Fraudsters have hijacked a system designed to help protect retailers and consumers from credit card fraud, according to fraud protection specialists the 3rd Man.

The company claims that a serious flaw in the Address Verification System (AVS) used by retailers to check the identity and billing address of a card holder allows fraudsters to fake verification.

AVS is often used by internet retailers to check that the billing address the credit card holder gives matches the address on file at the credit card company.

It works by matching the house number and postcode numbers for each card issued. For example, 43 Crooks Close, B10 7GB would result in an AVS number of 43107.

But a 3rd Man investigator discovered that criminals are getting around this check to make fraudulent transactions look genuine.

Andrew Goodwill, director and fraud expert at the 3rd Man, said that fraudsters are compromising and using card details where the genuine cardholder’s address numerals exactly match the address they want delivery to.

“So, not only are they obtaining goods fraudulently, they have them delivered to their chosen address,” he said.

He told Computeractive that the company was initially seeing upwards of 50 fraudulent transactions in a day by criminals who had cottoned on to this loophole. However, Mr Goodwill warned that the the volume of these fraudulent transactions was bound to rise.

“This is serious. It is likely we will soon see this as the biggest problem during the last 20 years regarding card fraud. Fraudsters are starting to exploit the loophole in significant volume. Retailers relying on AVS, or where a retailer will only deliver to the billing address, are facing a potentially huge risk,” he said.

Mr Goodwill also told us that the fraudsters can also compromise the bank’s fraud prevention technologies, Verified by Visa or Mastercard Securecode.

“Criminals are also checking to see if the cardholder has registered their card with either of these security methods. If they haven’t then the fraudster registers the card details using a password of their choice, making it even harder for the retailer to know the card is being used fraudulently.

APACS, the payment industry body said it didn’t dispute the 3rd Man’s findings or that it was possible but said neither it nor the police had evidence that this fraud was happening.

“It is a rather complex way of getting a delivery address and we wonder if criminals would go to those lengths; they prefer easier ways of committing fraud.

"We have had discussions with the 3rd Man and police about criminals using this way of committing fraud. But retailers should never rely on one method of verification,” an Apacs representative said.