The new eight-digit Bank Identification Number (BIN) in payment cards – Is it a Security Syndrome?
Functionality vs Security-tilting balance

My previous two posts took a detour into law. I am back to my more passionate field of information security, to throw light on the Bank Identification Number (BIN), which is undergoing a change effective April 2022.

The change

The change is that the payment brands are moving from the existing 6-digit BIN to an 8-digit BIN. To refresh your memory, the BIN is the first six digits (from April 2022, the first eight digits) of any card number (credit/debit/prepaid); it identifies the issuer of the card, such as ABC Bank or XYZ Bank, anywhere in the world.

Why this change? It is not a fancy but the need of the hour: the number of card BINs available for use is nearing exhaustion because of the explosive growth in card usage across countries. The analogy is something like IPv4 to IPv6. So this change is driven purely by the functionality and operability of the card payment ecosystem, and so the battle is on between functionality and security.

While I may have lost a few battles for the infosec fraternity fighting for security, the fight is on, be it the creation of a post of Director, Information Security on the Board alongside Director Finance or Operations, or the allocation of an unlimited budget for security requirements, and so on.

While I am not covering the state of preparedness to handle the 8-digit BIN from a functionality perspective (which, as per reports, is also not geared up well enough to avoid issues), let me touch on some of the security aspects at a high level.

The backdrop

  • The BIN is no secret and is already available on the internet (now 6 digits, but from April 2022, 8 digits).
  • In the new set-up the existing length of the card number is not altered. It remains the same as before: 16 or 15 digits in most cases, depending on the payment brand.
  • The last four digits, along with the first six mentioned in the first bullet, may be displayed openly; this is permitted by international security standards.
  • A lot of things, genuine and fraudulent, can be done merely with the card number, and that is why its protection is mandated by international security standards and by financial regulatory authorities.
  • Gone are the days when we had to fight with operational and functional teams, be it a bank, a payment gateway or the like, to establish that a lot of damage can be done if the full card number is exposed unnecessarily.

The Security issues

1. Simple mathematics leaves us to guess only 4 digits out of the 16, since the other 12 digits are available elsewhere in the payment ecosystem and/or on the internet (see image above). It is worse still in a 15-digit card, leaving only 3 digits to be guessed.

2. In the earlier regime the unexposed digits were 6 out of 16, which means a great difference in entropy compared with the new system, making it time-consuming and most times futile to guess the middle six digits.

3. Are we forgetting the common-sense security we have been emphasizing since time immemorial, that the greater the length of the password the more secure it is (we also insist on passphrases and complexity)? That holds when not even one character, special symbol or number is exposed, unlike the payment card ecosystem where, from April 2022, 12 digits could be visible.

4. From point 2, the guess needs to be made only of digits (0 to 9) at four places, with that many permutations and combinations. No alphabets, no symbols, no upper case, no lower case.

5. The earlier system of 6-digit BINs and the exposures it allowed has stood the test of time till now, barring a few glitches, with the international security standards governing the payment card ecosystem. Will it continue with the increased exposure of the card number allowed under the new ecosystem of the 8-digit BIN?

I leave the answer to the Information Security folks!

Card number generation: Start Right and Protect Right

Well, till now under the old system, the first 6 digits (the BIN) were a fixed prefix, and so was the last digit, the check digit, leaving 9 free digits for the card number generation application to choose, with as much randomness as possible being the objective. Within those 9 free digits, many issuers also predefined digits to signify the type of card (red, violet, gold, etc.) or the type of customer (elite and so on), reducing randomness further. Needless to say, the more digits are fixed as a prefix, the less randomness remains. Randomness reduces predictability and is the key, since what we are eventually trying to protect is the generated card number itself. Protection after generation has no meaning if it is easy to predict what number the card number generating application would produce.

The card number generating application must be more robust in the new 8-digit BIN scenario, since only 7 free digits would be available (provided no other digit is fixed as a pre-identifier for some types of card), again reducing entropy compared with the 6-digit BIN regime. So, issuers and card number generators, and also the assessors who assess card number generation applications, watch out and bring about changes that ensure the same randomness as before in the 6-digit BIN regime, if not more. Otherwise the next step, protecting card numbers when in use, will be futile or will have reduced effectiveness.
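The arithmetic in the security issues above and the free-digit count in this section can be checked with a small script. The following is an added example, not code from the original article or from any payment brand or issuer: it implements the public Luhn check-digit rule, generates a card number for a given BIN from a cryptographically secure random source, masks it the way a receipt would, and counts how many card numbers remain consistent with a masked display under the 6-digit and 8-digit BIN regimes. The BIN values and the one-digit product identifier used below are constructed sample values, not real issuer ranges.

```python
import math
import secrets

DIGITS = "0123456789"


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that completes `partial` (all digits except the last)."""
    total = 0
    # Walk from the right: the digit immediately left of the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def free_digits(length: int, bin_len: int, product_len: int = 0) -> int:
    """Digits left for randomness once BIN, any fixed product identifier and check digit are set."""
    return length - bin_len - product_len - 1


def generate_pan(bin_prefix: str, length: int = 16, product_id: str = "") -> str:
    """Build a PAN: BIN + optional fixed product identifier + random free digits + check digit.

    `secrets` is used so the free digits come from the OS CSPRNG, not a guessable PRNG."""
    free = free_digits(length, len(bin_prefix), len(product_id))
    if free < 1:
        raise ValueError("no free digits left for randomness")
    body = bin_prefix + product_id + "".join(secrets.choice(DIGITS) for _ in range(free))
    return body + luhn_check_digit(body)


def mask_pan(pan: str, visible_prefix: int, visible_suffix: int = 4) -> str:
    """Display form: first `visible_prefix` and last `visible_suffix` digits, rest masked."""
    hidden = len(pan) - visible_prefix - visible_suffix
    return pan[:visible_prefix] + "X" * hidden + pan[-visible_suffix:]


def guess_space(length: int, visible_prefix: int, visible_suffix: int = 4) -> dict:
    """Count the PANs consistent with a masked display.

    The hidden digits are unconstrained except that the whole PAN must pass Luhn.
    The Luhn contribution of any single digit is a bijection mod 10, so for every
    choice of the other hidden digits exactly one value of the remaining hidden
    digit matches the visible check digit: exactly 10**(hidden-1) candidates."""
    hidden = length - visible_prefix - visible_suffix
    candidates = 10 ** (hidden - 1)
    return {"hidden": hidden, "candidates": candidates, "bits": math.log2(candidates)}


if __name__ == "__main__":
    pan6 = generate_pan("411111", 16)            # constructed 6-digit BIN
    pan8 = generate_pan("41111111", 16, "2")     # constructed 8-digit BIN + product digit
    print("6-digit BIN:", mask_pan(pan6, 6), "free digits:", free_digits(16, 6))
    print("8-digit BIN:", mask_pan(pan8, 8), "free digits:", free_digits(16, 8, 1))
    for length, prefix in ((16, 6), (16, 8), (15, 8)):
        print(f"{length}-digit PAN, {prefix} visible + last 4:", guess_space(length, prefix))
```

Running it reproduces the article's numbers: 9 free digits under the 6-digit BIN and 7 under the 8-digit BIN (fewer still once a product identifier is fixed), and a masked display leaves 100,000 Luhn-consistent candidates (about 16.6 bits) when six digits are hidden, 1,000 (about 10 bits) when four are hidden, and only 100 for a 15-digit card with an 8-digit BIN and last four shown. The Luhn check digit, being public, is part of the display and removes a factor of ten from every case, which is why counting "digits to guess" alone slightly overstates the remaining entropy.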

Tech gallop: Is it a hindrance to the security of card numbers?

Not as of today. The encryption mechanisms currently prescribed and used to protect card numbers will be good enough, but we cannot forever assume that encryption is rock solid and cannot be broken. History is behind us: we have seen well-known encryption algorithms being floored, and the same may happen to the ones currently in use, if not now then within the next 3 decades, by when it is said that quantum computers ruling the roost would warrant stronger encryption mechanisms. Remember that we have lived with old encryption algorithms for about 6 decades. Of course, this applies irrespective of 6-digit or 8-digit BIN, but with more digits exposed under the 8-digit BIN we could face an encryption break in less than 3 decades.

The way forward for better security

Do we increase the card length and go back to the 19-digit card number, as was the case years ago?

Do we relook at the existing practices for protecting the card number?

Do we consider introducing symbols and alphabets (upper and lower case) in the generation of the card number?

Do we leave it as it is, simply assuming the card number is secure under both the 6-digit BIN and the 8-digit BIN regimes?

Do we add more salt values to the existing card number and expect the functionality folks to take it with a pinch of salt?

Is speed so important that, to avoid the failure of a card transaction here and there, one decides to do away with encryption/protection of the card number? (Note: I have fought many a pitched battle fighting for security.)

Do we look at tokenisation as a major method of protecting card numbers, given the likely weakened strength of truncation and encryption under the 8-digit BIN regime?
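To make the tokenisation question concrete, here is an added example, not from the article and not any real token service provider's design, of vault-style tokenisation in Python. The token is drawn at random, optionally keeps the last four digits for display, and has no mathematical relationship to the PAN, so a displayed token reveals nothing about the hidden digits or the BIN, whatever the BIN length. The in-memory dictionary stands in for a real vault, which would be encrypted and access-controlled; the sample PAN is a constructed test value.

```python
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Toy vault-style tokenisation (added example, not a real token service).

    A real vault encrypts its store and restricts detokenisation to a few
    authorised systems; here a plain dictionary stands in for that store."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenize(self, pan: str, preserve_last4: bool = True) -> str:
        """Return a random token for `pan`; repeat calls return the same token."""
        if not pan.isdigit() or len(pan) < 8:
            raise ValueError("PAN must be at least 8 digits, digits only")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        suffix = pan[-4:] if preserve_last4 else ""
        body_len = len(pan) - len(suffix)
        while True:
            # The token body is independent of the PAN: it carries neither the
            # BIN nor the middle digits, so nothing can be inferred from it.
            token = "".join(secrets.choice(DIGITS) for _ in range(body_len)) + suffix
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; there is no formula to invert."""
        return self._pan_by_token[token]

    def knows_token(self, token: str) -> bool:
        return token in self._pan_by_token


def display_form(token: str, visible_prefix: int = 8) -> str:
    """Receipt-style display of a token. Unlike a truncated PAN, the visible
    prefix here is random, so showing it does not narrow down the real card."""
    return token[:visible_prefix] + "X" * (len(token) - visible_prefix - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"              # constructed test value, not a live card
    tok = vault.tokenize(sample_pan)
    print("token:", tok, "display:", display_form(tok))
    print("round trip ok:", vault.detokenize(tok) == sample_pan)
```

The design choice worth noting is that the token preserves only the last four digits and deliberately not the BIN: with a real 8-digit BIN plus last four on display, the arithmetic earlier in this post applies to the PAN, but a token's leading digits are random, so the same display exposes nothing that helps reconstruct the card number. Whether a token format should carry the BIN at all is a separate decision that trades that property against routing and reporting needs.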

I will come back on the above, irrespective of brickbats for this post. But before that, let me invite your attention to the fact that if information technology is the way of life today, then information security is "the lifeline" in this world of sensitive information glut.
