Conmen abuse web address checks

Fraudsters tend to buy high value goods such as laptops

Loopholes in the way addresses are checked by online stores are helping fraudsters cash in, say experts.

The flaw means goods bought with stolen credit cards do not trigger security systems that check addresses.

Security firm The Third Man said it stumbled over fraudsters committing the crime while overseeing transactions on a retail website.

But the UK's payments association said it had seen no evidence that the novel crime was being carried out.

Card fraud

"It's pure chance that we picked this up," said Andrew Goodwill, director of anti-fraud firm The Third Man.

The scam exploits the mechanics of the Address Verification System (AVS) that many retail sites use to check the address of those using a credit card at an online store.

When carrying out address checks AVS compares the house number of a customer plus the digits in their post code to those input during a transaction.

For instance, if the Prime Minister bought goods at an online store with a credit card, AVS would use numbers in the address - 10 Downing St, SW1A 2AA - to help verify his identity.

In this case AVS would use 1012 as a shorthand ID check.

Retailers should never be reliant on just address verification Jemma Smith, Apacs

By finding an alternative address that has the same house number and digits in a very different post code, fraudsters could convince AVS the address was genuine even though it was completely different.

Satisfied that the transaction was safe the shop would then ship the goods to the fraudster's address.

"Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk," said Mr Goodwill.

He predicted that if nothing was done to fix the loophole online retailers stood to lose millions.

Figures released by Apacs - the body that represents the UK payments industry - show that in the last year so-called "card not present" fraud totalled £291m.

"While we do completely agree that there's fraud happening, we and the police, as yet, have not seen any evidence suggesting this is being carried out in the real world at the moment," said Jemma Smith, a spokeswoman for Apacs.

Mr Goodwill said it knew of one gang in London using this technique and expected others to take up the scam soon.

Ms Smith said fraudsters preferred crimes that were easy to commit in large volumes. By contrast, she said, finding credit cards tied to addresses that match characteristics for places fraudsters have access to seemed very complex.

"Retailers should never be reliant on just address verification," she said. "They should always be undertaking additional checks particularly if they are a fraud prone retailer."

"AVS is one piece of the identity jigsaw," said Andrew McClelland, director of business development at the Interactive Media In Retail Group (IMRG) which represents online stores.

"It should not be relied on by itself," he said. "It's part of building up a picture of information and level of certainty a retailer has about a transaction."