Scripting Attacks on E-Commerce Sites Hit Ally Bank Accounts

BIN Attack, Not Data Breach, Likely Culprit Behind Spike in Fraudulent Charges
Scripting Attacks on E-Commerce Sites Hit Ally Bank Accounts

A flurry of fraudulent online transactions made using Ally Bank debit card accounts is the result of script-based cyberattacks rather than a data breach, a source close to the fraud detection tells Information Security Media Group.

See Also: Check Kiting In The Digital Age

Customers and e-commerce website sites across the United States are reporting a sharp increase in fraudulent charges to accounts issued by the online consumer bank. The charges are the result of a BIN attack, the fraud detection executive says. The acronym stands for bank identification number, which are the first four to six digits of payment card numbers. The remaining digits in 16 digit payment card numbers identify individual accounts.

Attackers are running scripts on e-commerce sites in a bid to identify valid accounts by attempting to complete small transactions. The script automatically inputs card numbers based on the Ally Bank BIN. The brute force guessing continues until a transaction goes through.

Validated debit card accounts subsequently may be used for additional fraud or sold to another cyber gang, although the executive says dark web monitoring hasn't revealed an uptick in debit card data for sale. The bank is attempting to prevent fraudulent charges through analytics that examine impacted accounts for anomalous activity, the executive says.

In a prepared statement, an Ally spokesperson says the financial services industry as a whole is experiencing an uptick in debit card fraud activity. Customers have 60 days from a fraudulent transaction to report it and receive back the funds, the spokesperson adds. Customers will not be liable for unauthorized transactions.

One reason to be confident that the spike in fraud is not a data breach is that attackers don't appear to be in possession of data elements associated with payment cards database entries such as account holder name, the executive says.

"There are no indications that this would be a data breach based on the activity that's happening out there," the executive says.

No Online Merchant Is Too Small For Cyber Criminals

Attackers can identify account numbers through brute force attacks by taking advantage of payment processing systems that lack security controls, says Julie Conroy, head of risk insights and advisory at consultancy Aite-Novarica.

Small merchants and charities in particular often don't institute robust controls for card-not-present payments, whether from eagerness to ensure that customers complete their transaction or a belief they're not a target for criminal gangs.

"There are some card-not-present merchants that don't even need a CVC," she says, referring to the three-digit card verification code found on the backside of physical payment cards. Merchants typically outsource payment processing to third parties, but "you can pick and choose which fraud controls you want," she says. "The merchant is still managing their fraud."

The ideal e-commerce victim is a low-volume or seasonal business owner who doesn't logon to the payment processing platform for long stretches at a time, says John Buzzard, lead analyst for fraud and security at Javelin Strategy and Research.

A software script for guessing account numbers is trivial to program but gangs behind the attacks have gained sophistication in bypassing authorization network fraud detection measures. Some gangs have learned to randomize the validation test amounts and are careful to attempt validation through multiple merchants, says Buzzard. Many brute force scripts sidestep checks against rapid-fire authorization attempts by modulating their velocity, Conroy says.

A script with fraud detection countermeasures included can be bought on the dark web for as little as $100, Conroy says, an illustration of how finely calibrated the cyber gangs have become. It would be unusual for a single gang to program the script, conduct the brute force attacks and then exploit the validated payment cards accounts. Instead, each function is conducted by specialists who sell to the next layer in the exploitation chain.

"It just underscores the extent to which these organized crime rings operate as a business," Conroy says.

About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.