Hi all,

Our web site approved a larger than normal order today, so I scrutinized it a bit more. Our AVS settings in Auth Net requires the correct street address be submitted for U.S. orders. The street address submitted was "# HGHGHGHG" in Mecosta Mi! The card-issuing bank (if there is one) is apparently U.S. based. The IP is, of course, Nigerian.

Our system authorizes only, we perform charges manually.

Have criminals found ways to generate credit card numbers that are accepted by credit processing systems?

Could a US bank be cooperating with criminals in the generation of credit cards accounts?

Why would a criminal bother having a card account created and use a street address (# HGHGHGHG) that they know we would not sent to?

Is the criminal testing his or our system somehow?

However, the credit card used was surely stolen, otherwise what account would the funds be drawn from if we approved the transaction? But again, if stolen, why the nonsensical street address?

Soooo, anyone ever have their AVS approve a card that is clearly bad or stolen, even under conditions dissimilar to those above?

Thanks for any and all responses
Confused in Colorado
-Mark

Was the street number HGHGHG or was that the street name? If it was the street name, did they get the street number right? Visa only checks the street number and zip code, from what they told me. They don't check the customer name, street name, city or state.

Did you call the issuing bank for address and name verification? Of course, you know if it's a fraud if the IP is Nigerian and the other red flags tipped you off, but if the card number matches the zip and street number it would have gone through.

There was a big story on Dateline about this Nigerian thing, people are still falling for this scam. These crooks use the Nigerian internet cafes, they sucker Americans into paying for and accepting shipments for them, then the person ships it off to their "girlfriend" or whoever in Nigeria. They pretend to be hot chicks in love with these guys, or men pretending they want to meet these lonely women promising to come to America to visit them and/or marry them, if only they could make enough money....

Sounds like maybe this person was testing the credit card out so you wouldn't know what the street address was not knowing that you could report it with just the credit card number. I would report it to the issuing bank and help out the poor sap who either had their card stolen or has fallen prey to one of these animals.

Thanks BamaCat.

"# hghghghgh" was the street address in totality, no numbers, no recognizable words like "street" or anything. My understanding is that AVS is a system subscribed to by the major card companies, and that only the first 5 characters of the street or zip are varified - something like that. Anyway that darn order was approved with ...hghg... submitted as the street address.

We have been catching and deleting fraudulent attempts (Nigerian, mostly) for many years.

I couldn't believe it, but this morning I check our AVS settings and until now we were not requiring a correct ZIP! Well, we changed that.

Good idea; I will contact Visa on this card number. Could save someone some hirt.

The customer's name is kGGFG JJGHH. Sounds pretty sexy. Maybe I'll let this order go through after all.

Later
-Mark

AVS only validates the numeric portion of the street address... if you had "123 Anywhere Street", the AVS check makes sure 123 matches, but will NOT check Anywhere Street. Since no numbers were in the street address, there wasn't anything to match; you would expect, in this case, the transaction to decline because of an AVS mismatch.

However, two options here... if the REAL customer also had no numeric street address (i.e. their address was 'Balsam St & Spruce St'), the AVS WOULD match, as both numbers (or lack thereof) match... otherwise, that specific bank may return a 'match' result when no numeric street address is given (which the bank shouldn't do, but could).

Hope that makes sense...

Can't you also block IP addresses from Nigeria or other countries you don't want to deal with? USAePay lets you do that, although now that I logged in to make sure of that, it says this:

Fraud Settings >> IP Country Blocker
Blocks or allows transactions based on what country they originate in. The location of the customer is based on their IP address which is checked against our GeoIP database. To use this module your shopping cart must pass the ip address to the gateway.

I'm guessing since USAePay is the preferred gateway for MC, that our shopping cart does pass the ip address to the gateway?

I personally have processed many, many thousands of orders over the last several years. Every now and then something comes up leaving me scratching my head.

I too had thought that AVS looked only at the numeric component of the street address, not just the first 5 characters. Well, take it all with a grain of salt.

This approved (though obviously bad) order did cause me to look once again at our credit approval settings. After studying the issue a bit and speaking with Authorize.Net, I am now certain our system requires valid inputs for street address, ZIP code and cvv (for U.S. orders.) We still vet non-U.S. orders on a case by case basis.

Also on the bright side are occassional orders such as one that greeted me today for a bit over $1k. Since our average ticket is only about $45, a larger order is nice to see every now and then.

Thanks for your insights, guys.
-Mark

cool logo, btw!