OWASP Automated Threat (OAT – 001) Carding
Carding – Multiple payment authorization attempts used to verify the validity of bulk stolen payment card data.
What is Carding?
Carding is a filtering process used to determine whether stolen credit cards are still valid: a list of full credit and/or debit card data is tested against a merchant's payment process to identify which card details work. The quality of stolen data is always unknown, and carding is used to separate out the usable, higher-value records.
Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace. Carding fraud often goes undetected by the cardholder until it is too late and their funds have been spent, transferred, or otherwise drained. Bad actors carry it out using bots that send payment authorization attempts for small test purchases through a website or application that is not sufficiently protected.
Carding is also known by terms such as card stuffing, credit card stuffing and card verification.
The Symptoms of Carding
OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of carding. These include:
- Elevated basket abandonment
- Reduced average basket price
- A higher proportion of failed payment authorizations
- Disproportionate use of the payment step
- Increased chargebacks
- Multiple failed payment authorizations from the same user and/or IP address and/or user agent and/or session and/or device ID/fingerprint
Sectors Targeted by Carding
The major sectors targeted by the carding threat include the entertainment and retail industries.
According to OWASP, these attacks result in the misuse of various types of data, including authentication credentials; payment cardholder data and other financial data; medical and other personal data; intellectual property and other business data; and public information.
Ways to Prevent Carding Security Threat
OWASP suggests several possible countermeasures to help address the threat of carding. These include:
- Entirely outsourcing all payment aspects to an appropriate payment service provider (PSP) that has its own countermeasures against carding in place, increasing the minimum checkout value, and removing payment by card entirely if alternatives are available. These checks are only the start of a broader, more formidable protection against fraudsters hunting for valid credit card numbers.
- Consider randomizing the content and URLs of payment submission pages and payment forms, linking these changes to the individual user's session, verifying the changes at each payment step, and restricting any identified automated usage.
- Organizations can monitor and limit the rate of card authorization attempts per session, user, IP address, device, and fingerprint. This way, automation and malicious users are blocked as soon as they reach a set number of failed attempts while testing different card numbers.
- Identify and restrict automated usage by reputation methods. In particular, businesses can use geolocation and/or IP address block lists to prevent access to the payment parts of the application. They can also use address and card reputation services and add delays in the checkout steps for new and rare customers.
- An even stricter way to block unknown or rare customers is to remove guest checkout options, which forces new users to create a verified account.
- OWASP also recommends that organizations participate in e-commerce threat intelligence exchanges and contribute any relevant attack data to sector-wide sharing systems.
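The symptom list above (a higher proportion of failed authorizations, a reduced average basket price, repeated failures from the same IP or device fingerprint) and the rate-limiting countermeasure in this list describe the same detection logic from two sides. The following is an added example, not code from OWASP or from this article: it parses a constructed authorization log (the `ts=... session=... ip=... device=... result=... amount=...` format and the sample lines are assumptions, not a real PSP format), keeps a sliding-window count of failed authorizations per session, IP address and device fingerprint, blocks a key once it reaches the limit, and reports the aggregate symptoms. The sample shows why counting on several dimensions matters: the bot rotates its session on every attempt, so a per-session limit alone would never fire, but the shared IP and device fingerprint trip the limit.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed log format (an assumption for this example, not a real PSP log):
# ts=<epoch seconds> session=<id> ip=<addr> device=<fingerprint> result=APPROVED|DECLINED amount=<value>
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class AuthAttempt:
    ts: float
    session: str
    ip: str
    device: str
    approved: bool
    amount: float


def parse_line(line: str) -> AuthAttempt:
    """Parse one constructed authorization log line into an AuthAttempt."""
    kv = dict(KV_RE.findall(line))
    return AuthAttempt(
        ts=float(kv["ts"]),
        session=kv["session"],
        ip=kv["ip"],
        device=kv["device"],
        approved=(kv["result"] == "APPROVED"),
        amount=float(kv["amount"]),
    )


class CardingDetector:
    """Count failed authorizations per session, IP and device fingerprint
    inside a sliding window and block a key once it reaches the limit."""

    def __init__(self, window_s: float = 600, max_failures: int = 5):
        self.window_s = window_s
        self.max_failures = max_failures
        self._fails = defaultdict(deque)  # key -> timestamps of failed attempts
        self.blocked = set()              # keys that hit the limit (no expiry in this example)

    @staticmethod
    def _keys(a: AuthAttempt):
        # The limit is applied on each dimension independently, so rotating
        # sessions alone does not evade the IP or device-fingerprint limit.
        return (("session", a.session), ("ip", a.ip), ("device", a.device))

    def is_blocked(self, a: AuthAttempt) -> bool:
        return any(k in self.blocked for k in self._keys(a))

    def record(self, a: AuthAttempt) -> str:
        """Return 'blocked' (reject before the attempt reaches the PSP),
        'flagged' (this failure crossed the limit) or 'ok'."""
        if self.is_blocked(a):
            return "blocked"
        if a.approved:
            return "ok"
        tripped = False
        for k in self._keys(a):
            q = self._fails[k]
            q.append(a.ts)
            while q and a.ts - q[0] > self.window_s:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self.blocked.add(k)
                tripped = True
        return "flagged" if tripped else "ok"


def analyze(lines, window_s=600, max_failures=5):
    """Run the detector over log lines and summarize the carding symptoms."""
    det = CardingDetector(window_s, max_failures)
    attempts = [parse_line(line) for line in lines]
    decisions = [det.record(a) for a in attempts]
    failures = sum(1 for a in attempts if not a.approved)
    return {
        "decisions": decisions,
        "failure_rate": failures / len(attempts),       # symptom: failed-authorization ratio
        "avg_amount": sum(a.amount for a in attempts) / len(attempts),  # symptom: basket price
        "blocked_keys": sorted(det.blocked),
    }


# Constructed sample: a normal shopper, a second shopper with one typo then an
# approval, then a bot rotating sessions but reusing one IP and device fingerprint.
SAMPLE_LOG = [
    "ts=1000 session=s-legit ip=203.0.113.10 device=fp-a result=APPROVED amount=59.99",
    "ts=1500 session=s-legit2 ip=203.0.113.11 device=fp-b result=DECLINED amount=24.50",
    "ts=1520 session=s-legit2 ip=203.0.113.11 device=fp-b result=APPROVED amount=24.50",
] + [
    f"ts={2000 + i} session=s-bot{i} ip=198.51.100.7 device=fp-bot result=DECLINED amount=1.00"
    for i in range(6)
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Running it on the sample gives seven `ok` decisions, a `flagged` on the bot's fifth decline and a `blocked` on its sixth, with the IP and device keys in `blocked_keys` while every bot session key stays clean. In a deployment the blocked set would expire, the thresholds would differ per dimension, and the same counters would feed the chargeback and basket-abandonment figures that the symptom list mentions.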
These are the primary security checks against carding, but dedicated fraudsters will go to great lengths to strengthen their carding efforts, often operating through privacy browsers, VPNs and proxy servers to obscure their online identity. Some exposed carding attempts have even revealed evidence of document forgery used to verify stolen card numbers. All of the above proactive measures push back against malicious users without harming legitimate users.
Online businesses can also opt for a bot mitigation solution that prevents carding and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate approach to preventing OWASP Automated Threats and also ensures real-time protection against malicious bots.
These security measures help you build a stronger defense against the carding fraud targeting credit card numbers around the world.