Criminals turning bank security systems against themselves  

As banks beef up their security perimeters, criminals are now devising methods to beat banks’ own authentication protocols, quickly and effectively exfiltrating funds. Two particularly concerning modes of attack have emerged: Bank Identity Number (BIN) scan attacks, and Distributed Denial of Service (DDoS) assaults orchestrated to hide targeted attacks. 

AI and FaaS boost BIN scanning attacks

BIN scan attacks represent a strategy where fraudsters use the 3-D Secure protocol to steal card information by guessing card numbers to see which ones are active. 

The rate of this fraud is growing as other protections make card-stealing more complicated. Mastercard reports that Fraud as a Service (FaaS) has also added to the problem, boosting BIN attacks by 80% since 2020. 

“By using made-up card ranges and submitting this against the 3-D Secure network to look for signals of success, fraudsters know that if the system returns ‘card not found’, it’s a miss. However, if the response suggests a valid card, they have a match,” explains Gerhard Oosthuizen, Chief Technology Officer at authentication specialist, Entersekt. 

“Fraudsters are hitting issuers across different markets, building databases of usable cards that can later be sold or exploited in other attacks,” Oosthuizen says. “Where these BIN scan patterns are detected, issuers usually block and reissue cards, thereby protecting customers, but at the same time they are adding both operational cost and inconvenience.” 

Oosthuizen explains that to address this, the company is diligently scanning for these patterns. If they are detected, banks can then return false responses to the attackers, giving them incorrect answers and stopping them from getting useful information. What’s more, working across multiple banks gives the company a wider perspective, allowing its software to track the attack waves and how they evolve, thereby protecting the wider ecosystem and stopping attacks earlier in the cycle.

DDoS uses banks’ own systems against them 

Another favoured method is deploying Distributed Denial of Service (DDoS) attacks to overwhelm the Access Control Server (ACS) during payment authentication. Systems like 3-D Secure, which are positioned earlier in the process to protect consumers, are a particular favourite. In fact, the number of DDoS attacks increased by 137% in Q1 2025 compared to the prior year, with financial institutions being prime targets.

“When syndicates know they have active cards, they will flood transaction systems with incredibly high-volume traffic that cannot easily be separated from good transactions. When the 3-D Secure system fails to handle these massive volumes, and response times drop below acceptable thresholds, the system gets bypassed. With that protection gone, the fraudsters get an easier, unprotected path into the payment network,” Oosthuizen says.

This subtle undermining of the fraud barrier allows criminals to slip through fraudulent payments without detection, turning banks’ own resilience mechanisms into potential liabilities.

Oosthuizen says that while financial institutions are investing heavily in layered protections to mitigate these disruptions and protect 3-D Secure availability, the rate of attacks will continue to grow, threatening the availability of authentication systems.

Patterns and consortia hold the key 

To address these attacks, Oosthuizen says banks need systems that constantly monitor for any sudden changes in normal levels of activity (such as a rising number of card declines, or an increase in card challenges that are never completed) and can dynamically trigger defences that prevent attacks from being successful. One example is limiting multiple invalid payment requests on the same card from different websites.

As with all evolving threats, the solution is multifaceted but relies heavily on the ability to spot patterns, having access to enough data for a complete picture, and automating responses.  
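The monitoring described above, sketched as an added example (not code from the article or from Entersekt): a sliding-window check over authentication outcomes that flags a burst of "card not found" results within one BIN range, and failed requests on the same card from several merchants. The thresholds, field names and sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune against an issuer's own baseline traffic.
WINDOW_S = 60        # sliding window in seconds
BIN_MISS_LIMIT = 5   # distinct unknown card numbers per BIN per window
MERCHANT_LIMIT = 3   # distinct merchants with failed requests on one card
FAILED = {"declined", "challenge_abandoned"}

class AuthMonitor:
    def __init__(self):
        self.bin_misses = defaultdict(deque)  # BIN -> (ts, card) of "card not found"
        self.card_fails = defaultdict(deque)  # card -> (ts, merchant) of failures

    @staticmethod
    def _distinct(q, ts, item):
        """Append item, drop entries older than the window, count distinct values."""
        q.append((ts, item))
        while q[0][0] <= ts - WINDOW_S:
            q.popleft()
        return len({v for _, v in q})

    def observe(self, ts, card, merchant, outcome):
        alerts = set()
        if outcome == "card_not_found":
            bin_ = card[:6]
            if self._distinct(self.bin_misses[bin_], ts, card) >= BIN_MISS_LIMIT:
                alerts.add(("bin_scan", bin_))  # candidate for masked responses
        elif outcome in FAILED:
            if self._distinct(self.card_fails[card], ts, merchant) >= MERCHANT_LIMIT:
                alerts.add(("multi_merchant_failures", card))  # candidate for limiting
        return alerts

def run(events):
    """Feed events in timestamp order and return every alert raised."""
    monitor, alerts = AuthMonitor(), set()
    for event in sorted(events):
        alerts |= monitor.observe(*event)
    return alerts

# Constructed sample events with made-up card numbers: (epoch_s, card, merchant, outcome).
SAMPLE = (
    # Burst of unknown numbers in one BIN range within 30 s -> bin_scan
    [(1000 + 5 * i, f"999999000000{i:04d}", "shop-a", "card_not_found") for i in range(6)]
    # Same number of misses in another range, spread over 10 minutes -> no alert
    + [(1000 + 120 * i, f"888888000000{i:04d}", "shop-b", "card_not_found") for i in range(6)]
    # One card failing at three different merchants within a minute -> alert
    + [(1100 + 10 * i, "7777770000000001", f"shop-{i}", sorted(FAILED)[i % 2]) for i in range(3)]
    # Ordinary traffic: a single decline on another card -> no alert
    + [(1150, "7777770000000002", "shop-a", "declined")]
)
```

A production system would key on tokenised card references rather than full card numbers and would derive the thresholds from observed baselines.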

“By aggregating data and sharing insights across a consortium, it becomes possible to identify suspicious patterns that might be invisible to a single institution. When a new fraud pattern, such as a particular BIN scan technique, is detected, rules and protections can be adapted not just for the affected bank, but across the entire consortium. This rapid-response capability is amplified by SaaS delivery models, which allow for swift updating and fine-tuning of fraud detection logic as new threats emerge,” Oosthuizen says.

Oosthuizen also says having global reach and local understanding can help tailor defenses to the nuances of each market so they are both effective and contextually relevant. This will become all the more important as new standards such as Passkeys and Digital Identity are rolled out. 

“Ongoing collaboration between banks and their authentication partners is paramount. Rules must be continuously reviewed, updated, and validated against the shifting tactics of cybercriminals. These two particular attack modes prove collaborative vigilance is what will keep banks agile and protected, allowing them to anticipate, not just react to, the next wave of fraud,” Oosthuizen says.

 
