What Is Carding?

Carding (OWASP OAT-001) is an automated form of payment fraud in which fraudsters test a bulk list of credit/debit card data against a merchant's payment processing system to verify the stolen card details. The card details are stolen from a different payment channel or another application, or purchased from dark web marketplaces. Hackers also apply card cracking (OWASP OAT-010) practices to obtain credit card details.

Why Does Carding Happen?

The primary reason behind carding attacks is to illegally purchase goods or cash out the cards. The authenticity of stolen card details is often unknown to the carders, so they deploy bots on payment processing pages to verify which details are valid and to compose the correct set of card details. After identifying the right set of card details, hackers can sell them on dark web marketplaces or simply cash out (OWASP OAT-012) the cards.

Mitigation of Carding

The Open Web Application Security Project (OWASP), a not-for-profit charitable organization focused on improving the security of software, suggests a list of countermeasures to address carding attacks. The list includes completely outsourcing all aspects of payments to providers that are equipped with adequate facilities to address carding attacks; increasing the minimum checkout value; and IP blacklisting. Dedicated bot mitigation solutions take a different approach and effectively eliminate carding attacks through deep analysis of user behavior and intent.
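As an added illustration of the behavior-based approach mentioned above (not Radware's or OWASP's code), this example flags a source that tries many distinct cards with a high decline rate inside a short window. The log format, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log, in time order:
# timestamp, source IP, card token (never a raw card number), result
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 tok_a1 declined
2024-05-01T10:00:05 198.51.100.20 tok_z9 declined
2024-05-01T10:00:10 203.0.113.7 tok_a2 declined
2024-05-01T10:00:20 203.0.113.7 tok_a3 declined
2024-05-01T10:00:30 203.0.113.7 tok_a4 approved
2024-05-01T10:00:35 198.51.100.20 tok_z9 approved
2024-05-01T10:00:40 203.0.113.7 tok_a5 declined
2024-05-01T10:00:50 203.0.113.7 tok_a6 declined
"""

# Assumed thresholds; tune them against your own legitimate traffic.
WINDOW = timedelta(minutes=5)   # sliding window per source
MIN_CARDS = 5                   # distinct cards seen in the window
MIN_DECLINE_RATIO = 0.6         # share of declined attempts in the window

def parse(line):
    ts, ip, token, result = line.split()
    return datetime.fromisoformat(ts), ip, token, result == "declined"

def detect_card_testing(log_text):
    """Return {ip: (distinct_cards, decline_ratio)} for the most recent
    window in which a source exceeded both thresholds."""
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, token, declined = parse(line)
        attempts = recent[ip]
        attempts.append((ts, token, declined))
        # Drop attempts that have aged out of the sliding window.
        while ts - attempts[0][0] > WINDOW:
            attempts.popleft()
        cards = {tok for _, tok, _ in attempts}
        ratio = sum(d for _, _, d in attempts) / len(attempts)
        # A customer retrying one card has few distinct tokens; a bot
        # walking a stolen list has many, and most of them are declined.
        if len(cards) >= MIN_CARDS and ratio >= MIN_DECLINE_RATIO:
            flagged[ip] = (len(cards), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE_LOG))
```

Keying only on source IP misses bots that rotate addresses, so the same counting can be applied to a session or device identifier where one is available.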
