
OWASP Automated Threats - OAT-001 Carding

Introduction:

In this OWASP Automated Threat Article we'll be highlighting OAT-001 Carding with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how Carding works to validate lists of stolen credit cards that lead to fraud. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.

Carding Description:

Lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.

When only partial cardholder data is available, and the expiry date and/or security code are not known, the process is instead known as OAT-010 Card Cracking. The use of validated stolen cards to obtain cash or goods is OAT-012 Cashing Out.

OWASP Automated Threat (OAT) Identity Number

OAT-001

Threat Event Name

Carding

Summary Defining Characteristics

Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.

OAT-001 Attack Demographics:

Sectors Targeted

Entertainment, Retail

Parties Affected

Many Users, Application Owner, Third Parties

Data Commonly Misused

Payment Cardholder Data

Other Names and Examples

Card stuffing, Card verification

Possible Symptoms

    Elevated basket abandonment
    Reduced average basket price
    Higher proportion of failed payment authorisations
    Disproportionate use of the payment step
    Increased chargebacks
    Multiple failed payment authorisations from the same user and/or IP address and/or User Agent and/or session and/or device ID/fingerprint
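The last three symptoms above are the ones a defender can measure directly at the payment endpoint. The following script is an added example for this article, not F5 or OWASP code: it reads a constructed, hypothetical merchant request log (timestamp, client IP, session ID, method, path, status, gateway result, opaque card token) and flags clients that, within a sliding window, make many authorisation attempts, get mostly declines, or cycle through many distinct cards. The log format, the /api/pay path and the thresholds are assumptions chosen for illustration; a genuine customer retrying one card a couple of times is deliberately included so the rules can be seen to leave it alone.

```python
"""Velocity detection for OAT-001 Carding at a payment authorisation endpoint.

Added example for this article (not F5 or OWASP code). The log format,
the /api/pay path and the thresholds below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

PAY_PATH = "/api/pay"  # assumed payment-authorisation endpoint

# Constructed sample log (hypothetical format):
#   ts ip session method path status gateway_result card_token
# Client s-a1 behaves like a carding bot: one page view, then eight
# authorisation attempts with eight different cards in 14 seconds.
# Client s-b2 is a normal shopper retrying the same card after two declines.
SAMPLE_LOG = """\
2025-09-17T10:00:01Z 203.0.113.7 s-a1 GET /product/42 200 - -
2025-09-17T10:00:20Z 203.0.113.7 s-a1 POST /api/pay 402 DECLINED tok-101
2025-09-17T10:00:22Z 203.0.113.7 s-a1 POST /api/pay 402 DECLINED tok-102
2025-09-17T10:00:24Z 203.0.113.7 s-a1 POST /api/pay 402 DECLINED tok-103
2025-09-17T10:00:26Z 203.0.113.7 s-a1 POST /api/pay 200 APPROVED tok-104
2025-09-17T10:00:28Z 203.0.113.7 s-a1 POST /api/pay 402 DECLINED tok-105
2025-09-17T10:00:30Z 203.0.113.7 s-a1 POST /api/pay 402 DECLINED tok-106
2025-09-17T10:00:32Z 203.0.113.7 s-a1 POST /api/pay 402 DECLINED tok-107
2025-09-17T10:00:34Z 203.0.113.7 s-a1 POST /api/pay 402 DECLINED tok-108
2025-09-17T10:01:05Z 198.51.100.20 s-b2 GET /product/42 200 - -
2025-09-17T10:01:40Z 198.51.100.20 s-b2 POST /cart/add 200 - -
2025-09-17T10:02:10Z 198.51.100.20 s-b2 GET /checkout 200 - -
2025-09-17T10:02:55Z 198.51.100.20 s-b2 POST /api/pay 402 DECLINED tok-900
2025-09-17T10:03:30Z 198.51.100.20 s-b2 POST /api/pay 402 DECLINED tok-900
2025-09-17T10:04:05Z 198.51.100.20 s-b2 POST /api/pay 200 APPROVED tok-900
"""


@dataclass
class Request:
    ts: datetime
    ip: str
    session: str
    path: str
    result: str  # APPROVED / DECLINED, or "-" for non-payment requests
    card: str    # opaque card token, or "-" for non-payment requests


def parse_log(text):
    """Parse the hypothetical log format into Request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, _method, path, _status, result, card = line.split()
        records.append(Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                               ip, session, path, result, card))
    return records


def find_carding(records, window=timedelta(minutes=5), min_attempts=5,
                 decline_ratio=0.6, min_distinct_cards=3):
    """Return {(ip, session): stats} for clients whose payment activity inside
    any `window` looks like card validation rather than shopping.

    A client is flagged once it has at least `min_attempts` authorisations in
    the window and either most of them are declined or it has presented at
    least `min_distinct_cards` different cards. Stats reflect the window
    ending at the client's most recent authorisation attempt.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[(r.ip, r.session)].append(r)

    findings = {}
    for key, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, end in enumerate(reqs):
            if end.path != PAY_PATH:
                continue
            in_window = [r for r in reqs[: i + 1] if r.ts >= end.ts - window]
            pays = [r for r in in_window if r.path == PAY_PATH]
            if len(pays) < min_attempts:
                continue
            declines = sum(1 for r in pays if r.result == "DECLINED")
            cards = {r.card for r in pays}
            ratio = declines / len(pays)
            if ratio >= decline_ratio or len(cards) >= min_distinct_cards:
                findings[key] = {
                    "attempts": len(pays),
                    "declines": declines,
                    "decline_ratio": ratio,
                    "distinct_cards": len(cards),
                    # share of the client's traffic that is the payment step
                    "payment_share": len(pays) / len(in_window),
                }
    return findings


if __name__ == "__main__":
    for (ip, session), stats in find_carding(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} session={session}: {stats}")
```

Running it flags only the 203.0.113.7 / s-a1 client (8 attempts, 7 declines, 8 distinct cards, payment step making up 8 of 9 requests) while the legitimate shopper never reaches the attempt threshold. In production the same logic would key on device fingerprint or User Agent as well as IP and session, since carding tools rotate proxies and cookies, and the card token must be a one-way hash or gateway token, never the PAN.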

Carding Demo:

In this demo we show how attackers leverage browser automation, using Selenium with Python, to execute a Carding attack against the payment page of a web application: each stolen card is submitted through the normal checkout flow and the authorisation response reveals whether the card is still live. We then run the same attack with F5 Distributed Cloud Bot Defense protecting the application.

In Conclusion:

Carding remains a very common practice to validate lists of stolen credit card or payment card data which ultimately leads to fraud. It is very preventable if appropriate anti-automation controls are put into place.

OWASP Links

OWASP Automated Threats to Web Applications Home Page

OWASP Automated Threats Identification Chart

OWASP Automated Threats to Web Applications Handbook


Updated Sep 17, 2025
Version 5.0