Page last updated at 16:00 GMT, Wednesday, 11 June 2008 17:00 UK

Conmen abuse web address checks

Laptop, SPL
Fraudsters tend to buy high value goods such as laptops

Loopholes in the way addresses are checked by online stores are helping fraudsters cash in, say experts.

The flaw means goods bought with stolen credit cards do not trigger security systems that check addresses.

Security firm The Third Man said it stumbled over fraudsters committing the crime while overseeing transactions on a retail website.

But the UK's payments association said it had seen no evidence that the novel crime was being carried out.

Card fraud

"It's pure chance that we picked this up," said Andrew Goodwill, director of anti-fraud firm The Third Man.

The scam exploits the mechanics of the Address Verification System (AVS) that many retail sites use to check the address of those using a credit card at an online store.

When carrying out address checks AVS compares the house number of a customer plus the digits in their post code to those input during a transaction.

For instance, if the Prime Minister bought goods at an online store with a credit card, AVS would use numbers in the address - 10 Downing St, SW1A 2AA - to help verify his identity.

In this case AVS would use 1012 as a shorthand ID check.

Retailers should never be reliant on just address verification
Jemma Smith, Apacs
By finding an alternative address that has the same house number and digits in a very different post code, fraudsters could convince AVS the address was genuine even though it was completely different.

Satisfied that the transaction was safe the shop would then ship the goods to the fraudster's address.

"Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk," said Mr Goodwill.

He predicted that if nothing was done to fix the loophole online retailers stood to lose millions.

Figures released by Apacs - the body that represents the UK payments industry - show that in the last year so-called "card not present" fraud totalled 291m.

"While we do completely agree that there's fraud happening, we and the police, as yet, have not seen any evidence suggesting this is being carried out in the real world at the moment," said Jemma Smith, a spokeswoman for Apacs.

Mr Goodwill said it knew of one gang in London using this technique and expected others to take up the scam soon.

Ms Smith said fraudsters preferred crimes that were easy to commit in large volumes. By contrast, she said, finding credit cards tied to addresses that match characteristics for places fraudsters have access to seemed very complex.

"Retailers should never be reliant on just address verification," she said. "They should always be undertaking additional checks particularly if they are a fraud prone retailer."

"AVS is one piece of the identity jigsaw," said Andrew McClelland, director of business development at the Interactive Media In Retail Group (IMRG) which represents online stores.

"It should not be relied on by itself," he said. "It's part of building up a picture of information and level of certainty a retailer has about a transaction."

Card details stolen in web hack
10 Jun 08 |  Technology
Same-day bank transfers planned
20 May 08 |  Working Lunch
Card fraud 'runs into millions'
13 May 08 |  Scotland
Plastic card fraud goes back up
12 Mar 08 |  Business
Fears over online banking checks
13 Nov 07 |  Technology
Net card fraud 'underestimated'
23 Apr 08 |  Business

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific