
OAT-010 Card Cracking



This is an automated threat. To view all automated threats, please see the Automated Threat Category page. The OWASP Automated Threat Handbook - Web Applications (pdf, print), an output of the OWASP Automated Threats to Web Applications Project, provides a fuller guide to each threat, its detection methods and countermeasures. The threat identification chart helps to correctly identify the automated threat.

Definition

OWASP Automated Threat (OAT) Identity Number

OAT-010

Threat Event Name

Card Cracking

Summary Defining Characteristics

Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.

Indicative Diagram

OAT-010 Card Cracking.png

Description

Brute force attack against application payment card processes to identify the missing values for start date, expiry date and/or card security code (CSC). The CSC is referred to by many names, including card validation number 2 (CVN2), card validation code (CVC), card verification value (CV2) and card identification number (CID).

When these values are known as well as the Primary Account Number (PAN), OAT-001 Carding is used to validate the details, and OAT-012 Cashing Out to obtain goods or cash.
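The interaction-frequency control this threat abuses (CWE-799) can be checked from the defender's side by counting failed authorizations per card rather than per client. The following is an added illustration, not code from the OWASP handbook: it reads constructed payment-attempt log lines, keys on a hashed PAN, and raises an alert when the failures within a sliding window exceed a threshold regardless of how many source IPs they came from, so a distributed guessing attack is not hidden by per-IP limits. The log format, field names, hash values and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, client IP, hashed PAN,
# authorization result. "h_aaaa" is spread over six IPs, "h_bbbb" is a
# normal customer who mistyped the CVC once and then succeeded.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 203.0.113.10 pan=h_aaaa result=declined_cvc
2024-01-15T10:00:14Z 203.0.113.11 pan=h_aaaa result=declined_cvc
2024-01-15T10:00:30Z 198.51.100.7 pan=h_bbbb result=declined_cvc
2024-01-15T10:00:41Z 203.0.113.12 pan=h_aaaa result=declined_cvc
2024-01-15T10:01:02Z 203.0.113.13 pan=h_aaaa result=declined_cvc
2024-01-15T10:01:15Z 198.51.100.7 pan=h_bbbb result=approved
2024-01-15T10:01:33Z 203.0.113.14 pan=h_aaaa result=declined_cvc
2024-01-15T10:01:50Z 203.0.113.15 pan=h_aaaa result=declined_expiry
2024-01-15T10:02:09Z 203.0.113.11 pan=h_aaaa result=declined_cvc
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, pan_hash, result)."""
    ts, ip, pan, result = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")), ip,
            pan.split("=", 1)[1], result.split("=", 1)[1])


def detect_card_cracking(lines, window=timedelta(minutes=10), max_failures=5):
    """Return {pan_hash: (failures_in_window, distinct_source_ips)} for every
    card whose declined attempts inside `window` exceed `max_failures`.
    Failures are counted per card across all IPs, which is what defeats a
    distributed guessing attack that stays under any per-IP rate limit."""
    recent = defaultdict(deque)  # pan_hash -> deque of (timestamp, ip) failures
    alerts = {}
    for line in lines:
        ts, ip, pan, result = parse_line(line)
        if not result.startswith("declined"):
            continue  # only failed authorizations count toward the threshold
        failures = recent[pan]
        failures.append((ts, ip))
        while failures and ts - failures[0][0] > window:
            failures.popleft()  # drop attempts that fell out of the window
        if len(failures) > max_failures:
            alerts[pan] = (len(failures), len({src for _, src in failures}))
    return alerts


if __name__ == "__main__":
    for pan, (count, ips) in detect_card_cracking(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {pan}: {count} failed authorizations from {ips} IPs")
```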

Other Names and Examples

Brute forcing credit card information; Card brute forcing; Credit card cracking; Distributed guessing attack

See Also

Cross-References

CAPEC Category / Attack Pattern IDs

  • 112 Brute Force
  • 210 Abuse of Functionality

CWE Base / Class / Variant IDs

  • 799 Improper Control of Interaction Frequency
  • 837 Improper Enforcement of a Single, Unique Action

WASC Threat IDs

  • 11 Brute Force
  • 21 Insufficient Anti-Automation
  • 42 Abuse of Functionality

OWASP Attack Category / Attack IDs