UK fraud protection specialists The 3rd Man says criminals are exploiting a loophole in a payment verification system used by e-retailers in order to steal goods.
The 3rd Man says it spotted a flaw with the address verification system (AVS), which is used by credit card companies and banks to verify the identity of cardholders, when monitoring transactions for a retailer.
AVS - popular with e-commerce outfits - checks the billing address of the credit card with the one on file, matching the house number and postcode for each card issued.
But the 3rd Man says crooks are now finding alternative addresses that have the same house number and digits in a different post code, tricking AVS into thinking it is the same place.
By using compromised cards and address details fraudsters can virtually guarantee that the retailer has no realistic way of verifying the information, says The 3rd Man, so goods are shipped straight to the criminal's door.
The vendor says fraudsters can take advantage of this crack in security to safely use card details stolen in database hacks like the recent attack on UK retailer Cotton Traders.
"This is a serious problem, one that fraudsters have not only cottoned onto but are exploiting in significant volume. Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk," says Andrew Goodwill, director, the 3rd Man.
Figures from payments association Apacs show that card-not-present fraud (CNP) rose by 37% to £290.5 million during 2007 and now accounts for more than half of all industry losses from card fraud. However, Apacs argues that CNP losses have to be seen in context of the huge rise in the number of people shopping online and over the phone. Apacs says CNP fraud losses rose by 122% between 2001 and 2006, but over the same period the total value of online shopping transactions increased by 358% - from £6.6 billion in 2001 to £30.2 billion in 2006.