OWASP Automated Threats - OAT-001 Carding


In this OWASP Automated Threat Article we'll be highlighting OAT-001 Carding with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how Carding works to validate lists of stolen credit cards that lead to fraud. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.

Carding Description:

Lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.

When partial cardholder data is available, and the expiry date and/or security code are not known, the process is instead known as OAT-010 Card Cracking. The use of stolen cards to obtain cash or goods is OAT-012 Cashing Out..

OWASP Automated Threat (OAT) Identity Number


Threat Event Name


Summary Defining Characteristics

Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.

OAT-001 Attack Demographics:

Sectors Targeted Parties Affected Data Commonly Misused Other Names and Examples Possible Symptoms
Entertainment Many Users Payment Cardholder Data Card stuffing

Elevated basket abandonment

Retail Application Owner   Card verification

Reduced average basket price

  Third Parties    

Higher proportion of failed payment authorisations

        Disproportionate use of the payment step
        Increased chargebacks
        Multiple failed payment authorizations from the same user and/or IP address and/or User Agent and/or session and/or deviceID/fingerprint

Carding Demo:

In this demo we will be showing how attackers leverage browser automation using Selenium with Python to execute Carding attacks against the payment page of a web application. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.





In Conclusion:

Carding remains a very common practice to validate lists of stolen credit card or payment card data which ultimately leads to fraud. It is very preventable if appropriate anti-automation controls are put into place.


OWASP Automated Threats to Web Applications Home Page

OWASP Automated Threats Identification Chart

OWASP Automated Threats to Web Applications Handbook

F5 Related Content

Updated Apr 23, 2024
Version 4.0

Was this article helpful?

No CommentsBe the first to comment