Fraudsters test AVS system
June 11th, 2008 by admin. Posted in Credit Card Fraud, PCI DSS
David Gamey pointed me to the Register article on yet another scam fraudsters are using to defeat credit card fraud checks. We have discussed this topic before with pay-at-the-pump, but this new attack really goes to the heart of a fraud check that is called the Address Verification System or AVS.
Because AVS does not check all values in the address (i.e. just the house number or postal code), it is possible that an attacker could use an alternate address that has the same numbers (for example, the same house number but a different street).
However, fraudsters have begun exploiting the fact that many addresses can have the same AVS code. By making sure billing addresses and delivery addresses used in scams have the same code, they make it more likely that purchases will go through.
This is, at best, a weak attack because it cannot be monetized quickly over a large number of card numbers. In order to perpetrate the attack the attacker would need to have your name, address, and credit card number. This information is usually obtained from e-commerce compromises, though it could originate from other sources. The attacker would then need to find a drop site that has the same information that is checked for in your address (for example, the same house number but a different street). This could work for one account number. If they want to replicate it they need to find a new drop site, which is rather difficult and time-consuming.
Also, let’s not forget that AVS is not used globally. For example, it is used in the UK, USA and some other regions, but not in continental Europe and most of the Asia-Pacific region. This diminishes the potential for attack. Also, different Issuers may check different information via AVS, which means you would need to know what information each Issuer checks and happen upon a card number from that Issuer that is associated with an address similar to a fraudulent drop site you already have. These stars do not align quite as often as one might think.
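To make the weakness concrete, here is an added example (not from the original post or any card network's code) that models a numeric-only address check and contrasts it with a full street comparison, as a party holding the on-file address could run it. The function names, the abbreviation table and the sample addresses are constructed, and the digit-only key is a simplifying assumption about what a given Issuer checks.

```python
import re

# Assumption: a simplified AVS-style key made of the leading house number
# and the digits of the postal code. Real Issuers may check different fields.
def avs_key(street_line, postal_code):
    m = re.match(r"\s*(\d+)", street_line)
    house = m.group(1) if m else ""
    postal_digits = re.sub(r"\D", "", postal_code)
    return house, postal_digits

# Small, constructed abbreviation table so "St." and "Street" compare equal.
ABBREV = {"st": "street", "rd": "road", "ave": "avenue", "dr": "drive"}

def normalize_street(street_line):
    """Lowercase, drop punctuation, expand common suffix abbreviations."""
    words = re.sub(r"[^\w\s]", "", street_line.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def compare(on_file, submitted):
    """Compare two (street_line, postal_code) pairs.

    Returns 'mismatch' when the numeric key differs, 'numeric_match_only'
    when the numbers agree but the street text does not (the case the post
    describes), and 'full_match' when the normalized street also agrees.
    """
    if avs_key(*on_file) != avs_key(*submitted):
        return "mismatch"
    if normalize_street(on_file[0]) != normalize_street(submitted[0]):
        return "numeric_match_only"
    return "full_match"

if __name__ == "__main__":
    # Constructed sample addresses, not real data.
    on_file = ("42 Maple Street", "12345")
    for submitted in [("42 Maple St.", "12345"),
                      ("42 Birch Road", "12345"),
                      ("44 Maple Street", "12345")]:
        print(submitted, "->", compare(on_file, submitted))
```

A `numeric_match_only` result is the signal worth routing to manual review rather than treating as a clean pass.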
3 Responses to “Fraudsters test AVS system”
By Uncle Bob.. on Aug 5, 2008
This is why COB (Change of Billing) attacks are hardly being used these days. It's a crapshoot with UPS, FEDEX and other delivery companies not even delivering to a house without first requiring identification of the person picking up the package. If the package is returned to the delivery company, most of the majors now require identification of the person picking up, and the ID must match the address on the package. They even tell people that are in higher fraud areas that they must also have a utility bill coupled with an ID to pick up the package, which means fewer than normal carders wishing to challenge or attack a system such as this which is in place.
The only safe way is to actually spend money on renting a house and then having many things delivered there under one name or two and then abandon it after a few items are delivered. In carder speak, too many buttons to push for an average carder to press, thus COBs are now dead on arrival. Meaning no one in their right mind would use them.
The attack you describe is not used, it's usually used by using the extra address field on most shopping carts. Meaning you use the correct card holder billing, and then fudge the last few letters making the street unrecognizable, then you add the new address on the secondary field - which FEDEX and UPS have been known to use if they cannot deliver to the original address. But even this method is old hat.
By goawayalreadytroll on Sep 23, 2008
“uncle bob” is a thief (in real life: David R Thomas) who is scamming people online. He was an FBI informant before they kicked him to the curb for being a useless troll, not to mention the outright fabrications he would foist on his agent handlers.
By Tony on Feb 7, 2009
Great informative site, keep up the posting.