web-carding
April 12, 2020

Playbook for Web Carding

By venkat

Multiple payment authorization attempts used to verify the validity of bulk stolen payment card data.

Description

Lists of full credit and/or debit card data are tested against a merchant's payment process to find out which cards still authorize. The quality of stolen data is usually unknown, so carding is used to separate live cards (which resell at a premium) from dead ones. The cardholder data may have been stolen from another application, skimmed from a different payment channel, or bought on a criminal marketplace. The attacker typically submits many low-value authorizations, each against a different card, from automated clients; that pattern (high attempt volume, many distinct cards, high decline ratio) is what merchants and gateways look for.
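The following Python sketch is an added example, not code from the OWASP handbook or from this page's author. It shows the kind of sliding-window velocity check a merchant or payment gateway can run over authorization events to separate a carder cycling through a stolen list from a shopper retrying one card, and why grouping only by source IP misses a carder spread across rotating proxies. The event schema, the sample records, the thresholds and the function names (`AuthEvent`, `detect_carding`, `Thresholds`) are all constructed for illustration.

```python
"""Velocity-based carding detector run over payment-authorization events.

Added example for illustration only; the event schema, sample records and
thresholds are constructed and are not any processor's real format.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    session: str
    card_ref: str   # tokenised card reference; never log the full PAN
    amount: float
    result: str     # "approved" or "declined"


@dataclass(frozen=True)
class Thresholds:
    window: timedelta = timedelta(minutes=10)
    min_attempts: int = 5           # a shopper rarely needs five tries
    min_distinct_cards: int = 4     # a shopper retries one card; a carder cycles many
    min_decline_ratio: float = 0.5  # stolen lists are mostly dead cards


def detect_carding(events: Iterable[AuthEvent],
                   group_by: Callable[[AuthEvent], str],
                   th: Thresholds = Thresholds()) -> dict[str, dict]:
    """Sliding-window check per grouping key (IP, session, device, ...).

    A key is flagged when, within `th.window`, it made at least
    `min_attempts` authorizations against at least `min_distinct_cards`
    different card references with a decline ratio of at least
    `min_decline_ratio`. The stats include the cards approved inside the
    burst: those are the ones the carder has now "verified" and that the
    merchant should report to the issuer.
    """
    recent: dict[str, deque[AuthEvent]] = defaultdict(deque)
    alerts: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        k = group_by(ev)
        window = recent[k]
        window.append(ev)
        while window and ev.ts - window[0].ts > th.window:
            window.popleft()
        cards = {e.card_ref for e in window}
        declines = sum(e.result == "declined" for e in window)
        ratio = declines / len(window)
        if (len(window) >= th.min_attempts
                and len(cards) >= th.min_distinct_cards
                and ratio >= th.min_decline_ratio):
            # Overwrite so the alert reflects the whole burst seen so far.
            alerts[k] = {
                "attempts": len(window),
                "distinct_cards": len(cards),
                "decline_ratio": round(ratio, 2),
                "approved_cards": sorted(e.card_ref for e in window
                                         if e.result == "approved"),
            }
    return alerts


# Constructed sample events (not real traffic).
_T0 = datetime(2020, 4, 12, 9, 0, 0)
_CARDER = ["declined", "declined", "approved", "declined",
           "declined", "declined", "approved", "declined"]
_PROXY = ["declined", "declined", "declined", "approved", "declined", "declined"]

SAMPLE_EVENTS: list[AuthEvent] = [
    # Legitimate shopper: mistypes the expiry twice, then succeeds with one card.
    AuthEvent(_T0, "203.0.113.10", "s-shopper", "tok-A", 49.99, "declined"),
    AuthEvent(_T0 + timedelta(seconds=40), "203.0.113.10", "s-shopper", "tok-A", 49.99, "declined"),
    AuthEvent(_T0 + timedelta(seconds=90), "203.0.113.10", "s-shopper", "tok-A", 49.99, "approved"),
] + [
    # Carder on one IP: eight different cards, $1.00 each, mostly declined.
    AuthEvent(_T0 + timedelta(minutes=5, seconds=20 * i), "198.51.100.7", "s-carder",
              f"tok-C{i + 1}", 1.00, r)
    for i, r in enumerate(_CARDER)
] + [
    # Carder behind rotating proxies: a new IP per attempt, same session cookie.
    AuthEvent(_T0 + timedelta(minutes=10, seconds=15 * i), f"192.0.2.{11 + i}", "s-proxy",
              f"tok-P{i + 1}", 0.50, r)
    for i, r in enumerate(_PROXY)
]


def alerts_by_ip() -> dict[str, dict]:
    return detect_carding(SAMPLE_EVENTS, group_by=lambda e: e.src_ip)


def alerts_by_session() -> dict[str, dict]:
    return detect_carding(SAMPLE_EVENTS, group_by=lambda e: e.session)


if __name__ == "__main__":
    print("by IP:     ", alerts_by_ip())       # only 198.51.100.7; the proxy carder slips through
    print("by session:", alerts_by_session())  # s-carder and s-proxy, never the shopper
```

Grouping by IP alone catches the single-source carder but not the one rotating through proxies, so the same check should also run on session, device fingerprint and merchant-wide decline rate. The approved cards in a flagged burst are the attacker's actual gain; voiding those authorizations and notifying the issuer matters more than blocking the IP.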

OTHER NAMES: Card stuffing; Credit card stuffing; Card verification (OWASP OAT-001). Not to be confused with credential stuffing (OAT-008), which tests stolen username/password pairs rather than payment card data.

SOURCE: https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

Reference case with mitigation steps (a credential stuffing incident rather than carding, but the same bot-detection, rate-limiting and forced-reset controls apply): https://www.bleepingcomputer.com/news/security/the-north-face-resets-passwords-after-credential-stuffing-attack/

Playbook


Mitigations

Apply the countermeasures listed for OAT-001 Carding in the OWASP Automated Threat Handbook: https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

References

Real attack instances

https://www.itnews.com.au/news/shipbuilder-austal-was-hacked-with-stolen-creds-sold-on-dark-web-546165 (stolen credentials sold on a dark-web marketplace; a credential-theft case rather than carding, included as an example of the criminal-marketplace supply chain described above)