What is a BIN attack on a credit card? Understanding this type of credit card fraud

Brian Kelly is a Bilt adviser and investor.

Seeing unauthorized charges on your credit card can be a headache. Removing these charges from your account and getting a replacement card isn't fun, either.

The root cause of why you have unauthorized charges on your credit card can vary, as there are multiple types of credit card fraud.

We've previously seen reports online and received emails from readers with surprise charges on their accounts. In fact, some TPG employees checked their accounts to find surprise charges on their Bilt Mastercard®.

These fraudulent charges are part of what's known as a BIN (bank identification number) attack. But what is that? And is there anything you can do to protect yourself? Let's take a closer look.

The information for the Bilt Mastercard has been collected independently by The Points Guy. The card details on this page have not been reviewed or provided by the card issuer.

Related: How to identify and prevent credit card fraud

What is a BIN attack?

The first six digits of your credit card are the bank identification number. A BIN attack uses brute-force computing to attempt to guess a valid combination of credit card number, expiration date and card verification value, or CVV, number.

While a person can attempt to guess one number at a time, a software program can try thousands of combinations in a matter of seconds. Once it finds a number that works, it can try other (similar) variations and then use those at online merchants — assuming that other cards will have the same initial six digits.

Daily Newsletter

Reward your inbox with the TPG Daily newsletter

Join over 700,000 readers for breaking news, in-depth guides and exclusive deals from TPG’s experts

Email address

Sign up

By signing up, you will receive newsletters and promotional content and agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.

Many of these purchase attempts are blocked without customers seeing any activity on their accounts. However, a spokesperson for Wells Fargo (which issues the Bilt Mastercard) told TPG that purchase "attempts from trusted merchants" have affected some customers.

A statement from Bilt confirmed those unauthorized transactions stemmed from a BIN attack:

We have been made aware of a global fraud ring that has been launching what are called BIN attacks. In short, they use compromised merchants to randomly test millions of potential card numbers to see which ones work, focusing in on one card range at a time. While many of these card attempts get blocked (often invisibly to the customer), occasionally charges make it through. This has been happening across banks and we are aware that a few of Wells Fargo Bilt cardholders have experienced fraudulent charges as part of that.

Which cards does this affect?

From our research, we found that these recent attacks affected more than just the Bilt Mastercard. Ultimately, a BIN attack doesn't care about the type of card you have, nor does it need to get inside a company's software. It's simply trying to find a combination of numbers that will result in a successful transaction. Once it does, the fraudsters hope the affected cardmember won't notice until the fraudsters can make additional purchases or cash withdrawals.

Thus, it doesn't matter what bank issues your credit card or what type of rewards your card earns. BIN attacks also don't require hacking into the bank website or the loyalty program website to succeed.

This reinforces the importance of checking your credit cards regularly for fraudulent charges. This ensures that problems are detected as quickly as possible and prevents further unauthorized transactions.

It's also important to understand who to contact if you do find unauthorized charges on your credit card: the issuing bank. For example, if you detect fraud on your Marriott credit card, you shouldn't call Marriott's customer service team; you should reach out to either Chase or American Express, depending on which company issued your card.

In that same vein, Bilt also isn't a credit card issuer and can't issue a new credit card for you. You need to contact your issuing bank — either Wells Fargo (for those who applied since applications opened to the general public in March 2022) or Evolve (for previous applicants).

How can I protect myself from BIN attacks?

In short, you can't stop computer programs from trying to guess credit card numbers. What you can do, however, is monitor your accounts and guard your personal information to prevent other types of credit card fraud.

If you're worried about someone having your credit card number, you can lock your credit card to prevent any transactions; however, that's not a permanent solution. Some transactions will still go through, including recurring bill payments and refunds — meaning a fraudster could attempt a refund as a means of testing whether your card works. Plus, locking your card doesn't combat the chief problem: that someone else may have your card number.

Thus, it's important to get a new card with a new number if you have unauthorized charges on your account. Call the number on the back of your credit card or use the bank's website — go to the website by typing the address yourself, rather than clicking on links, to avoid phishing scams. Many banks also use email, app, phone and text alerts to verify suspicious charges, and you should make sure you know what these look like to understand which notifications you receive are legitimate.

It's also important to ensure you protect your credit card information by carefully evaluating which websites you grant access to your information and what links you click on, plus using strong passwords to protect your information.

You also should report any suspicious charges on your account. Reporting these quickly ensures you're not held responsible for the charges — yet another reason why you should monitor your credit cards regularly.

Bottom line

Multiple readers contacted TPG to inform us they were affected by fraudulent attacks and unauthorized charges, asking if we knew what happened. This has affected more than just the Bilt Mastercard, unfortunately, so you should check your accounts regularly to watch for fraud. While you can't prevent computer software from trying to guess your credit card number, you can take steps to minimize damage and prevent other problems.

Related: Why a password manager is a critical part of my points and miles strategy