It’s not (always) just robots.

What to do when your bad guys are actual people?

Stoneage is the new ultra-modern

Since the dawn of time (or so it feels), most website intrusion attempts have been automated. A bad guy buys a list of user names and passwords of the dark web and then uses a robot to try to shove them into every login form that exists on the internet. However, the advent of things like 2FA, captcha, and other increasingly sophisticated anti-robot tools means that the effectiveness of these strategies is reduced, particularly against people who are putting any effort into security at all (i.e. people who might have something you want to steal).

This leads to a new wave of bad behaviour – the so-called “manual breach attempt”.

Manual breach attempts occur where an actual real life human being putting conscious, intelligent effort into ruining your day. They take many guises, and due to the resources involved, typically target bigger fish with more valuable data.

It also means that it can be much more difficult to automate the protection against these activities – there’s a specific, targeted effort to do something and the goals aren’t always obvious.


Where have you BIN?

Recently I’ve been dealing with a situation where a local SME has been the target of a manual BIN attack.

For those playing at home, every credit card has a BIN (Banking Identification Number) that identifies the issuing financial institution. That BIN is typically the same across a wide range of cards and is publicly available, and there are other parts of the card number that are often universal. Basically, the last 8 or so number on your card are actually the only numbers that are unique, private and “secure”.

So a BIN attack essentially involves using the numbers that are known to reduce the amount of numbers that you have to guess –  I’m not a math guru but I think that means about 100 million possible variations on an 8 digit number. Which sounds like a lot, but if you think that in Australia there are about 13 million cards issued, and those cards are mostly issued by 4 banks, the odds start looking better. 

So traditionally you’ve had a robot just smash numbers into a payment form until something sticks, which using modern security practices, will result in the robot getting banned a long time before it strikes gold.

But, if you put a person on the case, suddenly, you can potentially put any number of these number in. It’s tedious, but unbelievably enough, this is something that is actually happening!

What to do?

In the case of these manual attempts, you can do a few different things. The most obvious are to limit access to your site to geographies where you actually do business, but what if you’re trying to expand or are already multinational?

In these cases, typically the best way to fight back is with authentication, limits and IP monitoring.

  1. Authentication means that we implement process to limit access to our endpoints to users that we know should access them. Whether this is user accounts or something similar, we add additional complexity to the process of entering data into the form, which makes it harder to do manually and therefore makes the already tedious process, even more so. The problem here is that this may also impact the experience of genuine users.
  2. Limits are restrictions on the entries to the endpoint, this might mean that if a user fails to successfully process a transaction, say 3 times, they are temporarily blocked from submitting a transaction. This method means that a genuine user is almost certainly not going to be impacted by the control, but a bad guy suddenly has next to no chance of using your form. 
  3. IP Monitoring software can trace the source of traffic to particular endpoints – and if you have someone from a single IP trying to process hundreds of transactions, we can block that IP address and then also block the IP network that they are coming from. This can potentially close out large threat ranges easily or flag with providers that the user is being naughty.


Unfortunately, the uphill battle against spam and bad guys is unrelenting, and there’s always new things happening. When times are hard, or in places where poverty is the norm, suddenly these very long-odds activities become appealing and it’s not ridiculous for a person to spend 8 hours a day poking a vulnerable form for a credit card number.

We need to meet the bad guys where they are, and as usual complacency or an expectation that a vulnerability isn’t worth exploiting is that place.