Preventing Physical ATM Attacks – advice in all EU Languages

To counter the increase in physical ATM attacks in Europe, affecting an increasing number of European countries, the European Crime Prevention Network (EUCPN) and Europol organised a conference (January 2019) bringing together law enforcement and public and private partners to look at the prevention of this crime. EAST was represented at the event by Executive Director Lachlan Gunn. The output was a recommendation paper summarising the conclusions of the conference and aimed at raising authorities’ awareness of physical ATM attacks and preventive measures.

This recommendation paper has now been translated into all the EU languages and is available for download from the EUCPN website.

In the most recent European Payment Terminal Crime Report published by EAST on 13 October 2020, and covering the first 6 months of this year, ATM explosive attacks (including explosive gas and solid explosive attacks) were up 0.4% (from 503 to 505 incidents). Losses due to physical ATM attacks were €12.6 million, an 11% increase from the €11.4 million reported during the same period in 2019. This increase was driven by a rise in losses due to explosive and gas attacks, which were up 49% from €5.1 million to €7.6 million.

Black Box attacks increase across Europe

EAST has just published a European Payment Terminal Crime Report covering the first six months of 2020 which reports a sharp increase in Black Box attacks on European ATMs.

ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks. A Black Box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, in order to ‘cash-out’ or ‘jackpot’ the ATM. Related losses were up from less than €1,000, to just over €1 million.

EAST Executive Director Lachlan Gunn said, “Overall crime at terminals has decreased during the lockdown phase of the pandemic. While this rise in Black Box attacks is of concern, most such attacks remain unsuccessful. Our Expert Group on All Terminal Fraud (EGAF) is focussed on addressing this issue, with close cooperation between industry partners and law enforcement. In January 2019 EGAF worked with Europol to update a document, published by Europol, entitled ‘Guidance & recommendations regarding logical attacks on ATMs’. This is currently available in English, French, German, Russian, Spanish and Turkish”.

Terminal related fraud attacks were down 66% (from 10,723 to 3,631 incidents). Card skimming fell to another all-time low (down from 731 to 321 incidents) and transaction reversal fraud (TRF) at ATMs decreased by 97% (down from 3,405 to just 108 incidents). Total losses of €109 million were reported, down 12% from the €124 million reported during the same period in 2019.

ATM related physical attacks were down 23% (from 2,376 to 1,829 incidents). Attacks due to ram raids and ATM burglary were down 34% (from 610 to 405 incidents) and ATM explosive attacks (including explosive gas and solid explosive attacks) were up 0.4% (from 503 to 505 incidents). Losses due to ATM related physical attacks were €12.6 million, an 11% increase from the €11.4 million reported during the same period in 2019. This increase was driven by a rise in losses due to explosive and gas attacks, which were up 49% from €5.1 million to €7.6 million.

A summary of the report statistics under the main headings is in the table below.

The full Crime Report is available to EAST Members (National, Global and Associate)


2nd Interim EAST Meeting – National and Global Members

A second Interim Meeting of EAST National and Global Members took place on Wednesday 7th October 2020. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Rui Carvalho, EAST Development Director. The 1st EAST Global Congress is now scheduled to be held in February 2021, dependent on the prevailing status of the pandemic.

Law enforcement overviews were provided by Europol, INTERPOL and the Gulf Cooperation Council Police (GCCPOL). Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered the recent publication of their Internet Organised Crime Threat Assessment (IOCTA 2020), focussed on criminal trends relating to Covid-19, and prevention and awareness; the other covered Physical ATM attacks across Europe. The INTERPOL presentation covered the impact of Covid-19 on Financial crimes from the global perspective and the GCCPOL presentation covered payment and fraud issues seen by their 6 member countries.

Updates were received from 28 countries, either directly or via a global update by HSBC. As with the previous meeting, the key focus remained on the impact of the coronavirus crisis and each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).

EAST Fraud Update 3-2020 will be produced during October, based on the country updates provided at the Interim EAST Meeting. EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

IOCTA 2020 Published by Europol

Europol has published its Internet Organised Crime Threat Assessment for 2020 (IOCTA 2020). This highlights the dynamic and evolving threats from cybercrime and provides a unique law enforcement focused assessment of emerging challenges and key developments in the space. The data collection for the IOCTA 2020 took place during the lockdown implemented as a result of the COVID-19 pandemic. Indeed, the pandemic prompted significant change and criminal innovation in the area of cybercrime. Criminals devised both new modi operandi and adapted existing ones to exploit the situation, new attack vectors and new groups of victims.

So much has changed since Europol published last year’s IOCTA. The global  pandemic forced the reimagination of our societies and the reinvention of the way we work and live.  During the lockdown, people turned to the Internet for a sense of normality: shopping, working and learning online at a scale never seen before.  The IOCTA 2020 seeks to map the evolving cybercrime threat landscape and understand how law enforcement responds to it.  Although the COVID-19 crisis has shown how criminals actively take advantage of society at its most vulnerable, this opportunistic behaviour should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems, some of which are shown below:


  • Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime-as-a-service. Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
  • Encryption continues to be a clear feature of an increasing number of services and tools.  One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.  The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.


  • Ransomware attacks have become more sophisticated, targeting specific organisations in the public and private sector through victim reconnaissance. While the COVID-19 pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis. Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the compromised data, increasing the pressure on the victims to pay the ransom. Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.


  • SIM swapping, which allows perpetrators to take over accounts, is one of the new trends in IOCTA 2020.  As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.  Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.


  • In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year. Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralised marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year. OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.

How ‘Virtual Cards’ Could Mitigate Merchant Fraud Risk

Virtual payment cards being tested in Europe and the United States could help mitigate the risk of merchant fraud, says EAST Development Director Rui Carvalho in an interview with Suparna Goswami of  Rui, who also chairs the EAST Payments Task Force (EPTF), is an industry expert on secure transactions and new approaches to payment security.

A virtual card, also known as electronic card, is a unique 16-digit card number that’s created online solely for a single use between a payer and a payee.  It can help stop merchant fraud, such as when a merchant applies for a merchant account without any intention of actually operating a legitimate business and then processes fraudulent transactions.

‘Virtual cards provide a lot of security because you create your virtual card based on your normal card and the number that is used for a specific merchant is no longer valid,’ Rui said in the interview, which also covered:

  • Merchant fraud trends;
  • The technologies, including virtual cards, that can mitigate risks;
  • The countries with the highest risks of merchant fraud.

The full interview can be seen on the FraudToday website.

EAST EGAF holds 21st Meeting

The 21st Meeting of the EAST Expert Group on All Terminal Fraud (EGAF) took place on Wednesday 16th September 2020.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Otto de Jong of ING Bank.

The meeting was attended by 28 key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors, Law Enforcement and Forensic Analysts.

EAST EGAF, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud (TRF).

Presentations were made by Europol, INTERPOL, Damage Control, Diebold Nixdorf, Group-IB, KAL, Mastercard and NCR.

Experts from the following organisations also contributed to the meeting:  Bits A/S, Cardtronics, Cennox,  Dutch Payments Association, Fiducia & GAD, GMV, NatWest Group, TietoEVRY, TMD Security, TrendMicro.

An increasing number of TRF incidents are being reported and, to help mitigate the risk, EAST EGAF has produced a general Security Alert about the threat, which was ratified by the meeting.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National, Global and Associate). In total 247 EAST Fraud Alerts have been issued, 22 to date in 2020. Since 2013 there have been 15 Fraud Alerts issued relating to TRF.

EAST Publishes TRF Alert

A Security Alert relating to Transaction Reversal Fraud (TRF) has just been published by the EAST Expert Group on All Terminal Fraud (EGAF).

TRF is the unauthorised physical manipulation of an ATM cash withdrawal which makes it appear to the ATM system that cash has not been dispensed, despite the criminal gaining access to, and taking, the cash. This causes a reversal message to be generated and sent to the card issuing organisation, ultimately resulting in a free cash withdrawal. Criminals will typically use prepaid cards, or stolen or skimmed cards, making it difficult to detect the identity of the perpetrator.

TRF exploits weaknesses in the hardware, application software, or transaction handling at the host.  TRF does not involve a legitimate customer.  A definition of TRF can be found on this website.

Information provided by EAST members, and shared through Alerts and Reports, shows that criminals are increasingly using TRF throughout Europe and in other parts of the world.

This Security Alert, which provides a description of TRF (Key MOs and Typical Execution) along with Guidelines to mitigate the risk, is available to EAST Members (National, Global and Associate).


EAST EGAP holds 14th Meeting

The 14th Meeting of the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) took place on Wednesday 2nd September 2020.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Graham Mott of  the LINK Scheme.

The meeting was attended by 40 key representatives from Law Enforcement, Terminal Deployers, ATM Networks and Security Equipment Vendors.

  • Europol gave a central assessment of the ATM physical attack situation in Europe.
  • The ECB gave an update on the latest developments of its Intelligent Banknote Neutralisation (IBNS) Policy.
  • National Threat Assessments were shared by representatives from 15 countries:

| Country | Update(s) Given By |
|---|---|
| Austria | Payment Services Austria (PSA) |
| Croatia | MUP - Ministry of the Interior |
| France | Gendarmerie - OCLDI |
| Ireland | An Garda Siochana |
| Luxembourg | Service de Police Judiciaire |
| Netherlands | National Police, ING Bank |
| Portugal | Policia Judiciaria, Policia de Seguranca Publica |
| South Africa | SABRIC |
| Spain | Spanish National Police, Guardia Civil, Autonomous Police of Catalonia |
| Switzerland | Federal Office of Police (FEDPOL) |
| United Kingdom | SaferCash/West Midlands Police (ROCU) |

Experts from the following organisations also contributed to the meeting:  ATM Safe, Barclays, Cennox, Diebold Nixdorf, Feerica S.A., HSBC, NCR, Oberthur Cash Protection, Professional Witnesses Group, Scotia Security Group, Spinnaker, TMD Security.

EAST EGAP is a European specialist expert forum for discussion of ATM and ATS related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices. The latest lists can be downloaded from the ‘Stained Banknotes’ page on this website (bottom of page).

The Group meets twice each year to enable in-depth and technical discussion to take place. The areas covered include:

  • The latest incidents and criminal MOs
  • The collection and distribution of best practice guidelines
  • The evolution of threats and counter-measures
  • Lessons from and on law enforcement

EAST Publishes Central/Host Fraud Definitions

EAST has published new Central/Host Fraud Definitions, produced by the EAST Expert Group on All Terminal Fraud (EGAF). Central/Host Fraud Definitions cover attacks against central infrastructure like banking host systems in order to perform different Modus Operandi not directly connected to a Terminal.

The compromise of a corporate network is the first step with these types of incidents. This can be done by external attackers as well as by internal employees of the institution. The document provides an explanation of how a Corporate Network Attack is prepared and how attackers typically try to get access to this critical infrastructure, enabling the three different Modus Operandi:

  • Card Processing – Control of a financial institution’s card processing infrastructure leading to illegitimate ATM withdrawals using genuine transactions from an ATM perspective. This is also known as ‘Unlimited Operations / Cash Outs’.
  • Fund Transfer – Control of a financial institution’s fund transfer infrastructure leading to illegal funds transfer using SWIFT/electronic banking.
  • Remote Malware Distribution and Control – Control of a financial institution’s network leading to illegitimate file distribution in order to install and execute ATM specific malware. The different malware Modus Operandi actually used within the attack can be Jackpotting, Man-in-the-Middle (MITM) and SW-Skimming (see EAST Terminal Fraud Definitions).

The aim is for these fraud definitions to be adopted globally by the Industry and Law enforcement when describing or reporting payment and terminal fraud.

EAST EGAF has also produced Terminal Fraud Definitions which cover onsite attacks against endpoints, not limited to but mainly focusing on ATM related attacks. These definitions describe Card Skimming, Card Trapping, Card Shimming, Eavesdropping, Cash Trapping, Transaction Reversal Fraud (TRF), Malware and Black Box attacks.

All definitions fit under the overall Fraud Definitions published by EAST, and are the basis of a new template used by EAST National and Global Members when preparing Country Updates for EAST Global Congress Meetings.  This template was first used at the EAST Interim Meeting held on 10th June 2020, which resulted in the publication of EAST Fraud Update 2-2020.

Countering the ransomware threat

The risks of becoming a victim of a ransomware attack continue to increase as criminals exploit organisational vulnerabilities and typically use spear-phishing emails to target potential victims. According to Europol, cases have been rising alarmingly in the past few months and have brought critical activities such as hospitals and governments to a standstill.

Garmin was a recent victim of a cyber attack that encrypted some of their systems. The alleged ransomware attack is thought to be the work of ‘Evil Corp’, a group of Russian hackers that allegedly mainly targets US corporations.  Garmin services started to go offline on Thursday 23 July 2020 and many of the most popular services, including Garmin Connect and most of the Strava integrations, were unavailable to users over the weekend period.  According to Garmin ‘Affected systems are being restored and we expect to return to normal operation over the next few days.’

To counter ransomware a free scheme called No More Ransom is helping victims fight back without paying the hackers. Since its launch four years ago the No More Ransom decryption tool repository has registered over 4.2 million visitors from 188 countries and has stopped an estimated $632 million in ransom demands from ending up in criminals’ pockets.

Powered by the contributions of its 163 partners, the portal has added 28 tools in the past year and can now decrypt 140 different types of ransomware infections. The portal is available in 36 languages.  All the key figures can be seen in Europol’s dedicated infographic.

How No More Ransom works

No More Ransom is the first public-private partnership of its kind helping victims of ransomware recover their encrypted data without having to pay the ransom amount to cybercriminals.

To do this, simply go to the website and follow the Crypto Sheriff steps to help identify the ransomware strain affecting the device. If a solution is available, a link will be provided to download the decryption tool for free.

Prevention remains the best cure

No More Ransom goes a long way to help people impacted by ransomware, but there are still many types of ransomware out there without a fix. Fortunately, there are some preventative steps you can take to protect yourself from ransomware:

  • Always keep a copy of your most important files somewhere else: in the cloud, on another drive offline, on a memory stick, or on another computer.
  • Use reliable and up-to-date anti-virus software.
  • Do not download programs from suspicious sources.
  • Do not open attachments in e-mails from unknown senders, even if they look important and credible.
  • And if you are a victim, do not pay the ransom!

Do you have an innovative solution for ransomware families not yet covered in the portal to help victims recover their files without giving in to the demands of the criminals? If so, then Europol would like to hear from you.

What is Ransomware?

The EAST Payments Task Force (EPTF) defines ransomware as ‘A type of malicious software designed to block access to a computer system until a sum of money is paid.’  It is a form of data compromise.  An overview of all EAST Fraud Definitions can be seen here.

Tips and Advice From Europol