Playbook for Web Carding
Multiple payment authorization attempts used to verify the validity of bulk stolen payment card data.
Description
Lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.
OTHER NAMES: Credential stuffing; Card stuffing; Credit card stuffing; Card verification
SOURCE: https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
Good reference case with mitigation steps – https://www.bleepingcomputer.com/news/security/the-north-face-resets-passwords-after-credential-stuffing-attack/
Playbook
Mitigations
All the steps at https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
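The pattern in the Description (many distinct cards tried against the payment process from one source in a short time, with most attempts declined) can be looked for in authorization logs. This is an added example, not taken from the OWASP handbook or from this playbook; the event fields, the `detect_carding` helper and its thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, client IP, card token, approved?).
# The card token stands in for a tokenized PAN; raw card numbers are never logged.
SAMPLE_EVENTS = [
    ("2024-01-10T12:00:00", "203.0.113.7", "card-a1", False),
    ("2024-01-10T12:00:15", "203.0.113.7", "card-a2", False),
    ("2024-01-10T12:00:31", "203.0.113.7", "card-a3", True),
    ("2024-01-10T12:00:44", "203.0.113.7", "card-a4", False),
    ("2024-01-10T12:01:02", "203.0.113.7", "card-a5", False),
    ("2024-01-10T12:01:20", "203.0.113.7", "card-a6", False),
    # Ordinary customer: one card, a declined attempt followed by a retry.
    ("2024-01-10T12:03:00", "198.51.100.20", "card-b1", False),
    ("2024-01-10T12:03:40", "198.51.100.20", "card-b1", True),
] + [
    # Shared address: five different cards declined, but spread over hours.
    (f"2024-01-10T{9 + i:02d}:00:00", "192.0.2.44", f"card-c{i}", False)
    for i in range(5)
]

def detect_carding(events, window=timedelta(minutes=5),
                   min_cards=5, min_decline_ratio=0.6):
    """Flag sources that try >= min_cards distinct cards inside one sliding
    window while >= min_decline_ratio of those attempts are declined.
    Returns {source: (distinct_cards, decline_ratio)} for the widest hit."""
    by_source = defaultdict(list)
    for ts, src, card, approved in events:
        by_source[src].append((datetime.fromisoformat(ts), card, approved))
    flagged = {}
    for src, rows in by_source.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            cards = {card for _, card, _ in win}
            ratio = sum(1 for _, _, ok in win if not ok) / len(win)
            if len(cards) >= min_cards and ratio >= min_decline_ratio:
                if src not in flagged or len(cards) > flagged[src][0]:
                    flagged[src] = (len(cards), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(detect_carding(SAMPLE_EVENTS))
```

Keying on client IP alone misses distributed attempts; the same function can be run with a session ID, device fingerprint or merchant account in the source field.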