
Source : PortMac.News | Street | News Story:

 
'BIN attacks': Thieves use SMBs to test stolen credit cards
When a Melbourne wholesaler received a monthly bill from the CBA for 13,500 declined e-commerce transactions, employees thought it was a clerical error.


Then they started receiving calls from strangers who had been billed.

"We had people contact us saying, 'Hey, we've had a transaction from you taken out of our card, and we don't know who you are'," general manager John Papiccio said.

"'We've never dealt with you — what are you, and what's the transaction?'"

Almost 17,000 fraudulent transactions were ultimately attempted through the small business's e-commerce site between April and May this year — more transactions than it would see in five years — by cybercriminals testing stolen credit card numbers.

It's what the banking industry calls a BIN attack:

A BIN attack involves fraudsters taking the first six digits of a card (called the Bank Identification Number or BIN) and using trial and error, or brute-force, methods to guess valid combinations of card numbers, expiration dates and card security codes.

The card is then tested to see if it's active through small purchases on online stores, before fraudsters either sell the card number, or use it to carry out larger fraudulent transactions.

Commonwealth Bank customers Bob Barrow and John Goodall were among those to contact the Melbourne business after noticing it listed on their transactions.

Both had Commonwealth Bank travel cards, and had the same transaction amounts ($23.21) processed through the company's online store.

"I had never used the card at all. Not once," Mr Barrow said.

"I didn't do any withdrawals, I didn't do any transactions. The card had never left my wallet."

But while Mr Barrow had only loaded $50 onto his travel card, Mr Goodall ended up losing more than $7,000 through dozens of transactions at various US retailers.

The two men were ultimately reimbursed by the Commonwealth Bank, but say they've been left with serious reservations about card security.

"It gets the mind ticking over," Mr Goodall said.

"I feel really, really insecure now with any kind of card at all."

Card numbers easier to guess than consumers think, expert says:

Cybersecurity expert Troy Hunt said card numbers were not random or infinite, contrary to what consumers might believe, making them possible for cybercriminals to guess.

"Sixteen digits might sound like a lot, but once you take off the bank identification number, you're left with 10 — and then those 10 have to adhere to a pattern, so you're left with a smaller number of different possibilities," Mr Hunt said.

"You then have machines that can automate at a very, very fast speed.

"Ten numbers really isn't very much for computers to keep guessing."

John Goodall and Bob Barrow are now calling for tighter banking processes, while John Papiccio says his employer was not contacted by the Commonwealth Bank about the attack until June, and should have been warned earlier.

"The bank has a responsibility. They're the gatekeeper," he said. 

But Mr Hunt said detecting the attacks was not solely the banks' responsibility.

"The banks are the card issuers – they're not the ones usually processing the card and they're not the ones usually accepting the card details before they go to processing," he said.

"So the banks are very much the victims of these crimes as well."

Figures from the Australian Payments Network, a self-regulatory body for payment systems, show payment card transaction fraud in 2022 totalled $577 million, up 16.5% on the previous year.

Mastercard, the world's second-largest payment processor, said its cybersecurity system SafetyNet — aimed at mitigating large-scale fraud, such as BIN attacks — blocked $13.1 billion in fraudulent transactions across Australasia last year.

Attacks are getting more sophisticated

For Mr Papiccio's employer, the company also suffered a financial impact, albeit indirectly.

The small business estimates it lost more than $20,000 in sales since being forced to shut down its e-commerce store to prevent further hacks.

Despite not being involved in the attack, it was also required to pay the Commonwealth Bank $4,750 in transaction fees, at $0.28 a transaction, plus an additional $1,275 in chargeback fees.

The company has since been refunded by the bank.

"Fraud detection requires multiple lines of defence," a Commonwealth Bank spokesperson said.

"This includes fraud monitoring through banks and payment processors as well as business owners employing their own precautions, including installing fraud protection tools."

Mr Hunt said BIN attacks could also cause reputational damage to merchants and put them at risk of losing their ability to process cards if there were too many fraudulent transactions on their e-commerce stores.

He said businesses needed to protect themselves using payment processors with robust fraud detection on their online stores, like Stripe and Square.
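As an added illustration (not part of the original story, and not the method of any bank or processor named in it), the sketch below shows the kind of merchant-side velocity check that surfaces card testing in a store's payment log: many distinct cards sharing one BIN, mostly declined, often for the same small amount. The field names, thresholds, BINs and sample rows are assumptions constructed for the example; the 2321-cent amount mirrors the $23.21 charges described above.

```python
from collections import Counter, defaultdict, deque

def make_sample():
    """Constructed log rows: (epoch_s, bin6, card_token, amount_cents, approved).
    BINs and tokens are made up; a merchant would log a token, not the full PAN."""
    rows = [(0, "900001", "c-a", 8990, True),      # ordinary customers
            (400, "900002", "c-b", 15900, True),
            (900, "900001", "c-a", 4500, True),
            (1500, "900003", "c-c", 12000, False)]
    # Card-testing burst: one BIN, a new card every 2 s, same small amount.
    for i in range(60):
        rows.append((600 + 2 * i, "999999", f"t-{i}", 2321, i % 20 == 0))
    return sorted(rows)

def detect_card_testing(rows, window=300, min_cards=20, min_decline_ratio=0.8):
    """Flag a BIN the first time `window` seconds of traffic contain at least
    `min_cards` distinct cards with a decline ratio of `min_decline_ratio` or more."""
    recent = defaultdict(deque)          # bin6 -> rows still inside the window
    alerts = {}
    for ts, bin6, token, amount, approved in rows:
        q = recent[bin6]
        q.append((ts, token, amount, approved))
        while q[0][0] <= ts - window:    # expire rows older than the window
            q.popleft()
        if bin6 in alerts:
            continue
        cards = {row[1] for row in q}
        ratio = sum(1 for row in q if not row[3]) / len(q)
        if len(cards) >= min_cards and ratio >= min_decline_ratio:
            top_amount = Counter(row[2] for row in q).most_common(1)[0][0]
            alerts[bin6] = {"time": ts, "cards": len(cards),
                            "decline_ratio": ratio, "top_amount": top_amount}
    return alerts

if __name__ == "__main__":
    for bin6, info in detect_card_testing(make_sample()).items():
        print(bin6, info)
```

On the constructed log the burst is flagged 38 seconds after it starts, once the twentieth distinct card appears, while the ordinary customers never trip the thresholds.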

"The attacks are getting more and more sophisticated because there's so much more value for the attackers in having a large number of cards that they can resell," Mr Hunt said.

"Every time we get a little bit better at making the defences better, the attackers normally either go and find another piece of low-hanging fruit somewhere, or they find a way around those defences."

As for cardholders, Mr Hunt said to keep an eye out for any suspicious, small transactions and report any fraudulent activity as soon as possible.

"We're always going to have this challenge," he said.

"When we try to make it easy for consumers to enter cards and have products purchased and delivered, it also makes it easy for hackers to do the same thing."

Original Story By | Leanne Wong

