Recent social media posts have highlighted a concerning issue: numerous individuals reported unauthorized charges against their bank accounts. According to these posts, the thefts affected at least 7 to 8 people, all of them dual currency or credit card holders, with Eastern Bank and Brac Bank the most affected. The unauthorized transactions were made through Facebook Ad Manager, typically in small, repeated amounts; one account reported as many as 315 transactions. Strikingly, the victims received no One-Time Password (OTP) on their mobile phones for any of these transactions. The sudden and unexplained nature of the incidents has drawn the attention of the Bangladesh Cyber Security Intelligence (BCSI), which is now investigating how the charges went through without triggering the usual OTP verification.
So what might have happened?
When a card is added to Facebook Ad Manager for payments, only minimal data is collected: the card number, expiry date and CVC/CVV, and sometimes a postal code. The cardholder’s name is never requested, and nothing is checked against the issuer beyond what the authorization itself returns. That low bar is what makes bulk guessing practical. If a card’s BIN (Bank Identification Number, the first six to eight digits) is known, an attacker can generate other card numbers in the same range and try them one after another. A card-not-present charge at a merchant that does not invoke 3-D Secure, or where the issuer does not enforce it, is authorized on card number, expiry and CVV alone, so the bank never sends an OTP and the cardholder sees nothing until the statement arrives. Spread across many IP addresses and automated with off-the-shelf tooling, this lets a card be charged repeatedly without the checks the cardholder expects.
What is a BIN Attack?
In a BIN attack, a cybercriminal brute-forces the digits that follow a known BIN, generating candidate card numbers that pass the Luhn checksum and pairing each with guessed expiry dates and card verification values (CVV). Using a botnet, they submit small authorization attempts at many merchants, testing hundreds or thousands of combinations in minutes; the declines are the cost of doing business and the rare approval identifies a live card. Once one combination works, they try neighbouring numbers as well, since every card in the range shares the same BIN.
How can we prevent BIN attacks and enhance security?
BIN attacks, where fraudsters exploit the Bank Identification Number to generate valid card numbers, can be mitigated through several measures by both banks and cardholders:
For Banks:
- Enhanced Verification: Require 3-D Secure (OTP or in-app approval) for card-not-present transactions, including low-value ones and those from foreign merchants, and verify the CVV on every authorization rather than trusting the merchant’s own checks.
- Limit Number of Attempts: Cap consecutive failed authorizations per card, and per merchant within a BIN range, so that a card or a merchant is blocked or flagged for review once the cap is hit.
- Advanced Fraud Detection Systems: Use machine learning and AI technologies to detect unusual patterns indicative of BIN attacks.
- Limit Card-Data Exposure: The BIN itself is public by design (every card in the range carries it), so the data that must be protected is the full card number, expiry and CVV. Require merchants and processors to tokenize or truncate stored card numbers and never store the CVV, as PCI DSS mandates.
- Monitor Transaction Patterns: Continuously monitor authorization traffic for anomalies that indicate a BIN attack, such as a burst of declines from one merchant against many different cards in the same BIN range, or a single card being charged many small amounts by one merchant in a short period.
- Educate Merchants: Provide training and resources to merchants on identifying and responding to potential BIN attacks.
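The two patterns described above (many distinct cards in one BIN range probed from one merchant with mostly declines, and one card drained by hundreds of small approved charges with no OTP) are both visible in an issuer’s authorization log. The following is an added example, not code from the original post or from any bank, of how an issuer-side detector might implement the attempt limits and pattern monitoring listed above. The log format (one record per authorization attempt), the field names, the merchant names and every card number in it are assumptions constructed for this example; the thresholds are illustrative.

```python
"""
Issuer-side detection of BIN attacks and micro-charge draining.
Added example; the log format below is an assumption, not any bank's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data).  The PANs under BIN
# 411111 are Luhn-valid numbers made up for this example; "ad-platform" stands
# for any card-not-present merchant that does not invoke 3-D Secure.
SAMPLE_LOG = """\
2024-05-01T09:00:00 merchant=shop-x pan=4111110000000013 amount=1.00 result=DECLINED
2024-05-01T09:00:05 merchant=shop-x pan=4111110000000021 amount=1.00 result=DECLINED
2024-05-01T09:00:09 merchant=shop-x pan=4111110000000039 amount=1.00 result=DECLINED
2024-05-01T09:00:14 merchant=shop-x pan=4111110000000047 amount=1.00 result=DECLINED
2024-05-01T09:00:20 merchant=shop-x pan=4111110000000054 amount=1.00 result=DECLINED
2024-05-01T09:00:27 merchant=shop-x pan=4111110000000062 amount=1.00 result=APPROVED
2024-05-01T12:30:00 merchant=grocer pan=5555555555554444 amount=42.10 result=APPROVED
"""
# The "hundreds of small charges" pattern: one card billed 1.00 every five minutes.
SAMPLE_LOG += "".join(
    f"2024-05-01T{13 + i // 12:02d}:{(i % 12) * 5:02d}:00 merchant=ad-platform "
    f"pan=4111111111111111 amount=1.00 result=APPROVED\n"
    for i in range(30)
)


def parse_log(text):
    """Parse 'time key=value ...' lines into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        kv = dict(tok.split("=", 1) for tok in rest.split())
        records.append({"time": datetime.fromisoformat(ts), "merchant": kv["merchant"],
                        "pan": kv["pan"], "amount": float(kv["amount"]),
                        "result": kv["result"]})
    return sorted(records, key=lambda r: r["time"])


def luhn_valid(pan):
    """Mod-10 check.  Attackers generate Luhn-valid candidates, so passing says
    nothing about legitimacy; failing means the number can be rejected outright."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_bin_attacks(records, window=timedelta(minutes=10),
                       max_declines=5, max_distinct_pans=5):
    """Alert on (merchant, BIN) pairs with a burst of declines or of distinct
    card numbers inside `window`: the signature of sequential guessing."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["merchant"], r["pan"][:6])].append(r)
    alerts = []
    for (merchant, bin_), recs in groups.items():
        for end_idx, end in enumerate(recs):
            in_window = [r for r in recs[:end_idx + 1] if end["time"] - r["time"] <= window]
            declines = sum(r["result"] == "DECLINED" for r in in_window)
            pans = {r["pan"] for r in in_window}
            if declines >= max_declines or len(pans) >= max_distinct_pans:
                alerts.append({"type": "bin_attack", "merchant": merchant, "bin": bin_,
                               "declines": declines, "distinct_pans": len(pans),
                               "first_seen": in_window[0]["time"]})
                break                   # one alert per (merchant, BIN) is enough
    return alerts


def detect_micro_charges(records, max_per_day=20, small_amount=5.0):
    """Alert on a card with an unusual number of small approved charges at one
    merchant in one day (the 'hundreds of tiny transactions, no OTP' pattern)."""
    counts = defaultdict(lambda: [0, 0.0])
    for r in records:
        if r["result"] == "APPROVED" and r["amount"] <= small_amount:
            key = (r["pan"], r["merchant"], r["time"].date())
            counts[key][0] += 1
            counts[key][1] += r["amount"]
    return [{"type": "micro_charges", "pan": pan[:6] + "******" + pan[-4:],
             "merchant": m, "day": str(day), "count": n, "total": round(total, 2)}
            for (pan, m, day), (n, total) in counts.items() if n >= max_per_day]


def run_detections(log_text=SAMPLE_LOG):
    records = parse_log(log_text)
    bad_pans = sorted({r["pan"] for r in records if not luhn_valid(r["pan"])})
    return {"luhn_failures": bad_pans,
            "alerts": detect_bin_attacks(records) + detect_micro_charges(records)}


if __name__ == "__main__":
    for alert in run_detections()["alerts"]:
        print(alert)
```

Run as a script it prints one `bin_attack` alert for `shop-x` against BIN 411111 (five declines across five distinct numbers inside ten minutes) and one `micro_charges` alert for the card billed thirty times by `ad-platform`; the grocer’s single normal purchase produces nothing. In production the same logic would run in the authorization path so that the sixth guess is declined before it reaches the card, and the micro-charge rule would feed a step-up to 3-D Secure or a customer alert rather than a report read the next morning.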
For Card Users:
- Monitor Account Activity: Regularly check transaction history for any unauthorized or suspicious activities and report them immediately.
- Use Card Security Features: Activate the security features your bank offers, such as virtual or single-use card numbers for online purchases and any option to switch card-not-present or international use off when you do not need it.
- Enable Alerts: Set up transaction alerts via SMS or email to be notified of any charges made using the card.
- Be Cautious Online: Avoid entering card details on unfamiliar websites. “HTTPS” in the URL is a minimum requirement, but it only proves the connection is encrypted, not that the merchant is trustworthy.
- Report Lost/Stolen Cards Immediately: Quickly report any lost or stolen cards to the bank to prevent unauthorized use.
By implementing these strategies, both banks and cardholders can reduce the risk and impact of BIN attacks.