OWASP Automated Threats

Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.

What is Card Cracking?

Card Cracking is a brute force attack against an application's payment card processes to identify the missing values for start date, expiry date and/or card security code (CSC). The CSC is known by many other names, including card validation number 2 (CVN2), card validation code (CVC), card verification value (CV2) and card identification number (CID).

When these values are known as well as the Primary Account Number (PAN), OAT-001 Carding is used to validate the details, and OAT-012 Cashing Out to obtain goods or cash.

Card Cracking is also known by terms such as brute forcing credit card information, card brute forcing, credit card cracking and distributed guessing attack.


The symptoms of Card Cracking

  • Elevated basket abandonment
  • Higher proportion of failed payment authorizations
  • Disproportionate use of the payment step
  • Reduced average basket price
  • Increased chargebacks


Sectors targeted by Card Cracking

  • Retail


Can InfiSecure prevent Card Cracking?

InfiSecure's automated threat protection system limits the number of failed card authorization attempts per session, user, IP address, device or fingerprint. InfiSecure uses the most advanced fingerprinting technology to identify and restrict automated usage by fingerprinting the user agent for its unique characteristics, among many other attack vectors.
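
A sketch of the failed-authorization limit described above, added here as an illustration and not InfiSecure's own code. The threshold, window, field names and sample events are assumptions constructed for the example; it counts failures per session, user, IP address and device fingerprint, so an attempt is refused as soon as any one of those keys exhausts its budget.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the page): failures allowed per key per window.
MAX_FAILURES = 3
WINDOW_SECONDS = 600
DIMENSIONS = ("session", "user", "ip", "device")  # the keys the page lists

class FailedAuthLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # (dimension, value) -> failure timestamps

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def blocked_by(self, attempt):
        """Return the dimensions whose failure budget is already exhausted."""
        return [d for d in DIMENSIONS if attempt.get(d)
                and self._recent((d, attempt[d]), attempt["ts"]) >= self.max_failures]

    def record(self, attempt, authorized):
        """Call once the payment gateway has answered; only failures count."""
        if authorized:
            return
        for d in DIMENSIONS:
            if attempt.get(d):
                self.failures[(d, attempt[d])].append(attempt["ts"])

def replay(events, limiter=None):
    """Replay (attempt, authorized) pairs; return (ts, decision, dimensions)."""
    limiter = limiter or FailedAuthLimiter()
    decisions = []
    for attempt, authorized in events:
        dims = limiter.blocked_by(attempt)
        if dims:  # a blocked attempt is never forwarded to the gateway
            decisions.append((attempt["ts"], "block", dims))
            continue
        limiter.record(attempt, authorized)
        decisions.append((attempt["ts"], "allow", []))
    return decisions

# Constructed sample: one device fingerprint failing authorization six times
# from a new session and IP each time, followed by one ordinary customer.
SAMPLE = [({"ts": t * 10, "session": f"s{t}", "user": None,
            "ip": f"198.51.100.{t}", "device": "fp-a1"}, False) for t in range(6)]
SAMPLE.append(({"ts": 70, "session": "s-ok", "user": "u42",
                "ip": "203.0.113.9", "device": "fp-b2"}, True))

if __name__ == "__main__":
    for row in replay(SAMPLE):
        print(row)
```

In the sample, the per-session and per-IP counters never reach the limit because each attempt uses fresh values; the device fingerprint counter is the one that trips.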