56

In the U.S., many credit card machines at places like gas stations have started asking for your ZIP (postal) code to use a credit card ostensibly to help verify that you really are the cardholder, rather than the card being stolen. My question is simply: Is there any evidence that this actually leads to a significant reduction in successful credit card fraud?

It seems to me like this would not be a very useful measure for a machine that requires the card to be present anyway. I would have guessed that the most common way someone would physically end up with your credit card would be if they stole your wallet, in which case they almost certainly have at least one and likely several IDs that include your ZIP code. For example, in my wallet, at the very least, my driver's license, car insurance card, business card, and pilot certificate all have my zip code listed and it would also be trivial to figure out from my voter registration card. Thus, I'm curious if any actual security benefit has been shown for this or not.

reirab
    If a malicious person knows your PIN, chances are they know your zip code. To me it sounds like more of a marketing ploy from the owners of the cash machine: they want to know how often and how much certain zip codes withdraw from cash machines so they can either sell that data or use it for themselves to target geographical locations. – octo-carrot Nov 04 '15 at 15:49
  • 7
    @TweetingGary Credit cards in the U.S. don't use PINs (or, at least, very rarely do.) Also, I was talking about using credit cards to make a purchase, not to withdraw funds (for which you'd normally use a debit card.) Having said that, I do agree on suspecting that it's more for collecting marketing data than for actual security. Before it became common for 'security' purposes, some retailers asked explicitly for marketing data purposes. – reirab Nov 04 '15 at 16:09
  • 4
    @reirab are you serious? That's crazy, but yeah, again as you've said I doubt a zip code would be of any use as you have several forms of ID in your wallet with your zip code on it. You're better off getting a PIN code or something that you don't have written down somewhere. – octo-carrot Nov 04 '15 at 16:13
  • 17
    What I can say about this is that it's a real pain for tourists. – IEatBagels Nov 04 '15 at 19:24
  • 23
    The worst part of this for me is the horrific UI with scrolling text that says "PLEASE EN..." wait a while "...TER YOUR..." wait more "... 5 DIGIT..." ugh "...ZIP CODE". How about "ZIP CODE PLEASE" so I can start typing right away. – Digital Chris Nov 04 '15 at 19:55
  • @TopinFrassi Just curious, what does a tourist do in a situation like this? I'm assuming in this case the tourist is from another country and doesn't have a zip code or has a post code that isn't all numbers... – Michael Nov 04 '15 at 20:50
  • 2
    Depending on your contract, credit card companies may reduce the service charge a merchant pays depending on the validation. So zip and signature is cheaper than just signature, which is cheaper than neither. Details vary by company and contract. I'm betting that the card providers have hard data, though I don't have it. – Neil Smithline Nov 04 '15 at 21:06
  • 1
    @Michael There's a hack between Canada and the USA, which implies, IIRC, padding the left with zeroes and entering the 3 digits of the Canadian postal code. But it didn't always work. We could pay inside to the cashier otherwise! (But at night, well... you're out of luck) – IEatBagels Nov 04 '15 at 21:28
  • 1
    @TopinFrassi: if I remember correctly, you pad to the right, not to the left. – Martin Argerami Nov 05 '15 at 09:52
  • 3
    Regarding tourists, I would try entering the ZIP 00000 on the chance that the authorization server either returns that, NULL, or an empty string for non-US addresses. An empty string or NULL might compare equally to 00000 in a dynamically-typed language. – dotancohen Nov 05 '15 at 12:35
  • 2
    @TweetingGary I don't think they use that data to sell it. If you pay with your credit card, they know that you were/your card was there, and they already have more data than the zip code. Every other point you said I totally agree with. – Top Questions Nov 05 '15 at 13:23
  • Interesting measure - I have not seen it anywhere else in the world (it must be newer than 2008, as I was not asked to do that anywhere in the US either prior to that year) – WoJ Nov 05 '15 at 13:59
  • @WoJ It seems to have become much more common than it used to be in the U.S. within the last couple of years, maybe even less. I see it mostly at automated kiosks like gas pumps. In many other countries, chip and PIN cards are common, in which case this isn't really necessary, as the PIN does a better job. Even chip cards in the U.S. typically don't use PINs, though (they're chip and signature instead of chip and PIN.) – reirab Nov 05 '15 at 15:19
  • @TweetingGary, almost all debit cards in the U.S. can be used as "credit." If you pickpocket someone and take off with their card, you can only guess a few times. In larger areas where there are dozens of zip codes, you might get lucky by using the nearest 3 zip codes, but it will be recorded on video. – Mark Buffalo Nov 05 '15 at 17:00
  • You could claim it has increased fraud, as anything that makes people feel safe using non-“Chip and PIN” cards increases fraud. – Ian Ringrose Nov 05 '15 at 22:38
  • There are around 30 zip codes between where I work and live, so even if someone found my credit card on the sidewalk, they'd have to make several attempts before guessing the zip code. I once had my card locked out for fraud after I entered the wrong zip code several times in a row -- I had just moved and tried my old zip code a couple times, before guessing at my new zip code (unsuccessfully). My CC bank fraud department called me 10 minutes later to ask about suspicious activity. – Johnny Nov 06 '15 at 00:46
  • @gerrit Or because credit cards were much more common place in the U.S. than in most of the rest of the world prior to the existence of chip and PIN cards and, thus, Americans were already very accustomed to signature cards? Either way, this is rather off topic... – reirab Nov 06 '15 at 15:05
  • I would imagine that wallet theft is not a significant source of continuous fraud since the victim is likely to notice then deactivate the card in a relatively short time, that's the bigger protection there. There'd be a few fraudulent transactions but not really an ongoing thing. Now if somebody drops their card out of their wallet, that's a different story. – Jason C Nov 07 '15 at 20:19

6 Answers

69

Is there any evidence that this actually leads to a significant reduction in successful credit card fraud?

Yes, there is evidence, and yes, it absolutely has resulted in reducing many types of card fraud:

The fraud prevention feature you are referring to is called Address Verification Service (AVS). AVS checks that the street number and/or the zip code presented at the terminal match the data on file for the cardholder at the issuing bank.

In real-time, the payment processor will return an AVS Response. Based on the response, the merchant can decide to reject a non-conforming transaction.

It has been adopted by nearly every card issuer in the US.

[image: AVS fraud-reduction statistics from the Visa merchant guide, not reproduced]

See Merchant Guide to the Visa Address Verification Service

The possible response codes, and the configurable reject settings are shown here:

[image: table of AVS response codes and configurable reject settings, not reproduced]

In a gas station terminal setting, the terminal might be set to reject AVS Response codes N and A, for example.

Benoit Esnard
Rodrigo Murillo
    From reading through that document, it looks like those statistics were collected primarily from card-not-present transactions (i.e. online, over the phone, etc.,) nevertheless they are very interesting. It's particularly surprising that the no match rate was so high for cards stolen from the mail, since those have the billing address printed on the envelope. – reirab Nov 05 '15 at 02:34
  • 56
    How could **Card Stolen From Mail** fraud be reduced 90% due to lack of knowing the recipient's zip code?!? – dotancohen Nov 05 '15 at 08:38
  • 12
    Presumably the card details for cards stolen from the mail are sold in bulk (without the address data) to a 3rd party. – Fractional Nov 05 '15 at 10:29
  • 12
    @dotancohen My guess would be the statistics are from the time when the mechanism was new and yet unknown to fraudsters. If that theory is correct, it seems 90% of thieves discarded the letter and only 65% discarded the wallet. Another thing if that theory is correct, by now there is no more protection in either of these 2 cases because the thieves became aware of it. – Peter Nov 05 '15 at 11:36
  • 26
    All this "security" feature has ever done for me, as a tourist in the US, is prevent me from using my credit cards at the pump. I don't want to have to deal with people when I fuel. Whose inane idea was it to require ZIP codes from non-American credit cards? – Alex Nov 05 '15 at 13:59
  • 4
    @Alex Well, for a U.S. gas station, the vast majority of their customers will be American, so they're probably willing to make the handful of international customers they get come inside to save a substantial amount on CC processing fees. I'd guess that most U.S. gas stations have no more than 1% non-U.S.-resident customers and it's likely quite a bit less than that in areas that aren't near a border or an international airport. – reirab Nov 05 '15 at 16:27
  • 4
    @Alex I believe you can enter 00000 as your zip and it will process. – Kyle W Nov 05 '15 at 17:40
  • 1
    A better question, and a better point to address in the answer, is whether the benefit attained from this _outweighs_ the inconvenience caused. Particularly given that AVS can detect counterfeit cards 100% of the time _without_ needing to check on a user-supplied zip-code (it gets 100% simply because a counterfeit card number won't exist in the AVS database _in the first place_). Probably counterfeit cards whose info happens to coincide with actual cards get counted as "stolen" for the purposes of their stats. – aroth Nov 06 '15 at 04:21
  • General AVS responses: "*Ermahgerd, bergus transaction*". – MadHatter Nov 06 '15 at 13:04
  • @aroth I assumed by "counterfeit cards" they mean cards that have been 'cloned' with the data from legitimate cards, as discussed in [Steve's answer](http://security.stackexchange.com/a/104605/46674). – reirab Nov 06 '15 at 15:12
  • 1
    @aroth - A "counterfeit credit card" with a CC number that hasn't been issued to anyone will automatically fail without AVS. A blank CC is probably fairly cheap, but a criminal won't make tens of thousands of CCs with randomly generated numbers in the hopes that they will find a valid CC number. Also, the cardholder's name is encoded on the CC magnetic stripe, so for a "counterfeit" to stand any chance of "working", it has to at least have an issued CC number and a matching cardholder name. I'm sure that by "counterfeit credit card" they mean a "cloned" card, like from skimming / database hack. – Kevin Fegan Nov 06 '15 at 22:34
  • @dotancohen Cards stolen from mail: Presumably in bulk, as all cards I know of when sent from bank to consumer are unusable until you use it in an ATM and enter your PIN, so a thief would have to know the PIN, so logically this rules out bank -> consumer mail theft. – Jason C Nov 07 '15 at 20:17
  • @Alex If you hate interacting with people at gas stations, you would hate New Jersey (not legal to pump your own gas). Although it's not exactly a tourist destination spot anyways. – Jason C Nov 07 '15 at 20:22
  • 1
    @JasonC In the U.S., most credit cards don't require you to activate them in an ATM and most credit cards here don't even have a PIN. For most of them, you just call a number listed on a sticker on the card to activate, though they do verify that you're calling from the number on the account or else ask you some questions to verify. – reirab Nov 07 '15 at 21:41
  • Worth noting that payment processors generally offer considerably lower fees to merchants using AVS than to merchants that don't. Which indicates 1) that *they* believe it reduces fraud, and 2) that the gas stations will use it anyway, because they'll do anything to improve their slim margins. – hobbs Nov 08 '15 at 19:21
21

You bring up a good point that's often overlooked in Security. Data.

"In God we trust, all others must bring data." - W. Edwards Deming

I think it's unlikely you're going to find actual data for the effectiveness of a security policy. I don't know of a lot of actual scientific analysis in the security industry, and that's a terrible shame. So people are left to speculate, and speculate they will.

Like gowenfawr, I don't have any data either, and can only offer speculation.

You're right that the "stolen wallet attack" won't offer any protection from fraud. But a lot of credit cards these days are stolen from insecure automated processing systems. Target and Home Depot are examples of this. Attackers are taking the information from these systems and cloning cards. I don't believe these systems generally contain the zip code of the cardholder, and it's not encoded on the card itself.

The point being, asking for a zip code at a gas station will make cloning attempts harder to perform. I'd speculate that this will reduce fraud by some amount.

Steve Sether
  • 2
    Ah, thanks. I hadn't considered card cloning. I had assumed that people who stole credit card numbers from attacks like the Target attack just used the card numbers online rather than making clone cards and trying to use them in person. +1 – reirab Nov 04 '15 at 17:36
  • @reirab using the cards on-line generally leaves a traceable trail (i.e. a destination address, computer IP addresses, etc.), whereas there are plenty of places one can use a card in-person without giving any ID (and wear a hat/etc. to avoid cameras.. point is it's harder to track, not impossible) – user2813274 Nov 04 '15 at 23:11
  • A few years ago I read an article about a card cloner. He lived off of cloning cards: buying an expensive laptop at Best Buy with his cloned card, then selling it for cheap on craigslist from a rented hotel room. Very hard to catch someone like that. – Steve Sether Nov 04 '15 at 23:20
  • @user2813274 For cybercriminals capable of pulling off an attack like the one on Target, obscuring their IP address is trivial. The physical destination address is indeed more difficult to get around, but there are ways to minimize risk, such as setting the destination address to some innocent third party and then grabbing it from their mail box or porch after delivery. Even if the fraud is discovered before delivery, odds of the police taking the time to stake out that house are pretty low and you could likely spot them and just keep driving even if they did that. – reirab Nov 05 '15 at 02:26
  • 1
    @reirab it's not that it's impossible, it's that it's an extra step - and not only does it add a delay of a few days in which the fraud can be detected, it also raises suspicions (i.e. if one is shopping from a TOR exit node), if one's billing/shipping address don't match (actually, would you even have a billing address without the zip code? unlikely) - lots of red flags there – user2813274 Nov 05 '15 at 02:39
  • @reirab Many kinds of money laundering scams involve using third parties (homeless, illegals). No need to show up in person. – Peter Nov 05 '15 at 11:42
  • Yes, you don't get the zip code if you steal the card number for cloning from Target's POS. However if you steal it from the gas station's insecure processing network, then you have the zip code that the customers have entered along with their card number. – user46053 Nov 06 '15 at 01:11
7

It's for deterrence, and some things that are used for deterrence are really for the customer to feel safe and secure and do very little for "security." Take surveillance cameras. I probably install about 200+ cameras a year, and although I do everything possible to make the cameras protect the site as best as I can, there are ways around that. They are for deterrence. People see cameras and go "Oh, they have cameras, I can't rob this place." Not saying cameras are useless; I've helped store owners capture probably about 50 employees/customers stealing over the years.

So, let's start with this example. I've stolen your wallet; now, whether you realized this happened 5 minutes ago or 5 hours ago, you are going to call your banks/credit card companies and cancel your cards. As the thief, I have to use your cards quickly as I know you're going to cancel your cards. I'd be more worried about identity theft from a stolen wallet than about my cards being used.

You are right, if I have your wallet I know your zip code. Maybe I can't use your business card, but I can still get away with something for free. I'll go buy pre-paid cards to use and trash your wallet maybe keeping your ID cards.

Let's say instead of stealing your wallet, I hack a POS network and get card information from there. I don't have your zip code, but I could still make a duplicate copy of your card if I got enough information from the hacking I did at the POS network. You wouldn't know your card information had been compromised until the company announces that they've been hacked. Still, I could use that card data to buy stuff, but not at a "pay at the pump" type setting.

You are asked for the ZIP code at locations where you aren't "interacting" with a person. It's a prevention method to keep thieves with your CC info from stealing gas. However they could go inside with a "copied" card and buy gas inside.

Simply, if you are paying with a card 'face to face' with someone, they don't need any extra information from you besides what's on the card. They may ask for Photo-ID to confirm you are the card holder.

If you are at a kiosk paying station (gas pump, store kiosk) and the system asks you for the zip code of the billing address of the card, it's to check for fraud.

That zip code check is verified by the cardholder's bank and is not used in any way other than to verify the information is correct.

In a 'face to face' transaction, any extra information they ask for is most likely for marketing purposes, and they cannot deny your transaction for you failing to give that extra information out.

California Beverly Credit Card Act of 1971 deals with that, and amendments have been made to it over the years.

Does it cut down on fraud, maybe. However, I could still go inside with "your" card and buy gas there. Granted, there's more chance of failure going inside. Cameras, cashier asking for ID, card being reported stolen.

By trying to use the card outside with no employees around, I'm going to get two responses from the gas pump:

  1. Accepted
  2. Your card was declined, see attendant.

If I got option #2, I would just leave and try another zip code at another gas station.

N. Greene
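The AVS flow laid out in the first answer (the issuer compares the entered ZIP with its record, returns a response code, and the merchant rejects codes such as N and A) and the two pump outcomes listed just above, as an added worked model that is not code from any answer on this page. Codes other than N and A, the lockout threshold, and the sample card records are assumptions; the "fail closed when nothing is on file" rule addresses the 00000 speculation in the comments.

```python
from dataclasses import dataclass
from typing import Optional

# AVS response codes. N and A are the two the answer cites; the other three are
# assumed here from the published Visa AVS response code list.
AVS_CODES = {
    "Y": "street number and 5-digit ZIP both match",
    "A": "street number matches, ZIP does not",
    "Z": "ZIP matches, street number does not",
    "N": "neither street number nor ZIP matches",
    "U": "no address data available for this card (e.g. non-US issuer)",
}

MISMATCH_LOCKOUT = 3  # constructed threshold: consecutive N results before flagging

@dataclass
class CardRecord:
    """What the issuing bank holds for one card (constructed sample data)."""
    street_number: Optional[str]
    zip5: Optional[str]
    consecutive_mismatches: int = 0
    flagged: bool = False

def issuer_avs(record: CardRecord, street_number: Optional[str] = None,
               zip5: Optional[str] = None) -> str:
    """Issuer side: compare what the terminal sent with what is on file.

    Missing data on file is reported as U and never counts as a match. A loose
    'nothing on file equals whatever was typed' comparison is the flaw one
    commenter speculates about; it would turn 00000 into a universal key.
    """
    if record.zip5 is None and record.street_number is None:
        return "U"
    zip_ok = zip5 is not None and zip5 == record.zip5
    street_ok = street_number is not None and street_number == record.street_number
    if zip_ok and street_ok:
        code = "Y"
    elif zip_ok:
        code = "Z"
    elif street_ok:
        code = "A"
    else:
        code = "N"
    # Velocity check, like the commenter whose card was locked after several
    # wrong ZIPs: repeated mismatches on one card look like ZIP guessing.
    if code == "N":
        record.consecutive_mismatches += 1
        if record.consecutive_mismatches >= MISMATCH_LOCKOUT:
            record.flagged = True
    else:
        record.consecutive_mismatches = 0
    return code

def pump_decision(avs_code: str, flagged: bool,
                  reject_codes=frozenset({"N", "A"}), accept_unavailable: bool = False) -> str:
    """Merchant side at an unattended pump. The reject set defaults to the
    answer's example (N and A); unknown codes and flagged cards fail closed.
    U is the merchant's call, and sending the customer inside is the default."""
    if flagged or avs_code not in AVS_CODES or avs_code in reject_codes:
        return "declined, see attendant"
    if avs_code == "U" and not accept_unavailable:
        return "declined, see attendant"
    return "accepted"
```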
5

Is there any evidence that this actually leads to a significant reduction in successful credit card fraud?

You would have to ask one of the gas companies, or one of the fraud providers (like Accertify? ThreatMetrix?) who might have statistics ("evidence").

It seems to me like this would not be a very useful measure for a machine that requires the card to be present anyway.... [thieves] almost certainly have at least one and likely several IDs that include your ZIP code.... Thus, I'm curious if any actual security benefit has been shown for this or not.

I don't have evidence, but I offer you speculation:

  1. Of all anti-fraud information tidbits, the zip code is the only one that can be conveniently entered on a numeric-only gas pump keyboard.
  2. Requiring a zip as anti-fraud serves as notification to the user that this transaction is being scrutinized, which may have both a reassuring effect on valid users and a deterrent impact on fraudulent users.
  3. Doing something ends up being better than doing nothing in this case.

There are other fraud steps - location, frequency, and habit analysis - which are probably more effective against the "stolen wallet" use case. But those happen behind the scenes, with no reassurance or deterrence.

gowenfawr
  • Re 1: What prevents the card's PIN from being conveniently entered on a numeric-only gas pump keyboard? In contrast to a zip code, the PIN is _actually_ an anti-fraud information tidbit, whereas zip codes are not even secret -- nobody expects anyone to keep _their postal address_ secret from people around them. – hmakholm left over Monica Nov 06 '15 at 10:35
  • @HenningMakholm in the US it's quite rare for a *credit* cardholder to have a PIN set on their card. It's generally only used for cash advances. [Example](http://www.usatoday.com/story/money/personalfinance/2015/10/01/us-shifts-credit-cards-chip-signature-still-do/73145306/): "Unlike debit cards, 'for credit cards today, it’s not common to use a PIN, so most cards in the U.S. are staying the same way, supporting a signature,' or in some cases no card holder verification at all, says Stephanie Ericksen, vice president of risk products for Visa." – gowenfawr Nov 06 '15 at 13:16
3

Another reason would be to cause the person entering the information to be delayed slightly. Anything that adds a few seconds to an amateur thief's activities reduces the chances they will follow through. Also, those extra few seconds increase the chances of getting a good image on camera.

0

Kinda like what Israel said, it can add somewhat of a delay but chances are that your security cams should already be able to pick it up.

Chances are if they know your credit card info, they basically know everything else, probably just a minor protection method.

xFrei