6 minutes

BIN Attacks: What They Are and How to Protect Yourself

Written by
Don Hamilton
Published on
April 2, 2024


BIN attacks and card testing go together.

You can’t control them. Sometimes, you can’t even detect them.

But you can fight them.

First, you must know what they are and how to spot them.

Then, we’ll take you through all the relevant points of damage and prevention.

Let’s get started.

What’s a BIN?

The 16-digit number on your credit card is used to identify you when making purchases with the card.

But this number, called a Primary Account Number (PAN), has built-in codes. These codes tell banks who issued the card, what industry they represent, and the account number—your account number—to ensure the money comes and goes from the right place.

The code built into the PAN we’re interested in is the BIN.

The Bank Identification Number (BIN) is the first 6-8 digits of your credit card’s PAN. This graphic shows you the BIN and other codes the PAN contains.

BINs are publicly available information. They are published so that people like yourself can learn what bank issued your credit or debit card.

Our BIN Lookup tool allows you to type in the first ten digits of your card’s PAN (that's all the tool needs for security reasons).

Then, click the “Check BIN” button, and you get the information you’re looking for.

How Do BIN Attacks Work?

So, how are these BIN numbers attacked?

With brute force.

Using automated tools like auto-dialers, here’s the way fraudsters try to scam the system.

The fraudster chooses a BIN through public record research.

With the BIN in place, they generate thousands of random numeric combinations to fill out the remaining numbers in the PAN. They hope to find a legitimate PAN this way.

This is what they generate:

  1. The remainder of the PAN.
  2. The expiration date.
  3. The CVV security number on the card.

If they were to do this random-number generation manually, it would take a very long time. But using modern automation tools and bots, they can generate millions of potentially authentic PANS, dates, and CVVs in seconds.

All these random number combinations are stored for future verification through card testing.

What is Card Testing?

Card testing is not new. It first appeared online at the dawn of e-commerce. These days, it’s becoming increasingly sophisticated.

At heart, card testing—or carding—is simply a brute-force, trial-and-error method to see if the randomly generated PANs are viable. If one of their PANs completes a trial purchase, it can be saved and used for further fraudulent activities.

These are the basic steps the fraudsters take:

  1. Acquisition: The fraudster obtains card details through illegal means. This includes BIN attacks.
  2. Verification: Small transactions are made on e-commerce websites or donation platforms (as these typically have lower verification requirements) to test whether the card is active.
  3. Confirmation: If the small transactions go through, the attacker confirms that the card information is legitimate and usable for purchases.
  4. Exploitation: The verified card details are then stored to be used for more significant fraudulent transactions or sold on the dark web to other criminals.

So the BIN attack goes like this.

  1. Pick a BIN.
  2. Generate random PANs, dates, and CVVs.
  3. Card test each complete card detail bundle on a real website, trying to make a purchase. Low transaction amounts are used to help avoid detection.
  4. Store all card details that prove to be active and valid.
  5. Commit further fraud.

What's the impact from BIN Attacks?

In addition to the potential consequences for the cardholder—unauthorised purchases, bank dealings, and possible credit problems—the merchant suffers too during the card testing phase of the BIN attack.

Financial Losses

Fraudulent transactions must be refunded to the cardholder. This happens directly by the merchant or as the result of a dispute which may elevate to a chargeback. Refunds are lost revenues.

Increased Transaction Fees

Transaction fees go up if the payment processor or the bank determines that your business is subject to excessive fraud. If they think you’re too vulnerable, your risk assessment goes up, and with it, the fees and penalties you pay.

Loss of Customer Trust

If your customers no longer feel your business cannot protect their private information, they may think twice before doing business with you again. Nobody trusts an insecure business.

Reputational Damage

If word gets out, the market may view your business unfavourably. This leads to even more lost revenue, lost opportunities, and slower or non-existent growth.

Preventing a BIN attack

Unfortunately, there is no 100% sure way to prevent BIN attacks every time. Fraudsters are increasing their sophistication the same way legitimate merchants are.

Note that it’s not illegal to simply generate PANs, dates, and CVVs. The fraud comes from card testing and fraudulent purchases.

Fortunately, there are dedicated services like ours that can mitigate these threats and make it possible to retain your revenue and reputation.

Visit today to learn more.

Book a demo of our platform to prevent fraud and chargebacks.

You can also contact us at with any questions you may have.

We’re ready to help you find the optimum way to protect your business from fraudsters.

FAQ: BIN Attacks

How do cybercriminals carry out BIN Attacks?

Cybercriminals use automated software tools to generate and validate credit card numbers based on known BINs. They perform small transactions on websites with low security to test these numbers, identifying valid card details for fraudulent use.

Why are BIN Attacks considered dangerous?

BIN Attacks can lead to mass credit card fraud, affecting hundreds or thousands of cardholders under a single BIN. This can result in significant financial loss, compromised personal information, and eroded trust in financial institutions and payment systems.

Can BIN Attacks be detected and prevented?

Yes, both individuals and businesses can employ measures to detect and prevent BIN Attacks. For individuals, monitoring account activity and using security features like transaction alerts can help. Companies can implement advanced fraud detection tools, velocity checks, and secure payment gateways to mitigate these attacks.

What are the signs of a BIN Attack?

Signs of a BIN Attack include multiple small transactions that you don't recognise on your credit card statement, especially if they are from the same issuer or occur in a short timeframe.

What should I do if I suspect my card is compromised in a BIN Attack?

Immediately contact your bank or card issuer to report the suspicious activity. They can help secure your account, reverse fraudulent charges, and issue a new card if necessary.