Do we sink into paranoia and give it up as a bad job.

Joking aside, these scammers are a real danger and even when we follow the prescribed systems as we are advised to do, when they fall down, the card processors ultimately hold us responsible so we get the charge back.


C&P from BBC

http://news.bbc.co.uk/2/hi/technology/7448187.stm

Loopholes in the way addresses are checked by online stores are helping fraudsters cash in, say experts.

The flaw means goods bought with stolen credit cards do not trigger security systems that check addresses.

When carrying out address checks AVS compares the house number of a customer plus the digits in their post code to those input during a transaction.

For instance, if the Prime Minister bought goods at an online store with a credit card, AVS would use numbers in the address - 10 Downing St, SW1A 2AA - to help verify his identity.

In this case AVS would use 1012 as a shorthand ID check.
By finding an alternative address that has the same house number and digits in a very different post code, fraudsters could convince AVS the address was genuine even though it was completely different.
Satisfied that the transaction was safe the shop would then ship the goods to the fraudster's address.

Obviously the point is not to rely on these checks alone but nice of the BBC to educate the masses on the loophole.

I wouldn't have thought it is something that fraudsters can do regularly as having to find a stolen card and take control of an address with the same numbers in it can't be that easy, can it?

But you're right JamieM, nice of the BBC to give fraudsters new ideas!

I cant believe that security company just figured that out !

I would of considered it a well known fact.

Not only in the way described but also fraudsters distorting delivery addresses to match the card holders AVS address, which is why its a good idea to always verify the postcode for delivery is valid.

There's nothing to prevent the retailers from using additional forms of checking, other than just to rely on payment gateway to do it all.

Its one thing having your card stolen so criminals can find out your CVC2 number (because they have the card) but its another thing entirely to leave it with some document that identifies ones address.

Surely VBV/Securecode is the best answer here, from the website's perspective.

Its one thing having your card stolen so criminals can find out your CVC2 number (because they have the card) but its another thing entirely to leave it with some document that identifies ones address.

Surely VBV/Securecode is the best answer here, from the website's perspective.

If someone stole or found your wallet, not only would they have your credit card, but they would probably have your driving licence, which has got your full address on it. Also, if cards are stolen from a house or the postal system, they will of course know the address.

Definitely agree with your point about VBV and Securecode though - it would just be nice if it worked properly.

I wonder when we will be able to enter PINs online to pay? It would be in the banks' interests to invest in getting the technology and security right for it, because if it works they will never be liable for a fraud, because the PIN is used.

It would be in the banks' interests to invest in getting the technology and security right for it, because if it works they will never be liable for a fraud, because the PIN is used.

They are not liable now, they just chargeback to seller (us) and they will no doubt continue to do so.

If someone stole or found your wallet, not only would they have your credit card, but they would probably have your driving licence, which has got your full address on it. Also, if cards are stolen from a house or the postal system, they will of course know the address.

Definitely agree with your point about VBV and Securecode though - it would just be nice if it worked properly.

I wonder when we will be able to enter PINs online to pay? It would be in the banks' interests to invest in getting the technology and security right for it, because if it works they will never be liable for a fraud, because the PIN is used.

To use online banking with Barlcays, you need a USB machine which reads your bank card in addition to the regular security measures.

If someone stole or found your wallet, not only would they have your credit card, but they would probably have your driving licence.That is exactly why I never have any address details inmy wallet. I never carry my driving licence or any other form of id with my address on it.

We have known about this one for ages. It is not anything new and I am surprised Third Man do not have something in place already. And deniser it is duprising easy to get a house that has significant similar coverage on postcodes.

For say example ZZ64 6ZZ is our company postcode. We have no other numbers in our address.

The AVS is : 646

For people who do not have house numbers like a lot of rural arears there are only 999 possible AVS numbers because of the way the post code is structured.

We have a mechanism that monitors for this type of fraud and it works quite well in catching in the early stages.

However as I have said at least a billion times the electronic checks, even 3D secure should never be 100% relied on. Common sense is still you best tool to stop fraud.