle.  They would have had a large number of attempted fraudulent transactions at that pizza place, and the one on your card wouldn't have been the only one to go through before Redstone's anti-fraud algos blocked that merchant.


Message 2 of 4
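The pattern described in the reply above (a burst of attempts against many cards sharing one BIN at a single merchant, most of them declined, with a few approvals slipping through) can be looked for in authorization logs. The following is an added example, not part of any post in this thread and not any issuer's actual system; the record layout, thresholds, BIN, card tokens and merchant ids are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not issuer guidance.
WINDOW = timedelta(minutes=10)
MIN_CARDS = 20            # distinct cards from one BIN seen at one merchant
MIN_DECLINE_RATIO = 0.8   # guessed numbers mostly decline

def detect_bin_attacks(auths):
    """auths: (ts, bin, card_token, merchant_id, approved) tuples.
    Returns {(bin, merchant_id): [card tokens approved during the burst]}."""
    windows = defaultdict(deque)
    flagged = defaultdict(set)
    for ts, bin_, card, merchant, approved in sorted(auths):
        win = windows[(bin_, merchant)]
        win.append((ts, card, approved))
        while ts - win[0][0] > WINDOW:      # drop attempts older than the window
            win.popleft()
        cards = {c for _, c, _ in win}
        declines = sum(1 for _, _, ok in win if not ok)
        if len(cards) >= MIN_CARDS and declines / len(win) >= MIN_DECLINE_RATIO:
            # Pair looks like enumeration: record approvals that slipped through.
            flagged[(bin_, merchant)].update(c for _, c, ok in win if ok)
    return {pair: sorted(hit) for pair, hit in flagged.items()}

def sample_auths():
    """Constructed authorization log; BIN, tokens and merchant ids are made up."""
    t0 = datetime(2025, 1, 1, 3, 0, 0)
    rows = []
    for i in range(40):   # burst: 40 different cards, one merchant, 5 s apart
        rows.append((t0 + timedelta(seconds=5 * i), "400000", f"tok-{i:04d}",
                     "MERCH-PIZZA-01", i in (7, 23)))
    for i in range(5):    # ordinary traffic: few cards, all approved
        rows.append((t0 + timedelta(minutes=i), "400000", f"tok-9{i:03d}",
                     "MERCH-GROCER-07", True))
    return rows

if __name__ == "__main__":
    for (bin_, merchant), cards in detect_bin_attacks(sample_auths()).items():
        print(f"BIN {bin_} at {merchant}: block merchant, review approved cards {cards}")
```

The returned card tokens are the approvals that landed inside the burst, which are the accounts an issuer would want to contact and reissue once the merchant is blocked.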
gingerflower
Senior Contributor

Re: Watch out for BIN Attacks

@hawkins 

Sorry to hear your debit card was hacked. Heck, I know the feeling of frustration; I too had to deal with fraud on my BoA debit card... 14 charges from 2 different companies. Thank goodness I received text messages from BoA to alert me of the charges. So far BoA took action and my account is straightened out with a new debit card.

Message 3 of 4
AndySoCal
Senior Contributor

Re: Watch out for BIN Attacks

@hawkins If the fraudster selected credit, not debit, then the three-digit code is not needed. I would also suggest you put some controls (alerts) on that card.

FIC Scores XPN v8 805 V2 831 (SDFCU) TUC V 8 800 07/25 EFX Bankcard v8 822 EFX FIC0 v8 807 Vantage score 4.0 817 via JC Penney
JC Penney 10/2008 4,700 US Bank Cash 08/2010 12,000 Citibank Custom Cash 5/2015 14,100, State Dept. FCU 06/2023 25,000 02/2024 Redstone FCU Signature VISA 10,000 08/23/2024 Commonwealth Credit Union 15000 07/25 Walmart One 5000 12/04/25
Banking: Lafayette FCU Fortera FCU State Department FCU Redstone FCU Hughes FCU Commonwealth FCU
My personal blacklist Axos Bank, Bank of America, Synchrony Bank Capital One TD Bank Comerica Bank BMO US Bank Wells Fargo
Message 4 of 4