From the BBC:
Loopholes in the way addresses are checked by online stores are helping fraudsters cash in, say experts.
The flaw means goods bought with stolen credit cards do not trigger security systems that check addresses.
Security firm The Third Man said it stumbled over fraudsters committing the crime while overseeing transactions on a retail website.
But the UK’s payments association said it had seen no evidence that the novel crime was being carried out.
“It’s pure chance that we picked this up,” said Andrew Goodwill, director of anti-fraud firm The Third Man.
The scam exploits the mechanics of the Address Verification System (AVS) that many retail sites use to check the address of those using a credit card at an online store.
It is really funny how often organizations refuse to accept that an attack has happened/is happening. I was onsite in the US conducting an assessment for a company quite a few years ago and I pointed out that their system had been breached. The executive looked me square in the eye and said, “no it hasn’t”. If he was trying to intimidate me he missed the mark. If he was refusing to accept the reality that is another problem entirely.
