
Internet Retailing


AVS not so hot

Fraudsters could potentially exploit a crack in the AVS card fraud protection system and 3D Secure, according to fraud specialists 3rd Man


A system designed to help protect retailers and consumers from credit card fraud is now being used by fraudsters to steal goods from retailers, according to fraud protection specialists the 3rd Man. The potentially serious flaw in the system, which fraudsters are already exploiting and which could result in millions of pounds of card crime, was spotted by one of the 3rd Man’s fraud analysts as she was monitoring daily card transactions on behalf of a retailer.

Address Verification System (AVS) is used by credit card companies and banks to verify the identity of a person claiming to own a credit card. AVS checks the billing address of the credit card provided by the user with the address on file at the credit card company. It works by matching the house number and postcode numbers for each card issued. For example, 43 Crooks Close, B10 7GB would result in an AVS number of 43107.

“What we’ve observed is that fraudsters are now compromising and using card details where the genuine cardholder’s address numerals exactly match the address they want delivery to,” explains Andrew Goodwill, Director and fraud expert at the 3rd Man. “So, not only are they obtaining goods fraudulently, they have them delivered to their chosen address.

“This is a serious problem, one that fraudsters have not only cottoned onto but are exploiting in significant volume. Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk.”

Internet and mail order retailers often rely on AVS matches to help them determine that the order has been placed by the card holder. By using compromised cards and address details, fraudsters can virtually guarantee that the transaction appears genuine, while the retailer has no realistic way of verifying the correct address details. The Security Code check is also useful, but again has been compromised in these recent frauds.
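To make the weakness concrete, the following is an added illustration (not code from the article or from the 3rd Man): a simplified model of the numeric AVS comparison described above, plus a merchant-side screening rule that sends an order to manual review when its numerals match an earlier address on the same card but the address text does not. The function names, record fields, card tokens and the second address are assumptions constructed for the example.

```python
import re

def avs_numerals(address_line, postcode):
    """Simplified model of the numeric comparison: address digits, then postcode digits."""
    return "".join(re.findall(r"\d", address_line) + re.findall(r"\d", postcode))

def address_key(address_line, postcode):
    """Full-text key that keeps the letters AVS ignores (case and punctuation dropped)."""
    return re.sub(r"[^a-z0-9]", "", (address_line + postcode).lower())

def screen_order(order, history):
    """Label an AVS-passed order using earlier fulfilled orders on the same card."""
    same_card = [h for h in history if h["card_token"] == order["card_token"]]
    if not same_card:
        return "no-history"
    key = address_key(order["address_line"], order["postcode"])
    if any(address_key(h["address_line"], h["postcode"]) == key for h in same_card):
        return "known-address"
    digits = avs_numerals(order["address_line"], order["postcode"])
    if any(avs_numerals(h["address_line"], h["postcode"]) == digits for h in same_card):
        return "numerals-only"   # same AVS value, different street or town: manual review
    return "new-address"

# Constructed sample data; tokens, field names and the second address are invented.
HISTORY = [{"card_token": "tok_A", "address_line": "43 Crooks Close", "postcode": "B10 7GB"}]
ORDERS = [
    {"card_token": "tok_A", "address_line": "43 crooks close,", "postcode": "b10 7gb"},
    {"card_token": "tok_A", "address_line": "43 Harbour Road", "postcode": "M10 7QT"},
    {"card_token": "tok_B", "address_line": "43 Harbour Road", "postcode": "M10 7QT"},
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o["address_line"], o["postcode"], "->", screen_order(o, HISTORY))
```

The "numerals-only" label is the case the article describes: the AVS value is identical, so only a comparison that keeps the street name and postcode letters can tell the two addresses apart.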

“Another method of security is for the merchant to sign up for Verified by Visa or MasterCard SecureCode,” explains Goodwill. “However, this is also open to compromise as, when a fraudster finds card details that have not been registered by the cardholder for 3D Secure, the fraudster will simply register the card themselves, using a password of their choice.

“If this trend continues and nothing is done about it, we will have multi-million-pound losses to UK business and banks.

“More needs to be done to encourage retailers to engage with specialist fraud screening companies who detect irregular behaviour and will review unusual transactions manually. These frauds are usually detected.”

by Marcus Austin (Web Editor)


Fraud

Posted by Antony at 2008-11-17 14:39
This is another example of the multinationals (the banks) not investing the resources into protecting the consumer and retailer.

Antony Comyns
www.hawesandcurtis.com

Card Fraud & 3DSecure

Posted by Ian Tilley at 2008-11-15 17:49
I couldn't agree more with Andy's remarks. I have long held the view that the banks should have grabbed this by the scruff of the neck and pre-registered all cards with security codes / passwords. The sequence of events would be:
1 Bank pre-registers security on card
2 Bank writes to card holder explaining additional security measure. "Expect to receive security code in post soon. If you don't want it destroy securely. If you want to change it, do so"
3 Bank distributes security code by post
4 Customer uses security code as required. In meantime, anyone who doesn't have code will be unable to use card on-line

The banks have only held back on the grounds of cost. This is a remarkably short-term view, as pre-registration of all cards would go a long way towards offsetting on-going costs of fraud.

Select any passphrase

Posted by Anthony Cartmell at 2008-11-17 14:47
With VbV a thief with my card can quite easily choose a new passphrase if he knows my date of birth. Shouldn't be too difficult to find that out.

Also quite often the VbV form is in an embedded iframe in the merchant's web page, so unless I check carefully I don't know where the data is being sent to - it could be any web site!

So the additional security with VbV is minimal, and the potential for phishing attacks greatly enhanced. Nice...

In response to Anthony Cartmell and the Article

Posted by Jay Cooper at 2008-11-17 15:00
With VbV and SecureCode, if you are pre-registered, then there is no way a thief with your card can change your passphrase just by knowing your DOB. They would need to know the answers to all of your personally designed security questions.

I heavily agree with other comments on this article that enrollment should be mandatory, with issuers pre-enrolling customers in the service. This is commonplace in the Nordics.

And you should all remember, VbV and SecureCode are one layer of what should be multi layered authentication. If merchants and issuers are serious about stopping fraud and not just going through the motions, then these services should be combined with Risk based authentication or CAP/DPA services.

Perhaps it's just Barclays in the UK then...

Posted by Anthony Cartmell at 2008-11-17 15:05
Well, my card (a Barclays Visa Debit) wasn't pre-registered, and the VbV system has no personally designed security questions. If I forget my passphrase, or if I'm a thief with someone else's card, I only have to go to this page to set a new one:

https://verifiedbyvisa.barclays.co.uk/barclays/user_login/forgot_password_login.jsp?cycfg_affinity=debit.visa

The questions asked are:

Page 1:
* Card number
Page 2:
* Card expiry date
* Card security code (three digits on the back)
* Card holder name as printed on the card
* Card holder date of birth
Page 3:
* Create new password
* Re-enter new password

Done. I can now use that card for online VbV purchases.

As you can see, the only thing a thief who is holding my card needs to know is my DoB, which is pretty public information. This does not add any useful security to online transactions at all.

I'm also a little nervous of the Barclays UK system, given items in their FAQ section like:

"What are the system requirements for Verified by Visa?

Verified by Visa requires the use of Windows Microsoft® Internet Explorer 5.5 and 6.0, Windows Netscape® 7.1 and 7.2, Windows AOL ® 9, Windows Firefox® 1.0 and Macintosh Safari®."

Perhaps someone at Barclays should have a look at updating this advice? I've tried telling them, but apart from a premium-rate telephone line which I refuse to call, there is no way to contact their VbV team...

https://verifiedbyvisa.barclays.co.uk/barclays/docs/faq.jsp for the full details!

Barclays....

Posted by Jay Cooper at 2008-11-18 23:29
Rest assured, after some recent conversations with people in the Barclays retail team I can assure that they are aware of issues.

Expect changes in the not too distant future!

And I misunderstood, I thought you meant password changes for a registered card. You're right in the issue with stolen details for non pre-registered cards. It is a growing problem. Some solutions get round this. We have recently implemented a solution with a global bank that resolves this by asking for information when registering that only the cardholder would have access to.

Hopefully, if things proceed as they appear to be, this issue should become a thing of the past.