In Depth
Choke Point: Preventing Credit Card Fraud
In the struggle to prevent fraudsters from turning stolen credit cards into cash online, retailers are the country's last, best defense
By Sarah D. Scalet
Fraud Prevention 101
Whether or not the customer understands it, the majority of online transactions include two basic antifraud measures. The first confirms the billing address; the second tries to verify the physical presence of the credit card.
The billing address is used for the address verification service (AVS), which allows a merchant to find out whether the billing address provided by the customer matches the one in the bank's records. Although the method isn't perfect, 75 percent of online retailers use it, making it the most widely used tool, according to the CyberSource study.
For physical confirmation, retailers often ask for the card verification number (CVN, sometimes called CID or CVV). This is a three- or four-digit code that's printed on the credit card but not included in any correspondence or on the card's magnetic stripe. CyberSource projects that by the end of 2006, this method will be nearly as prevalent as address verification.
Tracy Brown, cochairwoman of the Merchant Risk Council, a trade group founded to help retailers control fraud, says that CVN was an attempt to move online credit card transactions from single-factor to dual-factor authentication. "The concept was that maybe you got my credit card number from a database, or you stole my billing statement, but the CID or CVV weren't stored in those places," says Brown, who is director of information security for American Eagle Outfitters. That meant that online credit card transactions required not just something the customer knew (the credit card number) but also something she had (the actual credit card).
The problem, Brown says, is that this method isn't really dual-factor authentication. "Just because you have two [types of information] doesn't make it dual-factor. It's the same method: It's information that you type into a system that's stored in a database somewhere. Any kind of single-factor authentication is going to have a shelf life before it's compromised."
That's just what has happened. In fact, if ever there were an example of how a 10-foot fence just inspires criminals to build an 11-foot ladder, this is it. Crooks are adopting CVN as quickly as merchants. CardCops' Clements says that now when he sees thieves advertising stolen credit cards with "full information," it means the information includes not only the cardholder name, billing address, credit card number and expiration date, but also the CVN.
How do the fraudsters get the information? Some phishing schemes ask for it. Also, despite rules that prohibit merchants from storing the number, some have, making security breaches all the more damaging. Experts also fear that fraudsters are figuring out CVNs by brute force or, worse, reverse engineering them.



