Azara Blog: Standard online UK address checking software is fatally flawed

Date published: 2008/06/11

The BBC says:

Loopholes in the way addresses are checked by online stores are helping fraudsters cash in, say experts.

The flaw means goods bought with stolen credit cards do not trigger security systems that check addresses.

Security firm The Third Man said it stumbled over fraudsters committing the crime while overseeing transactions on a retail website.

But the UK's payments association said it had seen no evidence that the novel crime was being carried out.

The scam exploits the mechanics of the Address Verification System (AVS) that many retail sites use to check the address of those using a credit card at an online store.

When carrying out address checks AVS compares the house number of a customer plus the digits in their post code to those input during a transaction.

For instance, if the Prime Minister bought goods at an online store with a credit card, AVS would use numbers in the address - 10 Downing St, SW1A 2AA - to help verify his identity.

In this case AVS would use 1012 as a shorthand ID check.

By finding an alternative address that has the same house number and digits in a very different post code, fraudsters could convince AVS the address was genuine even though it was completely different.

It's unbelievable how such sloppy software was ever allowed to be used. If you assume that a typical UK house number runs from 1 to 100 and that the two digits in the postcode are fairly randomly distributed, then there are only around 10000 distinct values in total that the system uses. This is not a big number. A fraudster who has access to 10k credit card details is very likely to be able to find a match for just about any address they care to use. (And quite possibly they have access to many addresses.)

You can perhaps understand why AVS might not want to use the entire postcode, since new postcodes come into being all the time, and not all databases are updated in sync. But you would have thought they would at least have used the postcode sector (so in the BBC example this would be SW1A 2). There are around 10k postcode sectors, so now the fraudster would need around 10k credit card details just to have a 1% chance of a match to any other specific address. Well, even that is a bit too big for comfort, so far better would be an exact full postcode check, and if it didn't match then a manual check (by a human) of the full address (using an address database) would seem like the reasonable approach. Presumably the decision not to use even postcode sectors is because once in a great while new ones of these are introduced as well (whereas they will never introduce new numbers between 00 and 99). But this is truly pathetic, given the arithmetic.
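The following is an added example, not code from the blog, the BBC or any real AVS implementation. It models the digit-only check as the BBC article describes it, alongside the two stricter comparisons argued for above (postcode sector, then full postcode with manual review on mismatch), and carries through the collision arithmetic from the commentary. The second address that collides with the Downing Street example is constructed for illustration and is not claimed to be a real delivery point; the keyspace sizes (100 house numbers, 100 two-digit postcode combinations, roughly 10k sectors) are the post's own simplifying assumptions.

```python
"""Model of the digit-only AVS shorthand versus stricter address checks.

Added example: assumes the check works as the BBC piece describes (house
number digits + postcode digits) and uses the post's rough keyspace figures.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    house_number: str
    postcode: str  # UK postcode such as "SW1A 2AA"; spacing/case may vary


def normalise_postcode(postcode: str) -> str:
    """Upper-case, strip spaces, then re-insert the single space before the
    inward code (always the last three characters: digit + two letters)."""
    compact = re.sub(r"\s+", "", postcode).upper()
    return compact[:-3] + " " + compact[-3:]


def postcode_sector(postcode: str) -> str:
    """Outward code plus the first inward digit, e.g. "SW1A 2AA" -> "SW1A 2"."""
    return normalise_postcode(postcode)[:-2]


def avs_digits(addr: Address) -> str:
    """The weak shorthand from the article: every digit of the house number
    followed by every digit of the postcode. 10 Downing St, SW1A 2AA -> "1012"."""
    return re.sub(r"\D", "", addr.house_number) + re.sub(r"\D", "", addr.postcode)


def weak_match(claimed: Address, on_file: Address) -> bool:
    """Digit-only comparison: very different addresses can collide."""
    return avs_digits(claimed) == avs_digits(on_file)


def sector_match(claimed: Address, on_file: Address) -> bool:
    """House number plus postcode sector, the intermediate step the post suggests."""
    return (claimed.house_number == on_file.house_number
            and postcode_sector(claimed.postcode) == postcode_sector(on_file.postcode))


def full_match(claimed: Address, on_file: Address) -> bool:
    """House number plus the complete, normalised postcode."""
    return (claimed.house_number == on_file.house_number
            and normalise_postcode(claimed.postcode) == normalise_postcode(on_file.postcode))


def avs_decision(claimed: Address, on_file: Address) -> str:
    """The post's recommended policy: accept only on a full match, otherwise
    route the order to a human who checks the whole address against a database."""
    return "accept" if full_match(claimed, on_file) else "manual_review"


def p_any_match(keyspace: int, records: int) -> float:
    """Probability that at least one of `records` keys, each drawn uniformly
    from `keyspace` possibilities, equals one fixed target key."""
    return 1 - (1 - 1 / keyspace) ** records


# Keyspaces under the post's assumptions (house numbers 1..100 in both cases).
DIGIT_ONLY_KEYSPACE = 100 * 100        # two postcode digits, 00..99
SECTOR_KEYSPACE = 100 * 10_000         # around 10k postcode sectors

if __name__ == "__main__":
    on_file = Address("10", "SW1A 2AA")          # the BBC's Downing Street example
    colliding = Address("10", "M1 2AB")          # constructed: same digits, different area
    print(avs_digits(on_file), avs_digits(colliding))           # 1012 1012
    print(weak_match(colliding, on_file), sector_match(colliding, on_file))
    print(avs_decision(colliding, on_file))                     # manual_review
    for name, space in (("digit-only", DIGIT_ONLY_KEYSPACE), ("sector", SECTOR_KEYSPACE)):
        print(f"{name}: 10k cards give {p_any_match(space, 10_000):.1%} chance of a match")
```

With 10k card records the digit-only scheme gives roughly a 63% chance that at least one record matches any chosen address, whereas the sector check brings that down to about 1%, which is the figure the commentary arrives at; only the full-postcode comparison with manual fallback removes the guessing game entirely.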
