
Fraudsters crack card AVS technology

It seems that fraudsters have cracked the address verification system (AVS) used with payment cards in the UK and are using an innovative way of beating the system.

The fraud has been picked up by The Third Man, a security specialist, which says that AVS uses the number of the property plus the numbers in the post code as the primary checksum.

So, for example, if you lived at 10 Downing Street in London, SW1A 2AA, your AVS would be 1012 - i.e. the number of the property plus the 1 and the 2 in the post code.

What fraudsters have realised is that, if you find a property with the same number but located in a different area of the UK and with the same numbers in its post code, then the AVS checksum is the same.

For example, here in Sheffield, if a fraudster were to use 10 Queen Street, S1 2DW as the address, then the AVS checksum would also be 1012.

You get the picture.
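The collision is easy to reproduce. The sketch below is an added example, not code from The Third Man or APACS: it builds the numeric key the way this article describes it and shows why a digits-only comparison cannot tell the two addresses apart, while a comparison of the whole post code can. The function names are hypothetical, and it assumes the checking party holds the full post code on file.

```python
import re

def avs_key(address_line: str, postcode: str) -> str:
    """Property number digits followed by the digits in the post code
    (the scheme as described in this article)."""
    house = re.match(r"\s*(\d+)", address_line)
    house_digits = house.group(1) if house else ""
    return house_digits + "".join(re.findall(r"\d", postcode))

def normalise_postcode(postcode: str) -> str:
    """Strip whitespace and upper-case so 'sw1a2aa' equals 'SW1A 2AA'."""
    return re.sub(r"\s+", "", postcode).upper()

def classify(on_file: tuple, supplied: tuple) -> str:
    """Compare a supplied (address_line, postcode) with the one on file.

    'mismatch'               - the numeric keys differ
    'numeric-only collision' - keys agree but the post codes differ
    'match'                  - keys and full post codes agree
    """
    if avs_key(*on_file) != avs_key(*supplied):
        return "mismatch"
    if normalise_postcode(on_file[1]) != normalise_postcode(supplied[1]):
        return "numeric-only collision"
    return "match"

if __name__ == "__main__":
    # The article's two addresses, used as constructed sample input.
    cardholder = ("10 Downing Street", "SW1A 2AA")
    samples = [
        ("10 Downing Street", "sw1a2aa"),   # same address, different formatting
        ("10 Queen Street", "S1 2DW"),      # different city, same digits
        ("11 Downing Street", "SW1A 2AA"),  # different property number
    ]
    for supplied in samples:
        print(supplied, avs_key(*supplied), classify(cardholder, supplied))
```

A check that stops at the numeric key would accept the second sample; only the comparison of the full post code separates it from the genuine address.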

As you might expect, APACS has gone into PR overdrive following publication of this rather large loophole in the AVS system and says that merchants should never rely on AVS on its own as a means of verifying the address of the card holder.

Funny - that contradicts what the banks were saying a few years ago.

Surely APACS isn't back-pedalling on its previous advice?