What Is Carding?

Carding (OWASP OAT-001) is an automated form of payment fraud in which fraudsters test a bulk list of credit/debit card data against a merchant’s payment processing system to verify which of the stolen card details are still valid. Such card details are stolen from other payment channels or applications, or purchased from dark web marketplaces. Hackers also apply card cracking (OWASP OAT-010) to obtain credit card details.

Why Does Carding Happen?

The primary reason behind carding attacks is to illegally purchase goods or cash out the cards. Hackers deploy bots on payment processing pages to verify the validity of stolen card details. The authenticity of stolen card details is often unknown to the carders, and therefore bots are deployed on payment processing pages to compose the correct set of card details. After identifying the right set of card details, hackers can sell them on dark web marketplaces or simply cash out (OWASP OAT-012) the cards.

Mitigation of Carding

The Open Web Application Security Project (OWASP), a not-for-profit charitable organization focused on improving the security of software, suggests a list of countermeasures to address carding attacks. The list includes completely outsourcing all aspects of payments to providers that are equipped with adequate facilities to address carding attacks; increasing the minimum checkout value; and IP blacklisting. Dedicated bot mitigation solutions take a different approach and effectively eliminate carding attacks through deep user behavior and intent analysis.
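As an added, constructed illustration of the behavior-based approach (not code from Radware or OWASP), the following velocity check reads payment-gateway authorization logs and flags a source that submits many different card numbers within a short window, which is what distinguishes a carding bot from a shopper retrying one card. The log format, the sample IPs and cards, and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of payment-gateway authorization log lines (not real traffic).
# Fields: timestamp, client IP, masked card (BIN + last four), amount, result.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 203.0.113.7 411111******1111 1.00 DECLINED
2024-03-01T10:00:01Z 203.0.113.7 411111******2222 1.00 DECLINED
2024-03-01T10:00:02Z 203.0.113.7 411111******3333 1.00 APPROVED
2024-03-01T10:00:03Z 203.0.113.7 411111******4444 1.00 DECLINED
2024-03-01T10:00:04Z 203.0.113.7 411111******5555 1.00 DECLINED
2024-03-01T10:00:05Z 203.0.113.7 411111******6666 1.00 DECLINED
2024-03-01T10:05:00Z 198.51.100.9 555555******4444 89.99 APPROVED
2024-03-01T10:09:00Z 198.51.100.9 555555******4444 89.99 DECLINED
"""

def parse_line(line):
    """Split one log line into a dict; timestamps are parsed as naive UTC."""
    ts, ip, card, amount, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "card": card, "amount": float(amount), "result": result}

def detect_carding(log_text, window=timedelta(seconds=60), min_distinct_cards=4):
    """Flag source IPs that submit many *different* cards inside one window.
    A shopper retries the same card; a carding bot cycles through a stolen list,
    so distinct cards per source is the signal, whatever the approve/decline mix.
    """
    recent = defaultdict(deque)   # ip -> events that fall inside the sliding window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        q = recent[ev["ip"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # evict events older than the window
            q.popleft()
        distinct = {e["card"] for e in q}
        if len(distinct) >= min_distinct_cards and \
                len(distinct) >= alerts.get(ev["ip"], {}).get("distinct_cards", 0):
            # Keep the worst observation seen for this source
            alerts[ev["ip"]] = {"distinct_cards": len(distinct), "attempts": len(q),
                                "declines": sum(e["result"] == "DECLINED" for e in q),
                                "last_seen": ev["ts"].isoformat()}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_carding(SAMPLE_LOG).items():
        print(f"possible carding from {ip}: {info}")
```

In production the same counter would key on session or device fingerprint as well as IP, since a bot spread across proxies defeats a per-IP threshold alone.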
