Showing results for 
Search instead for 
Did you mean: 
F5 Employee
F5 Employee


In this OWASP Automated Threat Article we'll be highlighting OAT-001 Carding with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how Carding works to validate lists of stolen credit cards that lead to fraud. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.

Carding Description:

Lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.

When partial cardholder data is available, and the expiry date and/or security code are not known, the process is instead known as OAT-010 Card Cracking. The use of stolen cards to obtain cash or goods is OAT-012 Cashing Out..

OWASP Automated Threat (OAT) Identity Number


Threat Event Name


Summary Defining Characteristics

Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.


OAT-001 Attack Demographics:

Sectors Targeted Parties Affected Data Commonly Misused Other Names and Examples Possible Symptoms
Entertainment Many Users Payment Cardholder Data Card stuffing

Elevated basket abandonment

Retail Application Owner   Card verification

Reduced average basket price

  Third Parties    

Higher proportion of failed payment authorisations

        Disproportionate use of the payment step
        Increased chargebacks
        Multiple failed payment authorizations from the same user and/or IP address and/or User Agent and/or session and/or deviceID/fingerprint


Credential Stuffing Demo:

In this demo we will be showing how attackers leverage browser automation using Selenium with Python to execute Carding attacks against the payment page of a web application. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.



In Conclusion:

Carding remains a very common practice to validate lists of stolen credit card or payment card data which ultimately leads to fraud. It is very preventable if appropriate anti-automation controls are put into place.


OWASP Automated Threats to Web Applications Home Page

OWASP Automated Threats Identification Chart

OWASP Automated Threats to Web Applications Handbook

F5 Related Content

F5 Bot Defense Solutions

The OWASP Automated Threats Project

OWASP Automated Threats - CAPTCHA Defeat (OAT-009)

Operationlizing Online Fraud Detection, Prevention, and Response

JavaScript Supply Chains, Magecart, and F5 XC Client-Side Defense (Demo)

How Attacks Evolve From Bots to Fraud Part: 1

How Attacks Evolve From Bots to Fraud Part: 2

F5 Distributed Cloud Bot Defense

Version history
Last update:
‎26-Aug-2022 16:03
Updated by: