As banks beef up their security perimeters, criminals are now devising methods to beat banks’ own authentication protocols, quickly and effectively exfiltrating funds.

Two particularly concerning modes of attack have emerged: bank identity number (BIN) scan attacks and distributed denial of service (DDoS) assaults orchestrated to hide targeted attacks.

BIN scan attacks represent a strategy where fraudsters use the 3D Secure protocol to steal card information by guessing card numbers to see which ones are active.

The rate of this fraud is growing as other protections make card-stealing more complicated. Mastercard reports that fraud as a service (FaaS) has also added to the problem, boosting BIN attacks by 80% since 2020.

By using made-up card ranges and submitting this against the 3D Secure network to look for signals of success, fraudsters know that if the system returns “card not found”, it’s a miss. However, if the response suggests a valid card, they have a match.

Fraudsters are hitting issuers across different markets, building databases of usable cards that can later be sold or exploited in other attacks. Where these BIN scan patterns are detected, issuers usually block and reissue cards, thereby protecting customers, but at the same time they are adding both operational cost and inconvenience.

To address this requires diligently scanning for these patterns. If detected, banks can then return false responses to the attackers, giving them incorrect answers and stopping them from getting useful information. What’s more, consortiums that work across multiple banks can offer a wider perspective, allowing software to track the attack waves and how they evolve, thereby protecting the wider ecosystem and stopping attacks earlier in the cycle.

DDoS attacks

Another favoured method is deploying DDoS attacks to overwhelm the access control service during payment authentication. Systems like 3D Secure, which is positioned earlier in the process to protect consumers, is a particular favourite. In fact, the number of DDoS attacks increased by 137% in the first quarter of 2025 compared to the prior year, with financial institutions being prime targets.

When syndicates know they have active cards, they will flood transaction systems with incredibly high volumes of traffic that cannot easily be separated from good transactions. When the 3D Secure system fails to handle these massive volumes, and response times drop below acceptable thresholds, the system gets bypassed. With that protection gone, the fraudsters get an easier, unprotected path into the payment network.

Read: Africa bears the brunt of global ransomware attacks

This subtle undermining of the fraud barrier allows criminals to slip through fraudulent payments without detection, turning banks’ own resilience mechanisms into potential liabilities.

While financial institutions are investing heavily in layered protections to mitigate against these disruptions and protect 3D Secure availability, the rate of attacks will continue to grow, threatening the availability of authentication systems.

The author, Entersekt's Gerhard Oosthuizen — The author, Entersekt’s Gerhard Oosthuizen

To address these attacks, banks need to have systems that constantly monitor for any sudden changes in normal levels of activity (such as a rising number of card declines or an increase in card challenges that are never completed) and can dynamically trigger defences that prevent attacks from being successful. For example, limiting multiple invalid payment requests on the same card from different websites.

As with all evolving threats, the solution is multifaceted but relies heavily on the ability to spot patterns, having access to enough data for a complete picture and automating responses.

By aggregating data and sharing insights across a consortium, it becomes possible to identify suspicious patterns that might be invisible to a single institution. When a new fraud pattern, such as a particular BIN scan technique is detected, rules and protections can be adapted not just for the affected bank, but across the entire consortium. This rapid-response capability is amplified by SaaS delivery models, which allow for swift updating and fine-tuning of fraud detection logic as new threats emerge.

Consortiums that have global reach and local understanding can help tailor defences to the nuances of each market so they are both effective and contextually relevant. This will become all the more important as new standards such as passkeys and digital identity are rolled out.

Ongoing collaboration between banks and their authentication partners is paramount. Rules must be continuously reviewed, updated and validated against the shifting tactics of cybercriminals. These two particular attack modes prove collaborative vigilance is what will keep banks agile and protected, allowing them to anticipate, not just react to, the next wave of fraud.