A system designed to help protect retailers and consumers from credit card fraud is now being used by fraudsters to steal goods from retailers, according to fraud protection specialists the 3rd Man. The potentially serious flaw in the system, which fraudsters are already exploiting and could result in millions of pounds of card crime, was spotted by one of the 3rd Man’s fraud analysts as she was monitoring daily card transactions on behalf of a retailer.
Address Verification System (AVS) is used by credit card companies and banks to verify the identity of a person claiming to own a credit card. AVS checks the billing address of the credit card provided by the user with the address on file at the credit card company. It works by matching the house number and postcode numbers for each card issued. For example, 43 Crooks Close, B10 7GB would result in an AVS number of 43107.
With retailers like Cotton Traders and TK Maxx having their customer databases hacked, fraudsters can simply obtain card details and use them for personal gain.
"What we’ve observed is that fraudsters are now compromising and using card details where the genuine cardholder’s address numerals exactly match the address they want delivery to," explains Andrew Goodwill, Director and fraud expert at the 3rd Man. "So, not only are they obtaining goods fraudulently, they have them delivered to their chosen address.
"This is a serious problem, one that fraudsters have not only cottoned onto but are exploiting in significant volume. Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk."
Internet and mail order retailers often rely on AVS matches to help them determine that the order has been placed by the card holder. By using compromised cards and address details fraudsters can virtually guarantee that although the transaction appears genuine, the retailer actually has no realistic way of verifying the correct address details. The Security Code check is also useful, but again has been compromised in these recent frauds.
"Another method of security is for the merchant to sign up for Verified by Visa or MasterCard SecureCode," explains Goodwill. "However, this is also open to compromise as when a fraudster finds card details that have not been registered by the cardholder or 3D Secure the fraudster will simply register the card themselves, using a password of their choice.
"If this trend continues and nothing is done about it, we will have multi million pound losses to UK business and banks.
"More needs to be done to encourage retailers to engage with specialist fraud screening companies who detect irregular behaviour and will review unusual transactions manually. These frauds are usually detected."
In April 2008, the 3rd Man issued statistics which showed that CNP fraud in the UK is higher than official statistics suggest1 and is in danger of getting worse. Over £500 million of fraud was attempted during 2007. This information supported a BBC investigation into card not present crime.
|
Re: New Security Attacks Using Credit Card Fraud Protecti...