Learn more about our exciting new look and unrivaled approach to the market revealed at IHRSA.

How to Protect Your Gym Business from Online Attacks

It’s always a good idea to consider ways to protect your members’ data and financial information so your club continues to run smoothly and without interruption.

As clubs are starting to promote new members in preparation of busy season, bad actors are preparing too. Hackers are increasing their automated bot attacks on websites, including fitness clubs, hoping to validate stolen credit card numbers they can then use to make fraudulent purchases. This type of data breach activity can seriously disrupt your business, and even lead to your vendor disabling your service or your acquirer freezing your merchant ID.

Luckily when you use MYiCLUBonline for your online payments, there’s a quick and easy way to protect member data that still allows valid users to process payments. But first let’s talk about why that’s critical.

BIN Attacks: Crawling Your Members’ Credit Card Data

A bank identification number (BIN) is the first four to six digits on a credit card, which indicates a card’s issuing bank. A popular cyber attack among bad actors is to use known BINs to automatically populate and test the rest of the card number; known as a BIN attack.

When a bot runs a BIN attack, it tests a series of credit card numbers by running small transactions under $1.00 to see which card numbers work. The purpose of this testing is to determine working card numbers to then run larger fraudulent transactions later.

Through a BIN attack, bots can access financial data from your members, charging their credit cards fraudulently and otherwise wreaking havoc on your business.

Remediating a BIN Attack

Failing to implement a bot or spam prevention tool in your member management software leaves you vulnerable to BIN attacks and other malicious bot, spam, and hacker attacks. Let’s look at the progression of a BIN attack, and how to remediate it once it’s happened.

  1. When your club experiences a BIN attack, you may experience a sudden, high rate of hard card declines in your system.
  2. Upon further investigation, it’s determined that bad actors are exploiting a security vulnerability in the website vendor’s software.
    • For example, they could be using scripts to submit online join requests, abusing your “create agreement” API to identify valid credit card and CVV pairings. (Invalid pairings result in the hard decline.)
  3. Though it may not be your club under attack specifically, as the issue is being addressed by your vendor, the entire system will likely be disabled and taken offline.
  4. Once resolved, you’ll need to notify your members so they may take steps on their end to secure their financial accounts.
  5. You will likely be issued a new API key before you can start operating your member management system again.
  6. Changing your API key will disrupt all club locations serviced by your vendor and all clubs would then impacted by the key change, regardless if the bot attack affected their club’s system.

To help your business avoid the major disruption that a security breach can cause, it’s important to better secure your members’ data and guard against bots.

How to Protect Your Data and Prevent Bot Attacks with reCAPTCHA by Google

Google’s reCAPTCHA is a quick, easy-to-implement tool that protects your websites from fraud and abuse. It requires your users to validate that they’re human before they can proceed through an online transaction.

Here’s what reCAPTCHA looks like in action:

google recaptcha example for fitness clubs

If you don’t already have controls in place to stop bots in their tracks, consider implementing them before you experience an attack. By avoiding a breach, you also avoid having your payment processors freeze transactions — and keep your business running in the process.

reCAPTCHA is functionality inherent to MYiCLUBonline to help you prevent bot attacks. When you use MYiCLUBonline to process payments, you are enabling reCAPTCHA and providing your club with a much needed layer of security.

For any questions regarding reCAPTCHA setup in your member portal, get in touch with us here.