Enumeration attacks, especially bank identification number (BIN) generation attacks, enable threat actors to produce and validate payment card numbers. These attacks are not new, and they are high-effort and offer low rewards. However, they can still pose a threat to the payments ecosystem.
Understanding Enumeration Attacks
Enumeration attacks involve “guessing” the correct combination of values when the attacker already knows at least one correct value. For example, in BIN generation, a subset of enumeration attacks, attackers can use algorithms such as the Luhn algorithm to generate a valid payment card number.
Research from Newcastle University has highlighted that cybercriminals can use enumeration attacks to identify unknown payment card data elements. They can start with one piece of data, such as the payment card’s primary account number (PAN), and make multiple attempts on e-commerce sites with minimal verification requirements to guess other values. This method can potentially reveal a card’s expiration date, CVV2, and address details within seconds.
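The two patterns described above leave distinct traces in authorization data. The following is an added detection sketch, not code from the original article: it flags many distinct card numbers under one BIN at a single merchant, and repeated field-mismatch declines for one card counted across all merchants. The event layout, decline reason names, thresholds and sample data are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Decline reasons that indicate a wrong guess of a card data element (assumed names).
FIELD_MISMATCH = {"cvv_mismatch", "expiry_mismatch", "avs_mismatch"}

def detect(events, window=timedelta(minutes=1), max_pans=10, max_field_fails=5):
    """events: (time, merchant, bin, pan_token, decline_reason); "" means approved."""
    bin_hits = defaultdict(list)   # (merchant, BIN) -> [(time, pan_token, declined)]
    pan_fails = defaultdict(list)  # pan_token -> times of field-mismatch declines
    alerts = set()
    for ts, merchant, bin_, pan, reason in sorted(events):
        # Pattern 1: many distinct PANs under one BIN at one merchant, mostly declined.
        hits = bin_hits[(merchant, bin_)]
        hits.append((ts, pan, bool(reason)))
        hits[:] = [h for h in hits if ts - h[0] <= window]
        distinct = {h[1] for h in hits}
        if len(distinct) > max_pans and sum(h[2] for h in hits) / len(hits) >= 0.8:
            alerts.add(("bin_enumeration", merchant, bin_))
        # Pattern 2: one PAN failing field checks repeatedly. Counted across all
        # merchants, because the guesses can be spread over many sites.
        if reason in FIELD_MISMATCH:
            fails = pan_fails[pan]
            fails.append(ts)
            fails[:] = [f for f in fails if ts - f <= window]
            if len(fails) > max_field_fails:
                alerts.add(("field_guessing", pan))
    return alerts

def sample_events():
    """Constructed events, not real data."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ev = [(t0 + timedelta(seconds=i), "shop-a", "999999", f"tok{i:03d}", "invalid_account")
          for i in range(30)]
    ev += [(t0 + timedelta(seconds=2 * i), f"shop-{i % 4}", "999998", "tokX", "cvv_mismatch")
           for i in range(12)]
    ev += [(t0, "shop-c", "999997", "tokN1", ""),
           (t0 + timedelta(seconds=5), "shop-c", "999997", "tokN2", "insufficient_funds")]
    return ev

if __name__ == "__main__":
    for alert in sorted(detect(sample_events())):
        print(alert)
```

In the sample, no single merchant sees more than three failures for `tokX`, so a per-merchant retry limit would not trigger; the per-card count across merchants does.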