In this OWASP Automated Threat article we'll be highlighting OAT-001 Carding with some basic threat information as well as a recorded demo to dive deeper into the concepts. In our demo we'll show how Carding works to validate lists of stolen credit cards that lead to fraud. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.
Lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.
When partial cardholder data is available, and the expiry date and/or security code are not known, the process is instead known as OAT-010 Card Cracking. The use of stolen cards to obtain cash or goods is OAT-012 Cashing Out.
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
OAT-001 Attack Demographics:
Data Commonly Misused: Payment Cardholder Data
Other Names and Examples:
Possible Symptoms:
- Elevated basket abandonment
- Reduced average basket price
- Higher proportion of failed payment authorisations
- Disproportionate use of the payment step
- Multiple failed payment authorisations from the same user and/or IP address and/or User Agent and/or session and/or deviceID/fingerprint
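As an added example (not F5's or OWASP's code), the following defender-side detection logic applies the last symptom above to payment-authorisation log lines: it flags a source (IP plus device fingerprint) that produces many declined authorisations across many distinct cards inside a short window, while leaving a customer retrying one card alone. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Flag carding symptoms in payment-authorisation logs (added example).
Log format, thresholds and sample data are assumptions, not a real product's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, client IP, device fingerprint, card token, result
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 fp-a1 tok-1001 DECLINED
2024-03-01T10:00:03Z 203.0.113.7 fp-a1 tok-1002 DECLINED
2024-03-01T10:00:05Z 203.0.113.7 fp-a1 tok-1003 APPROVED
2024-03-01T10:00:06Z 203.0.113.7 fp-a1 tok-1004 DECLINED
2024-03-01T10:00:08Z 203.0.113.7 fp-a1 tok-1005 DECLINED
2024-03-01T10:00:09Z 203.0.113.7 fp-a1 tok-1006 DECLINED
2024-03-01T10:05:00Z 198.51.100.2 fp-b9 tok-2001 APPROVED
2024-03-01T10:07:30Z 198.51.100.2 fp-b9 tok-2001 DECLINED
2024-03-01T10:09:00Z 198.51.100.2 fp-b9 tok-2001 APPROVED
"""

def parse(log):
    """Turn log lines into (timestamp, ip, fingerprint, card_token, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, fp, tok, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, fp, tok, result))
    return events

def flag_carding(events, window=timedelta(minutes=5), max_failures=3, min_cards=3):
    """Return {(ip, fingerprint): (failures, distinct_cards)} for flagged sources.

    A source is flagged when, within any sliding window, it produces at least
    max_failures DECLINED authorisations spread over at least min_cards distinct
    card tokens. The distinct-card requirement separates list validation from a
    genuine customer retrying a single card after a decline."""
    by_source = defaultdict(list)
    for ts, ip, fp, tok, result in sorted(events):
        by_source[(ip, fp)].append((ts, tok, result))
    flagged = {}
    for source, evs in by_source.items():
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            fails = [e for e in in_window if e[2] == "DECLINED"]
            cards = {e[1] for e in fails}
            if len(fails) >= max_failures and len(cards) >= min_cards:
                flagged[source] = (len(fails), len(cards))
                break  # one hit per source is enough to raise it
    return flagged
```

In practice the same counters should also be keyed by user account, session and User Agent, as the symptom list suggests, since a carding tool will rotate whichever attribute it can.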
Carding Demo:
In this demo we will be showing how attackers leverage browser automation using Selenium with Python to execute Carding attacks against the payment page of a web application. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.
Carding remains a very common practice to validate lists of stolen credit card or payment card data which ultimately leads to fraud. It is very preventable if appropriate anti-automation controls are put into place.