
Fraudsters exploit card protection system

by Robert Jaques

12 Jun 2008

A potentially serious flaw in the Address Verification System is already being exploited by fraudsters

A system designed to help protect retailers and consumers from credit card fraud is being used by criminals to steal goods from retailers, experts warn.

A potentially serious flaw in the system is already being exploited by fraudsters and could result in millions of pounds of card crime.

The problem was spotted by a security analyst working for fraud protection specialist The 3rd Man during routine monitoring of daily card transactions.

The Address Verification System (AVS) is used by credit card companies and banks to verify the identity of a person claiming to own a credit card.

AVS checks the billing address provided by the user against the address on file at the credit card company.

The system works by matching the house number and postcode numbers for each card issued, so '43 Crook's Close, B10 7GB' would result in an AVS number of 43107.

But retailers like Cotton Traders and TK Maxx have recently had their customer databases hacked, so fraudsters can simply obtain card details and use them for personal gain.

"We have observed fraudsters compromising and using card details where the genuine cardholder's address numerals exactly match the address they want delivery to," said Andrew Goodwill, director and fraud expert at The 3rd Man.

"So, not only are they obtaining goods fraudulently, they have them delivered to their chosen address.

"This is a serious problem that fraudsters are exploiting in significant volume. Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk."

Internet and mail order retailers often rely on AVS matches to help them determine that the order has been placed by the card holder.

By using compromised card and address details, fraudsters can virtually guarantee that the transaction appears genuine, while the retailer has no realistic way of verifying the correct address details.
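The numeric matching described above can be shown in a short sketch. This is an added example, not code from The 3rd Man or any card scheme. It assumes the simplified rule the article gives (house-number digits followed by postcode digits) and a 'line 1, POSTCODE' layout; the function names and every address except the article's own are constructed.

```python
import re

def avs_numerics(address: str) -> str:
    """House-number digits followed by postcode digits.

    Assumption: the simplified rule the article describes; real issuer
    implementations may differ.
    """
    line1, _, postcode = address.rpartition(",")
    return re.sub(r"\D", "", line1) + re.sub(r"\D", "", postcode)

def normalise(address: str) -> str:
    """Lower-case and drop punctuation and spacing for a full-text comparison."""
    return re.sub(r"[^a-z0-9]", "", address.lower())

def numeric_only_matches(orders):
    """Return ids of orders whose billing and delivery numerals agree
    while the address text differs (a hypothetical manual-review flag)."""
    flagged = []
    for order_id, billing, delivery in orders:
        same_numerals = avs_numerics(billing) == avs_numerics(delivery)
        same_text = normalise(billing) == normalise(delivery)
        if same_numerals and not same_text:
            flagged.append(order_id)
    return flagged

# Constructed sample orders: (order id, billing address, delivery address).
ORDERS = [
    # Same address, different typing: numerals and text both agree.
    ("A1", "43 Crook's Close, B10 7GB", "43 Crooks Close, b10 7gb"),
    # Different street and town, same numerals: a numeric check sees a match.
    ("A2", "43 Crook's Close, B10 7GB", "43 High Street, M10 7QX"),
    # Different numerals: a numeric check already rejects this.
    ("A3", "43 Crook's Close, B10 7GB", "12 Station Road, LS1 4AB"),
]

if __name__ == "__main__":
    for order_id, billing, delivery in ORDERS:
        print(order_id, avs_numerics(billing), avs_numerics(delivery))
    print("review:", numeric_only_matches(ORDERS))
```

Order A2 is the case the article describes: two unrelated addresses reduce to the same numerals, so a numeric match alone does not show that the delivery address is the cardholder's.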

The Security Code check is also useful, but again has been compromised in these recent frauds.

"Another method of security is for the merchant to sign up for Verified by Visa or MasterCard SecureCode," said Goodwill.

"However, this is also open to compromise as when a fraudster finds card details that have not been registered by the cardholder or 3D Secure the fraudster will simply register the card themselves, using a password of their choice.

"If this trend continues, and nothing is done about it, we will have multimillion pound losses to UK business and banks."
