5W1H

Tales from Ep.1: Banks, BINS, and “Bad” Guys

A BIN, or Bank Identifying Number, can be found on each payment card. The BIN, and most of the information associated with it, is also public information on the Internet, meaning you can do a BIN search online to see the issuing bank, country of origin, whether it’s a VISA or Mastercard, and so on.

Who is this information important to?

Banks have a vested interest in picking up on whether any of the cards they issued have been compromised, aka leaked out into the wild, or the Internet.

A cybersecurity expert explained, “So how you detect cards in the wild is to look at its string of 16 digits to see if it matches a (valid) BIN.”

He further explained that if a bad guy was going to buy credit card information, they would want to know which bank issued that card. An assessment could help said individual identify whether a bank is proactive in mitigating fraud. “Bad guys would then target the low hanging fruits aka banks that aren’t so advanced with their fraud management.”
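The matching the expert describes, seen from the bank's monitoring side, as an added example that is not part of the original article or the podcast: it scans text for 16-digit strings and keeps those whose prefix is on the bank's own BIN watch list. It goes one step beyond the quote by also applying the Luhn checksum to discard random digit runs. The six-digit BIN length, the watch list, the function names and every card number are assumptions or constructed test values.

```python
import re

# Hypothetical watch list of six-digit BINs (constructed; 411111 is a test prefix).
MONITORED_BINS = {"411111": "Example Bank (constructed)"}

# 16 digits, optionally grouped in fours by a space or hyphen,
# and not part of a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")

# Constructed sample text standing in for a paste or dump under review.
SAMPLE_DUMP = """\
user1|4111111111111111|12/25
user2|4111-1111-1111-1111|01/26
user3|4111111111111112|03/24
user4|5555555555554444|07/25
order 12345678901234567890
"""

def luhn_ok(digits):
    """Luhn checksum: filters out random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_exposed_cards(text, bins=MONITORED_BINS):
    """Return one masked record per distinct card number on a monitored BIN."""
    hits, seen = [], set()
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        issuer = bins.get(digits[:6])
        if issuer is None or digits in seen or not luhn_ok(digits):
            continue
        seen.add(digits)
        # Keep only BIN + last four so the report does not re-leak the number.
        hits.append({"issuer": issuer, "bin": digits[:6],
                     "masked": digits[:6] + "******" + digits[-4:],
                     "offset": m.start()})
    return hits

if __name__ == "__main__":
    for hit in find_exposed_cards(SAMPLE_DUMP):
        print(hit)
```

On the sample, only the first record is reported: the second is the same number with hyphens, the third fails the checksum, the fourth is on a BIN that is not being watched, and the last is part of a longer digit run.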

March’s Big Card Data Dump

At around the time the MCO was announced in Malaysia, a big data dump was reported by India-based Technisanct, a cybersecurity startup. In summary, hundreds of thousands of credit card details from at least six Southeast Asian countries had been leaked online.

This is huge and many in the local cybersecurity community paid attention to this event because it happened in the Asia region. Incidents of this magnitude usually happen in other regions.

According to one cybersecurity insider who spoke to a bank owner, the bank owner stated, “We are not concerned about the breach because I don’t think the data is valid.”

The explanation for this is as follows: if you look at stolen card data, especially card data that can be found on the dark web, a lot of the time it is not a fresh release. A fresh release means card information that has never been leaked out before.

The industry has observed a number of times that card information on the dark web has been recycled, or leaked and/or sold before.

And you will never know whether it has been until these cards get into someone’s hands, aka someone buys them to check the BINs one by one to see if the information ‘works.’ This reporter understands there are many ways to use the information to dupe poor souls or organisations into parting with their money.

People buying card information on the dark web is not without consequence. If the bad guys ever get a whiff of demand for a certain bank’s card information, that’s an invitation to target that bank.

So, some banks operate via third parties to validate whether the card information found on the dark web is a “fresh release.”

Article notes

This article is based upon a podcast chat which is rumoured to have happened pre-MCO. To this day, that podcast episode has not been found. Maybe the Gods of Podcast ate it up. An anonymous source came forward with details of the conversation because he thought all the stuff discussed was too good to give up. This article was first published at: https://securitylah.asia/