By Patricia (Trisha) Wells, VP, Authorization Risk Management, Velera

Financial institutions (FIs) are constantly grappling with a complex and evolving cybercrime challenge — brute force attacks on cards. This type of attack is a direct threat to credit unions and their members, and the number of brute force attacks is surging. Over the summer, a file with over nine billion pieces of data was posted to a hacking site, and is an example of the type of information attackers will use to target systems not protected against brute force attacks. As we close out our two-part blog series for Cybersecurity Awareness Month, now is the time to understand warning signs and embrace innovative solutions to defend against the disruptive impacts of brute force attacks.

What Is Brute Force Fraud?

Brute force fraud involves perpetrators using iterative trial and error tests on partial card information to validate credit or debit card data that was obtained illicitly – often through criminal techniques such as phishing or skimming. The goal of fraudsters is to profit off the acquired information before the card issuer becomes aware of the fraudulent activity and closes the compromised account.

The card testing tactics used in brute force fraud are also referred to as "BIN attacks." Perpetrators use a technique where they input the initial six to eight digits of a card, known as the bank identification number (BIN), into a scripting program. This automated program then subsequently generates various combinations for the full card number, security code and expiration date. The various combinations undergo validation through card-not-present transactions. 

The methods used in card testing can differ with each brute force fraud attempt. Trial transactions may be channeled through legitimate and well-known merchants. The trial transactions can also be funneled via fictitious merchants created specifically for fraudulent purposes. The fraudsters’ testing phase can involve a few test merchants and transactions on a large population of cards, or it might incorporate a more diverse range of merchants and transactions on a smaller subset of cards.

Brute force fraud is an industry-wide threat that spares no one, despite fraudsters’ hopes of gaining access to high value card data. Every credit union and member are susceptible to these attacks. Inactive cards can even be ensnared, as sophisticated software employed by fraudsters can identify valid card details regardless of activation status. Brute force fraud assumes unpredictable forms and affects everyone involved in financial transactions, including unsuspecting merchants, cardholders and FIs.

Mitigating Card Fraud Risks

While there is no foolproof defense against brute force card fraud, credit unions can proactively adopt measures to reduce the likelihood of successful attacks. One effective strategy may be implementing card number randomization, which minimizes vulnerability to attacks that target sequentially ordered cards. Moreover, avoiding batch issuance of expiration dates and opting for randomized dates can provide an additional layer of defense.

In addition to preemptive risk reduction, proactively monitoring for brute force fraud attacks and analyzing any suspicious trends are crucial for acting quickly and minimizing damage. These attacks may reveal themselves through distinct patterns, such as a sudden surge in authorization declines, often linked to sequentially ordered cards. Other red flags include a surge in low-dollar transactions within a short timeframe and a rise in errors related to Card Verification Value 2 (CVV2) and expiration dates. Leading-edge technologies, particularly machine learning, can play a pivotal role in analyzing data to detect patterns indicative of brute force card fraud.

Responding During an Attack

When confronting brute force attacks, credit unions have several courses of action. The right response is one that demonstrates a commitment to upholding member service and card security. One strategic response entails establishing global rules for protection after a pattern is identified from a brute force attack. These rules, when uniformly enforced across the network, serve to decline or closely monitor transactions associated with the attack. This proactive approach minimizes losses and prevents similar vulnerabilities in others.

Another course of action is immediate card reissuance. This preemptive measure is aimed at thwarting follow-on fraud, which is a subsequent wave of fraudulent transactions that might stem from the initial attack. Alternatively, FIs can leverage robust monitoring systems to bolster the security of compromised cards. An integral part of this particular response strategy is implementing a tagging system, which provides analysts with a powerful tool to meticulously monitor affected cards, manage losses effectively and establish a comprehensive reference for future actions.

Adapting to a Changing Landscape

While credit unions are already engaged in measures to prevent and recover from fraud, cybercrime threats evolve constantly – and brute force attacks are on the rise. Before an attack happens is the best time to evaluate whether your fraud and risk mitigation portfolio is keeping pace with the expanding fraud landscape. Collaborating with a trusted fintech credit union service organization (CUSO) like Velera can help strengthen a credit union’s fraud management strategies. The right risk mitigation partnerships will customize and enhance fraud fighting efforts, empowering credit unions to effectively combat the escalating challenges of brute force fraud and other threats.

Patricia (Trisha) Wells is the VP of Authorization Risk Management at Velera (formerly PSCU/Co-op Solutions). She provides strategic thought leadership for new and existing partners and is responsible for fraud strategy design, mitigating losses on behalf of financial institutions. Trisha has combined her passion for mitigating fraud risk with primary responsibilities that included card program implementations, product integration and the improvement of operational efficiencies. She has 40 years of financial services experience, 29 of which have been with Velera.