back to article Fraudsters pool data to beat plastic fraud checks

Credit card conmen have developed a technique for making fraudulent purchases in the UK appear more legitimate. The approach relies on subverting the address verification system (AVS), one of the main components used to verify card purchases. Address verification, along with the card security code number printed on the back of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Credit card companies to blame again

    You know in Holland merchants got sick of the credit card companies failing to do anything to fix it, and use iDEAL instead.

    You make the order, you select 'pay by iDEAL', and your bank from a list of banks. You're then taken to your bank site, your bank of course has a one time keypad to prevent identity theft. You verify the transaction to the banks site using your one time keypad. Transaction done. The bank sends the money.

    We're getting SEPA bank transfers too, by 2010 they will be the only transfers in the Euro zone. So you'll be able to order anything by systems like iDEAL in any Euro zone country. SWIFT will be gone in Eurozone Europe.

    UK is not part of Euro zone, it's not part of SEPA (SEPA is EURO only currently), and most of your banks don't use the one time tokens anyway. So it doesn't help you, other than to show you that there are fixes for these problems and they're not being done in the UK.

  2. dervheid
    Unhappy

    Where there's a will...

    It seems there's there's more effort being put in by the crims to subvert the system, then there is by the banks / credit companies et al to secure electronic transactions. The current cross-checks would now appear worthless.

    All customers are going to need to be issued with a card reader in order to be able to produce a unique transaction verification code for each transaction.

    Now, I'm sure that someone will point out the security holes in that, but there needs to be a positive response to this problem, fast, or e-commerce is going to die on it's arse.

  3. Anonymous Coward
    Coat

    Huh

    Bloody fraudsters, just can't trust anyone now-a-days. Not like when I were 't lad.

  4. Anonymous Coward
    Anonymous Coward

    And now the end is near ...

    Time to ditch the cards and stick with cash in the future.

  5. Anonymous John

    defending against the approach may be very difficult.

    Don't really see why. Post code and house number will uniquely identify all but a few homes.

  6. Rob
    Stop

    I call bullshit!

    First off: AVS is, and has been, a broken piece of crap which works spottily at best. Especially, but not only, when using cards in a country other than their country of origin.

    Second: "the use of social engineering tricks to *intimidate* call centre staff into handing over details,". Intimidate? Yeah, right. Ever tried to be assertive with a call centre moron? Any social engineer who managed to surmount the langauge barrier would be far more likely to persuade or cajole, rather than intimidate.

    Third: Oooh, the conspiracy! They're collaborating with each other and sharing data! Help me, Flash Gordon!

    So what do we know? We know that a so-called "credit card fraud protection specialist" has put out a press release making much of the fact that in a sample of probably thousands or tens of thousands of fraudulent CNP transactions, they found 50 or so cases where the numbers in the shipping address happened to match the numbers in the billing address. In London. A city where, because of the way the postcodes are structured, numbers tend to repeat quite often: N1, EC1, W1, WC1, SE1, SW1 etc etc etc...

  7. Wize

    Perhaps they should use the whole postcode

    Even if they did the whole address, it wouldn't cover two people in the same flat.

  8. Nigel Sedgwick

    Whole Postcode?

    Why don't the card companies check the whole postcode which, with the house number, is guaranteed to be unique?

    Best regards

  9. Anonymous Coward
    Anonymous Coward

    Re: And now the end is near ...

    I ditched my credit card (only ever had one at any given time) over two years ago and can't say as I've missed it. You can always get internet prices in stores and more often than not a cash discount on top.

    Even though the bank has been explicitly, in fact very explicitly, told that I don't want one they haven't got the message and still keep sending one with a handy little reminnder to activate it when I log on to their web site.

  10. Ferry Boat

    Bad AVS

    That's a rubbish system. Just checking the numbers must give so many collisions. I don't quite expect an MD5 or SHA of the address but surely something between the two extremes is possible. Badly chosen system open to exploitation shocker.

  11. Tom Chiverton Silver badge

    @Nigel

    My in-laws don't have a house number

  12. Rhyd

    RE Whole address / whole postcode

    AVS was designed for card terminals, which only have buttons with numbers.

    For a long time I've thought that a good e-commerce solution would be for credit / debit card companies to maintain a list of delivery addresses. When ordering, a customer chooses from the addresses registered with their card. This would also avoid the annoying "solution" of only allowing goods to be delivered to the registered card address - I'm at work all day, why would I want anything delivered to my house?

  13. Francis Vaughan
    Thumb Down

    Re: Whole postcode?

    What, you mean check the letters as well as the numbers? Oh my goodness!!!

    ...

    06 AvsCheckCode PIC 9999

    ...

    What is a poor programmer to do? This could take _years_.

  14. Ferry Boat

    I am not a number I am a name

    The last place I lived in had no house number or postcode. So using my UK card in the UK would have checked no numbers. I suppose I'd have been pretty well protected in that case. Now I just have one number, 7. That would also make me quite safe as a postcode (or at least all the ones I've seen) has at least two numbers.

    It truly is a rubbish system though.

  15. Anonymous Coward
    Happy

    @ A J Stiles

    I doubt housenumber/postcode is as unique one might hope...

    1, london road, manchester M1 1AA

    1, manchester road london NW1 1AA

    1, Gadzooks Crescent, Leeds L1 1ZQ

    1, Fraud Street, Truro TR1 1AQ

    and so on, through the other 4745520000 combinations.... :-)

    The /whole/ post code is much more unique - but presumably some genius decided to scan only the numeric components.

  16. Dale

    @Rhyd

    Some card companies do maintain a list of allowed delivery addresses, but I didn't realise this either until I ordered something on a site that would only deliver to the registered card billing address which is inconveninent for me (card registered at home address but I'd prefer to have packages delivered to me at the office). Helpfully the site pointed out that some card companies do allow you to register an alternative delivery address. So I rang up AmEx to enquire and the very cheerful chap on the other end was happy to oblige, like it was a very common thing to do. I don't know why they don't publicise it more.

  17. Gareth Jones Silver badge
    Thumb Down

    There's a simple solution

    If credit card companies would only allow transactions through their own websites (in a similar style to Paypal) then 99% of potential fraud could be removed. This is such an obvious solution that I can only assume that the cc companies have though of it. Therefore I am forced to the conclusion that the card issuers have ulterior motives for not implementing such a system.

  18. Nigel Sedgwick

    More on Whole Postcode

    @Tom, who wrote: "My in-laws don't have a house number."

    Then they either have a unique post code (so enter house number 0), or are (with my suggestion) being defrauded with the co-operation of a neighbour who shares their postcode.

    @Rhyd, who wrote: "AVS was designed for card terminals, which only have buttons with numbers."

    On number of buttons, likewise my mobile phone. However, one can enter all letters with multiple key presses, in a way understood by most people. Alternatively (though less easy to understand) one could enter enough 3/4-letter groups to reduce the entropy (residual 'unknownness') sufficiently to make the attack somewhere between useless and much less useful.

    In any case, the attack mentioned by El Reg refers to e-commerce. Therefore, for goods physically delivered, the postcode will have been entered using a 100+ character keyboard; likewise the postcode would/could be entered for goods downloaded or otherwise not delivered by post, but there is no fraud-reducing check then possible, based on the address (that is for fraudster who knows the cardholders address).

    @Wize, who wrote: "Even if they did the whole address, it wouldn't cover two people in the same flat."

    Why don't you try that one on your flat-mate, and see whether his/her credit card company comes after either you, for the crime, or holds your flat-mate to pay the transacted money.

    @Ferry Boat

    Interesting; are you afloat?

    There are, of course, exceptions to every scheme. And sometimes a bit of inconvenience for those exceptions. However, if there is a reasonably sound security system based on delivery address, why not support credit card companies (and their cardholders) benefitting from it as much as is practical.

    Best regards

  19. Anonymous Coward
    Stop

    Forgot to mention CV2

    A crappy article. I work extensively in this industry and without the CV2 number the house number and post code are largely irrelevant. As a minimum this should always be checked. Yes there are floors in the AVS mechanism but now with 3D secure most of these issues are circumvented. No system is infalible it is a case of damage limitation. Therefore to say there is floors is AVS checking is obvious.

  20. Alan Parsons
    Happy

    Electric 'thumb' and 'thumb jammer'

    Sigh... The fraudsters will always be one step ahead. I work in this industry and can tell you that the crims will always be one up because they don't have to do f**king change management. Their code is agile and flexible. Ours can only be changed after peer review, endless paperwork, arguments, change window agreements, two or more 'canned' attempts due to other operational issues near the target time, beurocracy, accountability blah blah meh whatever.

    Seriously we'd have a lot more luck if we got our development team to log onto a board somewhere and ask

    h1 4ll u l3GendAry hax0rz, plz cAn w3 hAs sum c0ol War3Z to <ST0p> teh Fr4udy-p33ps? lol xxx lol xxz

    Then download whatever we get offered and just roll that out into production.

  21. RW
    Dead Vulture

    Corporate short-sightedness

    "there's more effort being put in by the crims to subvert the system, then there is by the banks / credit companies et al to secure electronic transactions."

    This raises the interesting point that many large, important corporations are so fixated on profits or share price or something of the sort that they are no longer looking to the future and upgrading their infrastructure.

    Not the banks of Europe, however, who seem to understand that if you are in banking, you can't sit there and twiddle your fingers trying to preserve a 35-year old IT system that needs total replacement.

    BT, btw, along with many other ISPs, is guilty of the same fault: it's clear that the present infrastructure is inadequate: why aren't they actively working to run an optical fiber into all customers' premises? Instead they fuck around with that ludicrous Phorm nonsense and bandwidth capping.

    Indeed, if the service providers won't take the initiative, maybe governments will have to step in, since the intertubes is ever more important and failure to upgrade infrastructure damages the national interest.

    Hasn't South Korea run fiber everywhere already? Now there's a country that knows what to do.

    Dead vulture because that's what a large number of corporate execs should look like!

  22. Wize

    @Nigel Sedgwick

    "Why don't you try that one on your flat-mate, and see whether his/her credit card company comes after either you, for the crime, or holds your flat-mate to pay the transacted money."

    I meant block of flats rather than same flat number. The flat I'm in doesn't even have flat numbers and there is always the chance of having two people with the same last name. But then, in a two flight block of flats its easy to find them.

  23. Anonymous Coward
    Anonymous Coward

    I suppose this is what you get with ALPHA postcodes!

    We here in the USA have nice numeric ZIP (post) codes. They are asked all the time, like when I put $75 worth of gas (petrol) in my vehicle (over $4.21/(us)gal). Of course, a single zip code has lots of addresses (typically served from a single post office), but it isn't a PARTIAL chunk of the code that changes little.

    Sorry that the UK, Canada, Oz, NZ stuck with letters and numbers for post codes. They should have known better.

    Some people just don't understand.

    Then again, a better way of entering a confirmation number might be the last 5 digits of a phone number or some such.

  24. H

    Merchants don't want to put off their customers

    99% of online retailers want sheer volume of sales, and then take care of the fraud monitoring internally after the sales have come in. The more complex the payment system/shopper verification the greater the impact on sales.

    It is generally only the small to medium sized businesses that go from entirely complacent to fanatical about fraud overnight, after being hit by a few charge backs, and begin leaping up and down at the supposed ineffectiveness of the card schemes.

    Enrol in 3D Secure and train your order fulfillment staff properly. That's all there is to it.

    Let the seller beware.

  25. Mike

    CV2

    Oh, you mean that number on the back that nearly every merchant demands these days, so it is almost certainly stored right next to the card number in the database that just went walkies? That one? How, exactly, does that help?

  26. Anonymous Coward
    Anonymous Coward

    Re: Forgot to mention CV2

    >I work extensively in this industry

    "Deity of your choice" help us if you do, if so then your comment explains why only numerics are taken into account, it's "flaws" you illiterate moron not "floors". No wonder you can't parse strings.

  27. Anonymous Coward
    Anonymous Coward

    @AC

    "Yes there are floors in the AVS mechanism"

    Let's just hope the fraudsters don't find walls and ceilings in there as well.

  28. Oldfogey
    Paris Hilton

    @More on Whole Postcode

    More misunderstanding of Postcodes. They refer to anything from one to a dozen properties, thus increasing the chance of finding a match.

    Further chances to match can easily be generated by using slightly wrong postcodes - 1 The Road XX1 2XX could be written as 2XX, and would still be delivered to the Correct house at 1 The Road.

    On numberless houses, there are five properties grouped at the end of our lane, none has a house number, all have the same Post Code. Just to make it extra interesting, the lane doesn't have a name.

    Paris would never be able to find us!

  29. night troll
    Pirate

    @ Gareth Jones

    Because then the banks would be liable for the refund on the fraud not the retailer. All the security systems introduced over the 10 years or so have been geared to reducing the banks exposure to fraud and shifting the cost to the customer / retailer. i.e. chip and pin, no signature to check therefore not counted as a cheque transaction so the customer MUST have given his pin number to someone.

  30. mr.K
    Heart

    @Credit card companies to blame again

    I love that system. It is the single most idiotic security system I have ever witnessed. If somebody hacks one of these webshops, they can create a few bogus pages that look identical to the iDEAL page. Users then provide their account number, personal code and one time key. The bogus site then tells the user that it didn't go through due to technical issues and that the user should try again in a few minutes.

    When the orginal problem was the possibility of some credit card frauds with false purchases, they now have provided hackers with the means to gain full access to people bank accounts.

    Love it, just love it.

  31. Steve Roper

    Re: I suppose this is what you get with ALPHA postcodes!

    "Sorry that the UK, Canada, Oz, NZ stuck with letters and numbers for post codes. They should have known better."

    You might want to do a little research before talking about foreign postcodes mate. While I don't know about Canadian and NZ postcodes, Australian postcodes are all four-digit numeric; the first digit denotes the state, the next 3 digits denote the area, with 000 being the capital city centre.

    E.g. 2000 is Sydney, New South Wales, 3000 is Melbourne, Victoria, 5000 is Adelaide, South Australia and so on. A suburb of Adelaide (Para Hills) thus has the postcode 5096, while a remote South Australian country town (Hawker) has the postcode 5434. All in all, probably the simplest and easiest to understand postcode system of any that I've encountered!

  32. Rob
    Stop

    IMHO, Ferry Boat is the only one who has grasped the point.

    It's about collisions. I've had a look at the company in questions website. They claim to have detected roughly 60,000 fraudulent CNP transactions a month in both May and April.

    The article says that based on a sample of 50 cases, over a month or so, where there was an AVS collision, they have concluded that crims around the world have collaborated to build a super-dooper AVS subverting database.

    What's more likely? A global fraud-facilitating DB or that 50 collisions out of 60,000 were the result of random chance?

    And if that's the acme of their scientific rigour, why would any sensible company trust them to do anything more challenging than wiping their own arse?

  33. Tim Hogard

    System designed for different addresses

    AVS was designed to take advantage of the 9 digit zip codes used in the US which pinpoint down to about a block in most cases combined with the larger 5 digit house numbers that are also often used. That would have meant that a typical house will only share its AVS code with 1 or 2 others in most cases. The problem is people don't seem to remember their 9 digit zip code and tend to remember just the 1st 5 so the zip+4 was dropped. Aussie banks (except Citibank) are going with the excuse that AVS violates privacy so they refused to even do these trivial checks.

  34. Ross

    One simple problem

    The problem with card security is extremely simple. In order to make a payment you need to give all of the relevant details to the payee. Those details can then be reused, usually by yourself, but possibly by somebody else.

    If you gave a symmetric encryption key to someone you'd consider it compromised and would get a new one, but we give our card details out all the time. It's ridiculous.

    The OTP system is the *only* secure method of making a payment with your card as it includes an element that cannot be replayed or (presuming it has been implemented correctly) guessed. Until we get such a system in the UK you can consider all of your card details compromised and at risk of abuse.

This topic is closed for new posts.

Other stories you might like