Bin Attack Scams on the Rise!

Scam Alert! Scammers are guessing your card numbers and getting them right! Here’s what you can do to protect yourself.

So it seems like every time we turn around, scammers have found another way to teef our likkle bit a money!

The latest scam that has been picking up steam is called a BIN attack.

Hackers use computer software to accurately guess the combination of your debit or credit card number, the Card Verification Value or CVV, which is the three-digit code on the back of the card, AND the expiry date.

Once they’ve accurately guessed that info, they have control of your card.

It’s called a BIN attack because hackers target the Bank Identification Number, which is the first four to six digits of your card.

All financial institutions have a BIN. These numbers are usually public knowledge or easy to figure out. Scammers just need to see one card and copy the first four or six digits, and then they have a starting point for the hack. After that, they use software like auto-dialers to generate the rest of the card number and then the other information.

Hackers typically target one institution at a time. After generating a few combinations, they test the combos on different merchant platforms.

The good news is that, right now, this type of attack has limited success: while scammers stand a good chance of guessing the card number once they have the BIN, finding the accurate combination of CVV AND expiry date is much harder.

Most institutions will flag transactions where the wrong CVV and expiry date were entered.

But if there’s one thing we know, it’s that scammers are persistent, so once they’ve generated a legitimate card number, they’ll store it and continue trying to get the right combination.

Now BIN attacks aren’t just annoying for customers. They’re annoying for businesses as well.

If I see a fraudulent transaction on my account, the first thing I’m going to do is dispute the transaction. So businesses face extra costs because if the dispute is successful, they have to pay customers back out of pocket. 

Not to mention it damages their reputation because why would I shop at or recommend a site where my card was scammed once already?

In some cases, if payment gateways and merchants are used often by scammers to test cards, they can be fined by regulators or risk losing their operating licenses. 

Now you can’t stop scammers from trying to guess numbers, so how can you protect your money?

On the customer end… one, alerts, alerts and more alerts!

Set up as many notifications as possible from your institution so that you can be notified immediately when a transaction has occurred. That way you can dispute the charges quickly.

Two, find out if your institution allows restrictions on the number of transaction attempts that can be made within a given period of time. 

Typically, BIN attacks are characterized by multiple low-value attempts in a short period. Limiting the number of checkout attempts for a single user might be a good way to catch a BIN attack before it’s successful.
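The burst pattern described above, turned into a check a merchant or issuer could run over its own authorization log. This is an added example, not code from the original article; the log lines, card numbers, decline codes and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (not real cards): timestamp, card masked
# to its BIN and last four, amount in dollars, and the gateway's result code.
SAMPLE_LOG = [
    ("2024-05-01T10:00:01", "453201******1001", 1.00, "DECLINED_CVV"),
    ("2024-05-01T10:00:09", "453201******1002", 1.00, "DECLINED_EXPIRY"),
    ("2024-05-01T10:00:15", "453201******1003", 2.50, "DECLINED_CVV"),
    ("2024-05-01T10:00:22", "453201******1004", 1.00, "DECLINED_CVV"),
    ("2024-05-01T10:00:30", "519876******4444", 1.00, "DECLINED_CVV"),
    ("2024-05-01T10:00:41", "453201******1005", 1.00, "DECLINED_EXPIRY"),
    ("2024-05-01T10:15:00", "453201******1001", 12500.00, "APPROVED"),
]

# Assumed result codes for a wrong CVV or wrong expiry date.
MISMATCH_CODES = {"DECLINED_CVV", "DECLINED_EXPIRY"}

def bin_of(masked_card):
    """Bank Identification Number: the leading digits of the card number."""
    return masked_card[:6]

class AttemptLimiter:
    """Sliding-window counter: attempts per key within `window` are capped at `max_attempts`."""
    def __init__(self, max_attempts, window):
        self.max_attempts, self.window = max_attempts, window
        self.recent = defaultdict(deque)

    def record(self, key, when):
        """Log one attempt for `key`; return True once the window limit is reached."""
        q = self.recent[key]
        q.append(when)
        while q and when - q[0] > self.window:
            q.popleft()  # drop attempts that have aged out of the window
        return len(q) >= self.max_attempts

def flag_bin_attacks(log, max_attempts=4, window=timedelta(minutes=2), low_value=5.00):
    """Flag BINs showing a burst of low-value CVV/expiry declines, the BIN-attack signature."""
    limiter = AttemptLimiter(max_attempts, window)
    flagged = {}
    for ts, card, amount, result in log:
        if amount > low_value or result not in MISMATCH_CODES:
            continue  # approvals and normal-sized purchases do not count toward the burst
        when = datetime.fromisoformat(ts)
        if limiter.record(bin_of(card), when):
            flagged.setdefault(bin_of(card), ts)  # remember when the limit was first hit
    return flagged

if __name__ == "__main__":
    print(flag_bin_attacks(SAMPLE_LOG))  # {'453201': '2024-05-01T10:00:22'}
```

The same `AttemptLimiter` keyed on a session or customer ID gives the per-user checkout cap mentioned above.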

And of course, monitor your accounts. You should always have an idea of how much is in your bank account. Check your recent transactions and make sure everything looks right. This is where having a budget could come in handy: you’ll know where every dollar was supposed to go.

On the business banking side of things. 

We might not like this one, but having and sticking to tight KYC requirements is one of the ways to prevent BIN attacks. I know, I know, we already need an arm and a leg and our first baby tooth to open an account in Jamaica, but as they say ‘the good suffer fi the bad.’

Ensuring that customers meet KYC requirements, as well as performing enhanced due diligence are some strategies that businesses can use to ensure their customers are legitimate. 

Also, having some kind of user authentication on your site would be helpful. These hacking attempts use computer software, so having an extra verification step is a good way to block them.

For example, biometric verification or facial recognition can confirm that the user is the account holder before authorising a purchase. You can even set up those ‘are you a human, click every square that has a bicycle’ messages.

They might be annoying, but if it can help keep my money in my pocket, then it’s worth it.

And that’s the bottom line.