Monday, June 23, 2008

Fraudsters pool data to beat plastic fraud checks

How to fool address verification system (AVS) in Credit Cards purchases?

Credit Card fruadsters have come up with another
cool idea to trick the AVS in credit card purchases. Because AVS does not check all values in the address (i.e. just the house number or postal code) it is possible that an attacker could use an alternate address that has the same numbers (i.e. same house number but different street). I qoute from the article:

However fraudsters have begun exploiting the fact that many addresses can have the same AVS code. By making sure billing addresses and delivery addresses used in scams have the same code they make it more likely that purchases will go through.

In order to perform fraudulent transactions all fraudsters would need to have is your name, address and credit card number. This information is usually obtained through e-commerce database compromises, phishing scams, key-loggers and hacking into co-operates databases. The attacker would then need to find a drop site that has the same information that is checked for in your address (i.e. same house number but different street). This could work for one account number. If they want to replicate it they need to find a new drop site, which is rather difficult and time consuming.

No comments: