OWASP Automated Threat (OAT – 012) Cashing Out

Cashing Out - Buying goods or obtaining cash using stolen, already-validated payment card data or other user account data. Cashing out is one of the three payment-card threats in the OWASP Automated Threat Handbook (alongside carding (OAT – 001) and card cracking (OAT – 010)) that bots use to exploit a website and commit online fraud.

What is Cashing Out?

Cashing out is the process of obtaining currency or higher-value merchandise through the application using stolen, previously validated payment cards or other account login credentials. It is sometimes carried out in conjunction with product return fraud.

Cashing out is also known by terms such as money laundering, online credit card fraud, online payment card fraud, refund fraud and stolen identity refund fraud.

For financial applications, cashing out is usually a transfer of funds to a money mule's account. For payment cards, it typically follows carding of bulk stolen data or card cracking: goods are bought with the validated cards and delivered to a reshipper's (drop) address. Obtaining refunds of payments through non-financial applications also counts as cashing out.

The Symptoms of Cashing Out

OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, lists several symptoms of cashing out. These include:

  1. Increased chargebacks

  2. Increased usage of interlinked accounts (e.g., same phone number, same password, identical or similar email address)

  3. Same or similar accounts for both buyer and seller in sites that facilitate consumer-to-consumer (C2C) commerce

  4. Increased demand for higher-value goods or services

  5. Increased demand for a single supplier's products or services
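Symptoms 2 and 3 can be checked directly against account and order data. The following Python script is an added example, not part of the OWASP handbook or of this page: it clusters accounts that share a normalized email address, phone number or password fingerprint, then flags consumer-to-consumer orders in which buyer and seller are the same account or sit in the same cluster. The account and order records are constructed for illustration, and the `pw_fingerprint` field is an assumed deterministic, keyed fingerprint stored for this purpose (ordinary per-user salted password hashes cannot be compared across accounts).

```python
"""Flag two cashing-out symptoms: interlinked accounts and self-dealing C2C orders."""
from collections import defaultdict

# Constructed sample records (not real data). pw_fingerprint is assumed to be a
# keyed, deterministic fingerprint of the password; salted hashes would never match.
ACCOUNTS = [
    {"id": "u1", "email": "alice@example.com",        "phone": "+15550000001", "pw_fingerprint": "fp-a"},
    {"id": "u2", "email": "a.l.i.c.e+shop@gmail.com", "phone": "+15550000002", "pw_fingerprint": "fp-b"},
    {"id": "u3", "email": "alice+2@gmail.com",        "phone": "+15550000009", "pw_fingerprint": "fp-b"},
    {"id": "u4", "email": "bob@example.org",          "phone": "+15550000003", "pw_fingerprint": "fp-c"},
]
ORDERS = [
    {"id": "o1", "buyer": "u3", "seller": "u2", "amount": 950.00},  # linked buyer and seller
    {"id": "o2", "buyer": "u4", "seller": "u1", "amount": 40.00},   # unrelated parties
    {"id": "o3", "buyer": "u1", "seller": "u1", "amount": 500.00},  # same account on both sides
]


def normalize_email(addr: str) -> str:
    """Collapse cosmetic variants of one mailbox: lower-case, drop plus-tags,
    and drop dots in the local part for gmail.com, which ignores them."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def link_clusters(accounts):
    """Union-find over accounts that share any linking attribute.
    Returns only the clusters with more than one member."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_owner = {}  # (attribute, value) -> first account id seen with it
    for a in accounts:
        keys = (("email", normalize_email(a["email"])),
                ("phone", a["phone"]),
                ("pw", a["pw_fingerprint"]))
        for key in keys:
            if key in first_owner:
                parent[find(a["id"])] = find(first_owner[key])
            else:
                first_owner[key] = a["id"]

    clusters = defaultdict(set)
    for a in accounts:
        clusters[find(a["id"])].add(a["id"])
    return [frozenset(c) for c in clusters.values() if len(c) > 1]


def self_dealing_orders(orders, clusters):
    """Order ids where buyer and seller are one account or two linked accounts."""
    cluster_of = {uid: c for c in clusters for uid in c}
    flagged = []
    for o in orders:
        same_party = o["buyer"] == o["seller"]
        linked = o["buyer"] in cluster_of and o["seller"] in cluster_of[o["buyer"]]
        if same_party or linked:
            flagged.append(o["id"])
    return flagged


if __name__ == "__main__":
    found = link_clusters(ACCOUNTS)
    print("interlinked account clusters:", [sorted(c) for c in found])
    print("self-dealing orders:", self_dealing_orders(ORDERS, found))
```

In the sample data u2 and u3 are linked twice over (the same normalized Gmail address and the same password fingerprint), so order o1 between them is flagged together with o3, where one account is both buyer and seller. Email normalization is deliberately conservative: plus-tags are stripped for every domain, but dots are only ignored for gmail.com, because other providers treat them as significant.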

Sectors Targeted by Cashing Out

The sectors most often targeted by cashing out are entertainment, financial services and government.

According to the Automated Threat Handbook for Web Applications published by OWASP, these attacks lead to the misuse of several types of data: authentication credentials; payment cardholder data and other financial data; medical and other personal data; intellectual property and other business data; and public information.

Ways to Prevent Cashing Out

OWASP suggests several countermeasures against cashing out. These include:

  1. Outsource all payment handling to a payment service provider that has its own countermeasures against cashing out, raise the minimum checkout value, and remove card payment entirely where alternatives are available. These controls are only the start of a broader defense against fraudsters monetizing validated stolen cards.

  2. Consider randomizing the content and URLs of payment submission pages and payment forms, tying these changes to the individual user's session, verifying them at each payment step, and restricting any usage identified as automated.

  3. Monitor and limit the rate of card authorization attempts per session, user, IP address, device and fingerprint, so that automated tools and malicious users are blocked as soon as they reach a set number of failed attempts while cycling through card numbers.

  4. Identify and restrict automated usage by reputation methods: use geolocation and/or IP address block lists to keep known-bad sources away from the payment parts of the application, use address and card reputation services, and add delays to the checkout steps for new and infrequent customers.

  5. OWASP also recommends that organizations participate in ecommerce threat intelligence exchanges and contribute relevant attack data to sector-wide sharing systems.
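Countermeasures 2 and 3 are the ones an application team implements itself. The Python prototype below is an added example, not code from OWASP or from this page: it derives per-session, per-step payment form field names with an HMAC and rejects a submission whose names were not issued to that session and step, and it keeps a sliding-window count of failed card authorizations keyed on session, user, IP address and device fingerprint at once, so that starting a fresh session does not reset the per-device or per-user budget. `SERVER_KEY`, the field names and the limits are assumptions for illustration; a production deployment would hold the key and counters in shared, persistent storage rather than in process memory.

```python
"""Checkout guard prototype: session-bound randomized form field names and a
multi-key rate limit on failed card authorizations."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

SERVER_KEY = secrets.token_bytes(32)   # assumption: server-side secret, rotated out of band
LOGICAL_FIELDS = ("card_number", "expiry", "cvv")


def field_names(session_id: str, step: str) -> dict:
    """Derive a per-session, per-step name for each logical payment field.
    Names are an HMAC of (session, step, field), so they need no server-side
    storage and cannot be guessed or reused from another session or step."""
    names = {}
    for field in LOGICAL_FIELDS:
        msg = f"{session_id}|{step}|{field}".encode()
        tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]
        names[field] = f"f_{tag}"
    return names


def parse_submission(session_id: str, step: str, form: dict):
    """Map submitted names back to logical fields; None if the set of names is
    not exactly what this session was issued for this step (replayed or scripted form)."""
    expected = field_names(session_id, step)
    if set(form) != set(expected.values()):
        return None
    return {field: form[name] for field, name in expected.items()}


class AuthAttemptLimiter:
    """Sliding-window count of failed authorizations per dimension (session, user,
    IP, device fingerprint). An attempt is refused if any dimension is at its limit,
    so rotating one identifier does not reset the others."""

    def __init__(self, limits: dict, window_s: int = 3600):
        self.limits = limits                    # dimension -> max failures per window
        self.window_s = window_s
        self.failures = defaultdict(deque)      # (dimension, value) -> failure timestamps

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        return len(q)

    def allowed(self, ids: dict, now=None) -> bool:
        now = time.time() if now is None else now
        return all(self._recent((dim, ids.get(dim)), now) < limit
                   for dim, limit in self.limits.items())

    def record_failure(self, ids: dict, now=None):
        now = time.time() if now is None else now
        for dim in self.limits:
            self.failures[(dim, ids.get(dim))].append(now)


if __name__ == "__main__":
    names = field_names("sess-A", "payment")
    good = {names["card_number"]: "4111111111111111", names["expiry"]: "12/30", names["cvv"]: "123"}
    print("own session:", parse_submission("sess-A", "payment", good))
    print("replayed in another session:", parse_submission("sess-B", "payment", good))

    limiter = AuthAttemptLimiter({"session": 3, "user": 5, "ip": 20, "device": 5}, window_s=600)
    ids = {"session": "s1", "user": "u1", "ip": "198.51.100.7", "device": "fp-1"}
    for t in (1, 2, 3):
        limiter.record_failure(ids, now=t)
    print("after 3 failures in one session:", limiter.allowed(ids, now=4))
    print("new session, same device:", limiter.allowed(dict(ids, session="s2"), now=4))
```

Only failed authorizations are counted, which is what distinguishes a fraudster cycling through cards from a legitimate customer who mistypes once; the per-session limit is the tightest and the per-IP limit the loosest, since many legitimate customers share an IP behind carrier NAT.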

These proactive measures push back against malicious users with little impact on legitimate customers, but some dedicated bad actors will go to considerable lengths to get their cashing out through.

Online businesses can also adopt a bot mitigation solution that blocks cashing out and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is among the most accurate approaches to preventing OWASP automated threats and provides real-time protection against malicious bots.

Together, these measures build a stronger defense against cashing out fraud that uses stolen payment cards from anywhere in the world.
