Carding (OWASP OAT-001) is an automated form of payment fraud in which attackers run a bulk list of stolen credit or debit card data through a merchant's payment processing flow to find out which cards are still valid. The card data comes from breaches of other applications, skimming of payment channels, or purchases on dark web marketplaces. Attackers also use card cracking (OWASP OAT-010), brute-forcing the missing expiry date, CVV or postal code for a known card number, to complete partial card records.
The goal of a carding attack is to purchase goods illegally or to cash out the cards. Because carders usually do not know which entries in a stolen list are still active, they deploy bots against payment pages that submit each card, typically with a small test amount, and record whether the authorization is approved or declined. Once the valid cards have been identified, the attackers either sell the verified list on dark web marketplaces or cash out (OWASP OAT-012) the cards themselves.
The Open Web Application Security Project (OWASP), a not-for-profit charitable organization focused on improving the security of software, suggests a list of countermeasures to address carding attacks. The list includes completely outsourcing all aspects of payments to providers that are equipped to address carding attacks; increasing the minimum checkout value; and IP blocklisting. IP blocklisting is a weak control on its own, since carding bots are commonly run through proxy pools that rotate source addresses. Dedicated bot mitigation solutions take a complementary approach, detecting carding bots through analysis of user behavior and intent rather than by source address alone.
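The behavioral signature described above (one source submitting many distinct cards in a short time with a high decline rate) is something a merchant can detect in its own authorization logs before a bot-mitigation vendor is involved. The following is an added example, not code from the page or from any product it mentions: a sliding-window velocity detector run over a constructed log of authorization attempts. The log format, the field names and the thresholds are assumptions chosen for the example; the card numbers are public test PANs.

```python
"""Velocity-based carding detection over payment authorization logs (added example)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

# Constructed sample log in a hypothetical format; the PANs are public test numbers.
# 203.0.113.7 probes eight different cards at $1.00 each inside 30 seconds;
# 198.51.100.23 retries one card after a decline, which is normal customer behavior.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 card=4111111111111111 amount=1.00 result=DECLINED
2024-03-01T10:00:04Z ip=203.0.113.7 card=4242424242424242 amount=1.00 result=DECLINED
2024-03-01T10:00:07Z ip=203.0.113.7 card=5555555555554444 amount=1.00 result=APPROVED
2024-03-01T10:00:10Z ip=203.0.113.7 card=5105105105105100 amount=1.00 result=DECLINED
2024-03-01T10:00:13Z ip=203.0.113.7 card=378282246310005 amount=1.00 result=DECLINED
2024-03-01T10:00:16Z ip=203.0.113.7 card=6011111111111117 amount=1.00 result=DECLINED
2024-03-01T10:00:19Z ip=203.0.113.7 card=3530111333300000 amount=1.00 result=APPROVED
2024-03-01T10:00:22Z ip=203.0.113.7 card=4012888888881881 amount=1.00 result=DECLINED
2024-03-01T10:02:00Z ip=198.51.100.23 card=4111111111111111 amount=79.90 result=DECLINED
2024-03-01T10:02:45Z ip=198.51.100.23 card=4111111111111111 amount=79.90 result=APPROVED
2024-03-01T10:05:00Z ip=192.0.2.44 card=5555555555554444 amount=24.50 result=APPROVED
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    card_token: str  # hash of the PAN; the detector never needs the PAN itself
    amount: float
    approved: bool


def tokenize_pan(pan: str) -> str:
    # A real deployment would use the PSP's card token or a keyed hash; plain
    # SHA-256 is used here only to keep the example self-contained (assumption).
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed key=value log format into Attempt records, oldest first."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        attempts.append(Attempt(
            ts=datetime.fromisoformat(ts_str.replace("Z", "+00:00")),
            ip=fields["ip"],
            card_token=tokenize_pan(fields["card"]),
            amount=float(fields["amount"]),
            approved=fields["result"] == "APPROVED",
        ))
    return sorted(attempts, key=lambda a: a.ts)


def detect_carding(attempts: list[Attempt], window: timedelta = timedelta(minutes=10),
                   min_cards: int = 5, min_decline_ratio: float = 0.5) -> dict:
    """Return {ip: stats} for every source whose sliding window meets both thresholds.

    A single customer retrying a mistyped card produces few distinct cards; a bot
    validating a stolen list produces many, most of them declined.
    """
    recent: dict[str, deque] = defaultdict(deque)  # ip -> attempts inside the window
    flagged: dict = {}
    for a in attempts:
        q = recent[a.ip]
        q.append(a)
        while q and a.ts - q[0].ts > window:
            q.popleft()
        cards = {x.card_token for x in q}
        declines = sum(1 for x in q if not x.approved)
        ratio = declines / len(q)
        if len(cards) >= min_cards and ratio >= min_decline_ratio:
            stats = flagged.setdefault(a.ip, {"first_flagged": a.ts})
            stats.update(
                distinct_cards=len(cards), attempts=len(q), declines=declines,
                decline_ratio=round(ratio, 2),
                # Cards the bot managed to validate: these are the ones to report
                # to the issuer and to void any approvals for.
                validated_cards=sorted({x.card_token for x in q if x.approved}),
            )
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_carding(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The detector keys on source IP only because that is what the sample log carries; in production the same window logic should also be keyed on session, device fingerprint or account, since the proxy rotation mentioned above spreads one bot's attempts across many addresses.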