What is a BIN attack?

A BIN (Bank Identification Number) attack is when a fraudster attempts to determine if stolen card information can be used to make purchases. BIN attacks are common across online commerce. At NAB, we’re constantly improving our tools and systems to detect and reduce fraud, but it’s important our customers also remain alert about fraud.

A BIN attack is carried out by automated scripts or ‘bots’ that fraudsters use to look for vulnerable websites to test. You can prevent these attacks using effective solutions such as risk management tools, CAPTCHA and 3D-Secure.


Negative effects of BIN attacks include

A BIN attack may mean the following for your business:

  • increased disputes or chargebacks
  • higher decline rates
  • additional fees
  • reputational impacts
  • regulatory fines.

Ways to spot a BIN attack

There are a number of ways to identify a BIN attack, including:

  • A considerable number of low value or similar value transactions attempted in a short period of time.
  • Multiple transaction declines. 
  • A large volume of international card transactions.
  • Attempts made using similar card numbers where only the final 4 to 6 digits vary.
  • Unusual timing of the transactions for your business (usually in the early hours of the morning).
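The indicators above can be checked together over a transaction log. The following is an added example, not NAB code: the record layout, the made-up card numbers and the thresholds (10 cards in 10 minutes, 70% declines) are assumptions to tune for your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_transactions():
    """Constructed records: (timestamp, card number, amount, approved).
    Card numbers are made-up digits, not real accounts."""
    base = datetime(2024, 1, 1, 3, 0, 0)
    burst = [(base + timedelta(seconds=20 * i), f"4000001234{i:06d}", 1.00, i == 3)
             for i in range(12)]
    normal = [
        (datetime(2024, 1, 1, 10, 5), "5100009876543210", 84.50, True),
        (datetime(2024, 1, 1, 10, 40), "5100009876111111", 19.95, True),
        (datetime(2024, 1, 1, 11, 15), "4000005555000001", 42.00, False),
    ]
    return burst + normal

def find_card_testing(txns, window=timedelta(minutes=10), min_cards=10,
                      min_decline_rate=0.7, vary_digits=6):
    """Flag card-number prefixes where many distinct cards that differ only in
    the last `vary_digits` digits are tried inside one `window`, mostly declined."""
    by_prefix = defaultdict(list)
    for ts, pan, amount, approved in txns:
        by_prefix[pan[:-vary_digits]].append((ts, pan, amount, approved))

    alerts = []
    for prefix, rows in by_prefix.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Slide the left edge forward until the span fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            cards = {r[1] for r in chunk}
            rate = sum(1 for r in chunk if not r[3]) / len(chunk)
            if len(cards) >= min_cards and rate >= min_decline_rate:
                alerts.append({
                    "prefix": prefix,
                    "cards": len(cards),
                    "decline_rate": round(rate, 2),
                    "amounts": sorted({r[2] for r in chunk}),   # low/similar values
                    "early_hours": all(r[0].hour < 6 for r in chunk),
                    "first_seen": chunk[0][0],
                })
                break  # one alert per prefix is enough
    return alerts
```
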

What to do if you've had a BIN attack

If your NAB Transact facility is being targeted by fraudsters, you should contact the NAB Fraud Team on 1300 622 372 (then select Option 3). The team is available 8:30am to 5:00pm (AEST), 7 days a week. Be sure to contact the team as soon as possible if you think fraudulent activity has occurred.

Three steps to help prevent BIN attacks

Card testers employ a wide variety of techniques to make their fraudulent activity difficult to block. As a result, simple firewall rules or filters can’t always prevent card testing on their own. We recommend you employ a mix of rules and regularly review these settings to ensure your customers are not impacted.

We suggest you use the following fraud prevention steps to help protect your business. 

  • Step 1: Risk Management. Cost: Free. Integration: Low. Available to: NAB merchants.
  • Step 2: EMV 3DS. Cost: $5.50 monthly fee and $0.05 per authorisation. Integration: Low. Available to: NAB merchants.
  • Step 3: Captcha. Cost: Free. Integration: Low. Available to: All merchants.

Step 1: Risk management tools

Risk management tools in NAB Transact offer ways to exclude fraudulent transactions using a set of customisable rules that you can tailor to protect your business and your customers.

NAB Transact offers a free fraud management service that is readily available to NAB Transact merchants. The tool offers velocity rules and whitelist/blacklist rules that are easily customisable. This service is available for NAB Transact customers using Hosted Payments Page, Direct Post and XML/API configurations.

How do I enable risk management?

  1. Log into NAB Transact.
  2. Under the Product Administration column, tap Risk Management Settings on the home page of your NAB Transact Portal.
  3. On the new page, select Change Settings and tick enable where required.
  4. Make sure to tap Save once you’re done.

The settings that you choose here can be set to suit your business needs. The most effective settings to combat BIN attacks are:

It’s important to review these settings regularly to make sure that they’re still preventing BIN attacks.

If you need assistance with setting up Risk Management tools, contact the NAB Transact Team on 1300 369 852, Option 3.

What does my web developer need to do?

For merchants that use a Direct Post or XML/API, your webmaster will need to configure settings within your site to handle these risk management rules. Your developer will need to consult the integration guide for your website. If your integration is a Hosted Payments Page, you won’t need to make any changes.

  1. Log into NAB Transact.
  2. Select the Product Administration column.
  3. Tap Risk Management Settings on the home page of your NAB Transact Portal.
  4. Download the integration guide relevant for your website.

Integration guides for your developer

  • Direct Post Integration. Document title: Integration Guide - Direct Post V2 for Payments. Section: 2.6.5. Page: 15.
  • XML/API Integration. Document title: Integration Guide - XML API for Payments. Section: 2.6.2. Page: 16.

Step 2: Enable EMV 3DS

If you use the NAB Transact payment gateway, you’ll have the added comfort of knowing that NAB Transact supports EMV 3DS. You can consult your web developer or e-commerce software provider to have your integration with NAB Transact upgraded to use EMV 3DS authentication.

EMV 3DS will make the issuer responsible for the chargeback liability on fraudulent transactions. Merchants remain liable for chargebacks related to goods and services, for example if the goods are not received.

For more information, check out Protecting your business online with EMV 3DS.

Step 3: Add a Captcha solution

Card testers often use automated scripts that can be blocked using a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). This works by observing behaviour on the website and distinguishing between a human and a bot. If it’s unsure, it poses a short challenge for the customer to complete. 

The free Google reCAPTCHA tool is effective for blocking card testing. It gives you the option of both visible and invisible CAPTCHAs, depending on your needs.

Any CAPTCHA solution can be implemented by your web developer.

What to do if you're still affected by card testing

If you’ve added a CAPTCHA to your integration but are still affected by card testing, please check the following:

  • Make sure the CAPTCHA requires validation on all requests that enable card validations or payments.
  • Review the CAPTCHA’s documentation to make sure it has been implemented properly.
  • If you’re using a CAPTCHA that provides a score, adjust the threshold at which you prevent requests from succeeding.
  • Try a different CAPTCHA solution, such as switching from an invisible CAPTCHA to a visible CAPTCHA, or use a different CAPTCHA solution entirely.
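The first and third checks above, sketched as a server-side gate (an added example, not NAB or Google code). It assumes a score-based CAPTCHA whose verification response carries the reCAPTCHA v3 fields `success`, `score`, `action`, `hostname` and `challenge_ts`; the endpoint names, the hostname `shop.example` and the default threshold and token age are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Every request that can reveal whether a card is valid must be gated,
# not only the final payment. These action names are hypothetical.
PROTECTED_ACTIONS = {"add_card", "pay"}

def captcha_allows(verify_response, expected_action, min_score=0.5,
                   expected_hostname="shop.example",
                   max_age=timedelta(minutes=2), now=None):
    """Decide from the CAPTCHA provider's verification response whether the
    request may go on to the payment gateway. Returns (allowed, reason)."""
    now = now or datetime.now(timezone.utc)
    if expected_action not in PROTECTED_ACTIONS:
        return False, "unknown action"
    # A request with no token, or a token the provider rejected, never passes.
    if not verify_response or not verify_response.get("success"):
        return False, "token missing or rejected"
    # A token solved on another site or for another form must not be reused here.
    if verify_response.get("hostname") != expected_hostname:
        return False, "token issued for another site"
    if verify_response.get("action") != expected_action:
        return False, "token issued for another action"
    issued = datetime.fromisoformat(
        verify_response["challenge_ts"].replace("Z", "+00:00"))
    if now - issued > max_age:
        return False, "token too old"
    # The adjustable threshold: raise min_score if card testing still gets through.
    if verify_response.get("score", 0.0) < min_score:
        return False, "score below threshold"
    return True, "ok"
```

Logging the returned reason alongside declines shows which check is stopping requests and whether the threshold needs to move.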

If you require further assistance, please contact the NAB Transact Help Desk on 1300 369 852, Option 3, Monday to Friday, 8:00am to 8:00pm (AEST/AEDT).
