A second wave of attacks began midday Friday after much of the eastern United States was affected in the morning. Sites affected included Etsy, ...
If there’s a way to exploit a hole in the online ordering system, criminals will find it. The latest: Using the second address line for a shipping address as a way to avoid the flags that different bill-to and ship-to addresses generate.
If there`s a way to exploit a hole in the online ordering system, criminals will find it. The latest: Using the second address line for a shipping address as a way to avoid the flags that different bill-to and ship-to addresses generate.
Payments processor ClearCommerce says it has seen the fraud sporadically over the past few months, but that five large merchants reported it in one week last month. "It is now above the noise level and is what we consider an emerging scheme," says Julie Fergerson, co-founder and vice president of emerging technologies at ClearCommerce.
With this scam, criminals are taking advantage of the fact that MasterCard and Visa`s Address Verification System checks only the numeric portion of a billing address and the ZIP code. Transactions receive a pass if both match the card companies` records, a partial OK if either element matches and a failure if neither matches.
Criminals obtain valid credit card numbers and the correct billing addresses on the accounts. When they use the accounts to order something online, they enter the correct address on the first line with some gibberish afterward, then enter the shipping address on the second line. A transaction going through the AVS system will obtain partial approval if the system notices that the number in the address is correct, regardless of what follows it, even if the ZIP Code doesn`t match, ClearCommerce says.
When the package enters the delivery stream, though, automated scanners can recognize the first address line is not a valid address and so will drop to the second address line, where they will recognize a valid address and route the package for delivery accordingly.
While criminals could use the correct address in the bill-to form and their own address--or a drop box address--in the ship-to form, many retailers scrutinize orders more closely when they contain separate bill-to and ship-to addresses. Criminals thus gain an advantage in bypassing those filters by using only the one form for both bill-to and ship-to addresses. "Fraudsters like to do the same shipping and billing address as much as possible; it creates less suspicion if the ship-to address is the same as the bill-to address," says Steve Waldschmidt, senior risk management analyst for ClearCommerce.
Waldschmidt says retailers can fight back by reviewing partial passes in which the numeric part of the address is correct but the ZIP Code is incorrect. That will almost always be the case with stolen account information. ClearCommerce reports that 25% of orders receive a partial match approval. 1.7% pass the street number and fail the ZIP portion. That`s the portion that retailers should focus on, ClearCommerce says.
A visual inspection of packages can flag when the material after the number in an address is gibberish, Waldschmidt notes.
Retailers can get an idea if this is a problem by comparing partial-match approvals today to historic rates. ClearCommerce also urges retailers to use other fraud triggers and don`t rely on AVS alone.