OWASP Automated Threats

Buy goods or obtain cash utilizing validated stolen payment card or other user account data.

What is Cashing Out?

Obtaining currency or higher-value merchandise via the application using stolen, previously validated payment cards or other account login credentials. Cashing Out may sometimes be undertaken in conjunction with product return fraud. For financial transactions, this is usually a transfer of funds to a mule’s account. For payment cards, this activity may occur following OAT-001 Carding of bulk stolen data or OAT-010 Card Cracking, and the goods are dropped at a reshipper’s address. The refunding of payments via non-financial applications (e.g. tax refunds, claims payment) is also included in Cashing Out.

Obtaining other information of value from the application is instead OAT-011 Scraping.

Cashing Out is also known by terms such as money laundering, online credit card fraud, online payment card fraud, refund fraud, and stolen identity refund fraud (SIRF).


The symptoms of Cashing Out

  1. Increased chargebacks
  2. Increased usage of interlinked accounts (e.g. same phone number, same password, same or similar email address)
  3. Same or similar accounts for both “buyer” and “seller” in sites that facilitate consumer-to-consumer (C2C) commerce
  4. Increased demand for higher-value goods or services
  5. Increased demand for a single supplier’s goods or services
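
One way to check for symptom 2 (interlinked accounts), as an added example that is not part of the original page. The account records, the field names, the email normalization rule and the comparable password tag `pw_tag` are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records. "pw_tag" is an assumed comparable keyed digest of
# the password; per-user salted hashes cannot be compared across accounts.
ACCOUNTS = [
    {"id": "a1", "email": "j.doe+1@example.com", "phone": "+1 555 0100", "pw_tag": "t1"},
    {"id": "a2", "email": "jdoe@example.com", "phone": "+1 555 0199", "pw_tag": "t2"},
    {"id": "a3", "email": "x@example.net", "phone": "+1 555 0199", "pw_tag": "t3"},
    {"id": "a4", "email": "y@example.org", "phone": "+1 555 0142", "pw_tag": "t3"},
    {"id": "a5", "email": "solo@example.org", "phone": "+1 555 0177", "pw_tag": "t9"},
]

def normalize_email(email):
    """Assumed 'similar email' rule: lowercase, drop '+tag' and dots in the local part."""
    local, _, domain = email.strip().lower().partition("@")
    return local.split("+", 1)[0].replace(".", "") + "@" + domain

def link_keys(acct):
    """Attributes that tie accounts together: phone digits, password tag, email."""
    keys = []
    if acct.get("phone"):
        keys.append(("phone", "".join(c for c in acct["phone"] if c.isdigit())))
    if acct.get("pw_tag"):
        keys.append(("pw", acct["pw_tag"]))
    if acct.get("email"):
        keys.append(("email", normalize_email(acct["email"])))
    return keys

def interlinked_clusters(accounts, min_size=3):
    """Union-find over shared link keys; return clusters of at least min_size."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}
    for a in accounts:
        for key in link_keys(a):
            if key in first_seen:
                parent[find(a["id"])] = find(first_seen[key])
            else:
                first_seen[key] = a["id"]
    groups = defaultdict(list)
    for a in accounts:
        groups[find(a["id"])].append(a["id"])
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)
```

Accounts are linked transitively, so a1 and a4 land in the same cluster even though they share no attribute directly; a cluster is a lead for review rather than proof of fraud, since households and shared devices also produce links.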


Sectors targeted by Cashing Out

  • Entertainment
  • Financial
  • Government


Can InfiSecure prevent Cashing Out?

InfiSecure’s advanced bot mitigation technology can stop cashing out attempts by online bots. InfiSecure can identify and restrict automated usage by fingerprinting the user agent for its unique characteristics and other attack vectors. InfiSecure can even put a limit on the number of payments / transactions per session / user / IP address / device / fingerprint.