OAT-001 Carding

Carding is an automated threat. The OWASP Automated Threat Handbook - Web Applications (pdf, print), an output of the OWASP Automated Threats to Web Applications Project, provides a fuller guide to each threat, detection methods and countermeasures. The threat identification chart helps to correctly identify the automated threat.


OWASP Automated Threat (OAT) Identity Number


Threat Event Name


Summary Defining Characteristics

Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.

Indicative Diagram

Indicative diagram for OAT-001


Lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details. The quality of stolen data is often unknown, and Carding is used to identify good data of higher value. Payment cardholder data may have been stolen from another application, stolen from a different payment channel, or acquired from a criminal marketplace.

When partial cardholder data is available, and the expiry date and/or security code are not known, the process is instead known as OAT-010 Card Cracking. The use of stolen cards to obtain cash or goods is OAT-012 Cashing Out.

Other Names and Examples

Card stuffing; Credit card stuffing; Card verification

See Also


CAPEC Category / Attack Pattern IDs

  • 210 Abuse of Functionality

CWE Base / Class / Variant IDs

  • 799 Improper Control of Interaction Frequency
  • 837 Improper Enforcement of a Single, Unique Action

WASC Threat IDs

  • 21 Insufficient Anti-Automation
  • 42 Abuse of Functionality

OWASP Attack Category / Attack IDs

  • Abuse of Functionality

Return to OWASP Automated Threats to Web Applications Project.