As banks beef up their security perimeters, criminals are now devising methods to beat banks’ own authentication protocols, quickly and effectively exfiltrating funds.

According to authentication specialists, two particularly concerning modes of attack have emerged: Bank Identification Number (BIN) scan attacks, and Distributed Denial of Service (DDoS) assaults orchestrated to hide targeted attacks.


AI and FaaS boost BIN scanning attacks

BIN scan attacks are a strategy in which fraudsters abuse the 3-D Secure protocol to harvest card details: they submit guessed card numbers and use the responses to learn which ones are active.

The rate of this fraud is growing as other protections make card-stealing more complicated. Mastercard reports that Fraud as a Service (FaaS) has also added to the problem, boosting BIN attacks by 80% since 2020.

“By using made-up card ranges and submitting this against the 3-D Secure network to look for signals of success, fraudsters know that if the system returns ‘card not found’, it’s a miss. However, if the response suggests a valid card, they have a match,” explains Gerhard Oosthuizen, chief technology officer at Entersekt.

“Fraudsters are hitting issuers across different markets, building databases of usable cards that can later be sold or exploited in other attacks,” Oosthuizen says. “Where these BIN scan patterns are detected, issuers usually block and reissue cards, thereby protecting customers, but at the same time they are adding both operational cost and inconvenience.”

Oosthuizen explains that, to address this, the company diligently scans for these patterns. Once a scan is detected, banks can return false responses to the attackers, denying them any useful information.

What’s more, working across multiple banks gives the company a wider perspective, allowing their software to track the attack waves and how they evolve, thereby protecting the wider ecosystem and stopping attacks earlier in the cycle.


DDoS uses banks’ own systems against them

Another favoured method is deploying Distributed Denial of Service (DDoS) attacks to overwhelm the issuer’s Access Control Server (ACS) during payment authentication.

Systems like 3-D Secure, which sit earlier in the process to protect consumers, are a particular favourite. In fact, the number of DDoS attacks increased by 137% in Q1 2025 compared to the prior year, with financial institutions being prime targets.

“When syndicates know they have active cards, they will flood transaction systems with incredibly high-volume traffic that cannot easily be separated from good transactions. When the 3-D Secure system fails to handle these massive volumes, and response times drop below acceptable thresholds, the system gets bypassed. With that protection gone, the fraudsters get an easier, unprotected path into the payment network,” Oosthuizen says.

This subtle undermining of the fraud barrier allows criminals to slip through fraudulent payments without detection, turning banks’ own resilience mechanisms into potential liabilities.

Oosthuizen says that, while financial institutions are investing heavily in layered protections to mitigate these disruptions and protect 3-D Secure availability, the rate of attacks will continue to grow, threatening the availability of authentication systems.


Patterns and consortia hold the key

In order to address these attacks, Oosthuizen says banks need systems that constantly monitor for any sudden changes in normal levels of activity (such as a rising number of card declines, or an increase in card challenges that are never completed) and can dynamically trigger defences that prevent attacks from succeeding, for example by limiting repeated invalid payment requests on the same card from different websites.
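As an added illustration of the two defensive ideas described above (spotting scan patterns in authentication traffic, then returning indistinguishable responses so the scanner learns nothing), here is a small detector run over constructed 3-D Secure attempt records. This is example code, not Entersekt's or any issuer's software; the event format, outcome labels and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample 3-D Secure authentication attempts (not real traffic):
# (merchant, card_number, outcome). Outcome labels are simplified.
SAMPLE_EVENTS = (
    # A scan walking sequential PANs in BIN 411111: mostly misses, two hits.
    [("shop-a.example", f"4111110000000{n:03d}", "card_not_found") for n in range(16)]
    + [("shop-a.example", "4111110000000016", "challenge_issued"),
       ("shop-a.example", "4111110000000017", "challenge_issued")]
    # One card pushed through many merchants with no challenge ever completed.
    + [(f"site-{i}.example", "5200000000000001", "challenge_issued") for i in range(5)]
    # Normal traffic in BIN 530000: challenges issued and then completed.
    + [("store.example", "5300000000000002", "challenge_issued"),
       ("store.example", "5300000000000002", "challenge_completed"),
       ("store.example", "5300000000000003", "challenge_issued"),
       ("store.example", "5300000000000003", "challenge_completed")]
)

def detect(events, min_attempts=10, miss_ratio=0.8, max_merchants=3):
    """Return ('bin_scan', bin) when a BIN shows a high card-not-found ratio, and
    ('card_probe', pan) when one card collects uncompleted challenges from more
    distinct merchants than max_merchants. Thresholds are illustrative."""
    per_bin = defaultdict(lambda: {"total": 0, "missed": 0})
    issued, completed = defaultdict(set), defaultdict(set)
    for merchant, pan, outcome in events:
        stats = per_bin[pan[:6]]          # first six digits are the BIN
        stats["total"] += 1
        if outcome == "card_not_found":
            stats["missed"] += 1
        elif outcome == "challenge_issued":
            issued[pan].add(merchant)
        elif outcome == "challenge_completed":
            completed[pan].add(merchant)
    alerts = []
    for b, s in sorted(per_bin.items()):
        if s["total"] >= min_attempts and s["missed"] / s["total"] >= miss_ratio:
            alerts.append(("bin_scan", b))
    for pan, merchants in sorted(issued.items()):
        if len(merchants - completed[pan]) > max_merchants:
            alerts.append(("card_probe", pan))
    return alerts

def respond(pan, lookup_hit, flagged_bins):
    """Deceptive response for a flagged BIN: the same 'declined' result is returned
    whether or not the PAN exists, so hits and misses look identical to the sender."""
    if pan[:6] in flagged_bins:
        return "declined"
    return "challenge" if lookup_hit else "card_not_found"
```

In production the same counters would be kept per time window and fed by the ACS logs, with the flagged-BIN set shared across issuers in the consortium.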

As with all evolving threats, the solution is multifaceted, but it relies heavily on the ability to spot patterns, on access to enough data for a complete picture, and on automated responses.