Criminals find flaw in credit authentication system

There is a serious flaw at the heart of a system which is supposed to protect retailers from credit card fraud, according to fraud protection company The 3rd Man Group.

The group claims that criminals are taking advantage of the 'Address Verification System' (AVS), which is used by companies and banks to verify the identity of a credit card holder. This works by matching the billing address of the credit card provided by the user with the address on file at the credit card company.

The match is made on the house number and the numerals in the postcode of each card's address. For example, the address '43 Crooks Close, B10 7GB' would result in an AVS number of 43107.

Fraudsters were using card details whose AVS number matches that of their own address. For example, they would be successful if they had an address of 43 Burton Drive, S10 7FE, as they would also have an AVS of 43107.
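The numeric-only comparison described above, as an added example that is not part of the original article: it derives the AVS number the way the article describes and shows that the two addresses it quotes pass a numeric match while their text differs. The function names are hypothetical, taking every digit of the address line as the house number is an assumption, and the full-text comparison assumes access to the address on file.

```python
import re

def avs_numerals(address_line: str, postcode: str) -> str:
    """Digits of the address line followed by digits of the postcode.
    Assumption: all digits in the address line count as the house number."""
    digits = lambda s: "".join(re.findall(r"\d", s))
    return digits(address_line) + digits(postcode)

def normalise(address_line: str, postcode: str) -> tuple:
    """Full address text, ignoring case, spacing and punctuation."""
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    return squash(address_line), squash(postcode)

def assess(on_file: tuple, supplied: tuple) -> str:
    """Compare a supplied billing address with the address on file.
    'mismatch'     : numerals differ, a numeric AVS check would fail
    'full_match'   : numerals and text both agree
    'numeric_only' : numeric AVS check passes although the text differs"""
    if avs_numerals(*on_file) != avs_numerals(*supplied):
        return "mismatch"
    if normalise(*on_file) == normalise(*supplied):
        return "full_match"
    return "numeric_only"

def collisions(addresses: list) -> dict:
    """Group addresses by AVS number; keep groups with more than one entry."""
    groups = {}
    for addr in addresses:
        groups.setdefault(avs_numerals(*addr), []).append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}

# The two addresses quoted in the article.
CARDHOLDER = ("43 Crooks Close", "B10 7GB")
DELIVERY = ("43 Burton Drive", "S10 7FE")
# Constructed sample address, not from the article.
UNRELATED = ("12 Sample Road", "M1 4XY")

if __name__ == "__main__":
    print(avs_numerals(*CARDHOLDER), avs_numerals(*DELIVERY))
    print(assess(CARDHOLDER, DELIVERY))
    print(collisions([CARDHOLDER, DELIVERY, UNRELATED]))
```

A 'numeric_only' result is the case the article is about: the check the retailer relies on succeeds, so it has to be treated as weak evidence and combined with other signals.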

"What we've observed is that fraudsters are now compromising and using card details where the genuine cardholder's address numerals exactly match the address they want delivery to," explained Andrew Goodwill, 3rd Man director and fraud expert.

"So, not only are they obtaining goods fraudulently, they have them delivered to their chosen address. This is a serious problem, one that fraudsters have not only cottoned onto but are exploiting in significant volume.

"Retailers relying on AVS, or where a retailer will only deliver to the business address, are facing a potentially huge risk."

3rd Man said that internet retailers often relied on AVS matches to determine whether the card holder had placed the transaction, but with compromised details the retailer had no way of knowing whether it was correct.

Goodwill said that the 'Security Code' check was useful, but was also open to compromise in recent frauds.

"Another method of security is for the merchant to sign up for Verified By Visa or Mastercard SecureCode," explained Goodwill.

"However, this is also open to compromise as when a fraudster finds card details that have not been registered by the cardholder or 3D Secure the fraudster will simply register the card themselves, using a password of their choice."

In a statement, the UK payments association APACS said that while it agreed fraud was happening, it and the police did not believe that this particular method was being carried out in the real world at the moment.

It said: "Fraudsters prefer crimes that are easy to commit in large volumes. By contrast, finding credit cards tied to addresses that match characteristics for places fraudsters have access to, seems to be a very complex method and you can question whether criminals would go to those lengths."

"Retailers should, however, never rely on one method of verification," it added.