Payment Enumeration Attacks Explained

Enumeration attacks are a top threat to the payments ecosystem.

Enumeration attacks are a type of cyberattack used to discover data in a system or application. For example, a malicious actor may use an API to submit numerous “guesses” against user login information, eventually guessing correctly and storing that information.

These types of attacks are also one of the top threats to the payments ecosystem, harming payment card issuers, merchants, and consumers. According to Visa, enumeration attacks inflict operational expenses and $1.1B annually in fraud losses, accounting for a significant portion of global fraud.

Here is an overview of how payment enumeration attacks work, why they are harmful to merchants, and the signs that merchants can watch for indicating they may be the victim of an enumeration attack.


What is a payment enumeration attack?

A payment enumeration attack, a type of brute force attack, occurs when a criminal uses software or bots to validate payment card information by submitting a series of transaction attempts. By iterating through combinations of credentials (e.g., primary account number, expiration date, zip code, etc.) the criminal seeks to derive legitimate payment account details. When a transaction goes through, it indicates the combination of credentials is valid. Criminals then sell this information or use it themselves to initiate fraudulent transactions.

A BIN attack is a type of enumeration attack that focuses on a specific payment card issuer. The criminal takes the first six to eight digits of a card number (the Bank Identification Number, or BIN) and uses software to generate the remaining card numbers and other credentials (e.g., expiration dates, CVVs, etc.) for testing.

What types of businesses are targeted?

Merchants across a variety of industries have been victims of enumeration attacks. Businesses that process a high volume of card-not-present transactions are most susceptible to these attacks. Smaller businesses with less robust fraud protections are also targeted.

How do enumeration attacks harm merchants?

Enumeration attacks harm merchants in a number of ways including:

  • Increased processing fees: Every attempted transaction incurs fees. When hundreds or thousands of card numbers are tested, fees can add up quickly.
  • Increased chargebacks: Consumers whose cards were charged as a result of the attack will likely file chargeback claims, which incur fees for the merchant.
  • Operational expenses: Additional expense may be incurred to manage the repercussions of the attack.
  • Risk exposure: There may be exposure to compliance risk, regulatory risk, and reputational risk.

How can a merchant determine if it is the victim of an enumeration attack?

The following patterns can indicate an enumeration attack is underway:

  • Abnormally high number of low-value transactions
  • Frequent card declines in a brief period
  • Spikes in transactions that are otherwise not explainable
  • Odd transaction times (e.g., your customers normally conduct business during the day but suddenly numerous transactions are placed at 3 AM)
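To show how a merchant could watch for these signs in its own authorization logs, here is an added example (not code from the original article or from Verisave). It assumes a simple log format of timestamp, masked card number, amount and result, and the thresholds for "brief period", "low value" and "normal business hours" are assumptions to be tuned per merchant:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a merchant's authorization log (not real transactions).
# Each line: ISO timestamp, masked PAN (BIN + mask + last four), amount, result.
# One daytime sale, then 30 one-dollar probes against one BIN at 3 AM, mostly declined.
SAMPLE_LOG = "2024-03-02T14:10:05Z 453201******4821 89.99 APPROVED\n" + "\n".join(
    f"2024-03-02T03:{i // 6:02d}:{(i % 6) * 10:02d}Z 411111******{i:04d} 1.00 "
    + ("APPROVED" if i % 10 == 0 else "DECLINED")
    for i in range(30)
)

def parse_log(text):
    """Parse log lines into dicts with a timezone-aware timestamp and the card BIN."""
    events = []
    for line in text.splitlines():
        ts, pan, amount, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "bin": pan[:6], "amount": float(amount),
                       "approved": result == "APPROVED"})
    return events

def find_enumeration_windows(events, window_minutes=10, min_attempts=20,
                             low_value=5.0, decline_ratio=0.5, business_hours=(8, 20)):
    """Bucket attempts by (BIN, time window) and score each bucket against the
    article's indicators: many low-value attempts, a high decline rate and
    activity outside normal hours. Thresholds are assumptions; tune per merchant."""
    buckets = defaultdict(list)
    for e in events:
        slot = e["ts"].replace(minute=e["ts"].minute - e["ts"].minute % window_minutes,
                               second=0, microsecond=0)
        buckets[(e["bin"], slot)].append(e)
    flagged = []
    for (bin_, slot), attempts in buckets.items():
        n = len(attempts)
        if n < min_attempts:          # a burst of attempts is the precondition for every signal
            continue
        declined = sum(not a["approved"] for a in attempts) / n
        low_value_share = sum(a["amount"] <= low_value for a in attempts) / n
        off_hours = not (business_hours[0] <= slot.hour < business_hours[1])
        signals = [name for name, hit in (("high_decline_rate", declined >= decline_ratio),
                                          ("low_value_volume", low_value_share >= 0.8),
                                          ("off_hours", off_hours)) if hit]
        if signals:
            flagged.append({"bin": bin_, "window_start": slot.isoformat(), "attempts": n,
                            "decline_rate": round(declined, 2), "signals": signals})
    return flagged
```

Running `find_enumeration_windows(parse_log(SAMPLE_LOG))` flags the single 3 AM window on BIN 411111 with all three signals, while the lone daytime sale never reaches the attempt threshold.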

Can enumeration attacks be prevented?

Yes, there are steps a merchant can take to guard against and thwart enumeration attacks. The precise methods you should employ to protect your business will vary based on numerous factors, but they can include altering transaction error messaging so that responses do not reveal which credential was wrong, throttling the rate of transaction attempts, and deploying advanced fraud detection systems.

In the coming weeks, we will be publishing a separate article going into more detail on these preventative measures.

In the meantime, if you are concerned about enumeration attacks and would like to discuss further, please contact Verisave and we will be happy to help.

If your business is looking to better manage your merchant account or reduce fees, we’re here to help. We fix and monitor your existing merchant account, and we bring that money back to you. No need to change processors or add a project to your team’s already hectic workload. Schedule a consultation today.

Verisave is a third-party cost-reduction firm specializing in merchant accounts and credit card processing fees.

Verisave is not a payment processor, and is not affiliated with any processors, card brands, or banks.

Verisave has more than 20 years of experience optimizing and monitoring the credit card processing industry.
