Script attacks on e-commerce sites hit Ally bank accounts

BIN attack, not data breach, likely culprit behind rise in fraudulent charges

David Perera (@daveperera)
August 25, 2022

A wave of fraudulent online transactions using Ally Bank debit card accounts is the result of script-based cyberattacks rather than a data breach, a source close to fraud detection has told Information Security Media Group.

Customers and e-commerce websites across the United States are reporting a surge in fraudulent charges to accounts issued by the online consumer bank. The charges are the result of a BIN attack, the fraud detection manager said. The acronym stands for Bank Identification Number, which is the first four to six digits of a payment card number. The remaining digits in a 16-digit payment card number identify the individual account.

Attackers run scripts against e-commerce sites to identify valid accounts by attempting small transactions. The script automatically enters card numbers based on the Ally Bank BIN. Brute-force guessing continues until a transaction goes through.

Validated debit card accounts can then be used for further fraud or sold to another cybercrime gang, although the executive says dark web monitoring has not revealed an increase in debit card data for sale. The bank is trying to prevent fraudulent charges through scans that examine affected accounts for abnormal activity, the executive said.

In a prepared statement, an Ally spokesperson said the financial services industry as a whole is experiencing an increase in debit card fraud activity. Customers have 60 days from a fraudulent transaction to report it and recover the funds, the spokesperson adds. Customers will not be responsible for unauthorized transactions.

One reason to believe the fraud spike is not a data breach is that the attackers do not appear to possess any of the data elements associated with payment card database entries, such as the name of the account holder, the executive said.

“There is no indication that this would be a data breach based on the activity taking place there,” the executive said.

No online merchant is too small for cybercriminals

Attackers can identify account numbers through brute-force attacks by taking advantage of payment processing systems that lack security controls, says Julie Conroy, head of risk analysis and consulting at the consultancy Aite Novarica.

Small merchants and charities in particular often fail to institute strong controls for card-not-present payments, either out of concern that customers complete their transactions or out of a belief that they are not a target of criminal gangs.

“Some merchants who don’t present a card don’t even need a CVC,” she says, referring to the three-digit card verification code found on the back of physical payment cards. Merchants typically outsource payment processing to third parties, but “you can choose whatever fraud checks you want,” she says. “The merchant is still managing his fraud.”

The ideal e-commerce victim is a low-volume or seasonal business owner who doesn’t log into the payment processing platform for long periods at a time, says John Buzzard, principal analyst for fraud and security at Javelin Strategy and Research.

A software script to guess account numbers is simple to program, but the gangs behind the attacks have grown more sophisticated at bypassing the authorization network’s fraud detection measures. Some gangs have learned to randomize validation test amounts and to spread validation attempts across multiple merchants, Buzzard says. Many brute-force scripts avoid checks against rapid-fire authorization attempts by modulating their speed, Conroy says.
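A merchant-side check for the pattern described above, as an added example that is not from the article or its sources: it flags any BIN for which one merchant sees many distinct card numbers and mostly declines within a 24-hour window, ignoring amounts and per-minute rate because the scripts randomize and pace those. The field names, thresholds, merchant name and the BIN `999999` are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # long window: paced scripts stay under per-minute limits
MIN_DISTINCT_CARDS = 20        # assumed threshold, tune to the merchant's volume
MIN_DECLINE_RATIO = 0.8        # guessed numbers are mostly declined

def find_bin_enumeration(events):
    """Return {(merchant, bin): (distinct_cards, decline_ratio)} for suspicious pairs.

    events: dicts with ts, merchant, bin, card_token, amount, approved.
    Amounts are deliberately ignored because they can be randomized.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["merchant"], e["bin"])].append(e)
    flagged = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            cards = {e["card_token"] for e in window}
            ratio = sum(not e["approved"] for e in window) / len(window)
            if len(cards) >= MIN_DISTINCT_CARDS and ratio >= MIN_DECLINE_RATIO:
                # Keep the worst window seen for this merchant/BIN pair.
                if len(cards) > flagged.get(key, (0, 0.0))[0]:
                    flagged[key] = (len(cards), round(ratio, 2))
    return flagged

def sample_events():
    """Constructed data: one paced enumeration run plus ordinary shoppers."""
    t0 = datetime(2022, 8, 1, 9, 0)
    events = []
    for i in range(30):  # one guess every 7 minutes, varied amounts, one approval
        events.append({"ts": t0 + timedelta(minutes=7 * i), "merchant": "shop-A",
                       "bin": "999999", "card_token": f"guess-{i}",
                       "amount": 1.00 + (i * 37 % 400) / 100, "approved": i == 17})
    for i in range(25):  # five repeat customers, all approved
        events.append({"ts": t0 + timedelta(minutes=11 * i), "merchant": "shop-A",
                       "bin": f"88888{i % 5}", "card_token": f"cust-{i % 5}",
                       "amount": 20.0 + i, "approved": True})
    return events

if __name__ == "__main__":
    for (merchant, bin_), (cards, ratio) in find_bin_enumeration(sample_events()).items():
        print(f"{merchant}: BIN {bin_}, {cards} distinct cards, {ratio:.0%} declined")
```

Because the attempts can be spread across merchants, a single merchant sees only part of a run; the same grouping keyed on BIN alone fits a processor or issuer that sees traffic from many merchants.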

A script with fraud detection countermeasures included can be purchased on the dark web for as little as $100, says Conroy, an illustration of how finely specialized cybercrime gangs have become. It would be unusual for a single gang to program the script, carry out the brute-force attacks, and then exploit the validated payment card accounts. Instead, each function is carried out by specialists who sell to the next layer of the chain.

“It just underscores how much of a business these organized crime networks operate,” Conroy said.