April 12, 2020

Playbook for Web Carding

By venkat

Multiple payment authorization attempts used to verify the validity of bulk stolen payment card data.

Description

Lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.

OTHER NAMES: Credential stuffing, Card stuffing;Credit card stuffing;Card verification

SOURCE: https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

Good reference case with mitigation steps – https://www.bleepingcomputer.com/news/security/the-north-face-resets-passwords-after-credential-stuffing-attack/

Playbook

Mitigations

All the steps at https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

References

Real attack instances

https://www.itnews.com.au/news/shipbuilder-austal-was-hacked-with-stolen-creds-sold-on-dark-web-546165

TagsCard stuffing Card verification Credit card stuffing

About The Author

venkat

Venkat is founder of FlexibleIR. He brings 20 years of experience in building tools and products at Sun Microsystems, Intel, Novell, HP, Yahoo,Tesco and startups. He has developed test suites and frameworks for post silicon validation of the Xeon processor family (Fuzzing). He has worked deeply on UFS files system at SUN Microsystem. Was a security paranoid at Yahoo.