2019 EAST FCS Seminars – Save The Date!

The 2019 EAST Financial Crime & Security (FCS) Seminars will be held on Wednesday 9th October 2019, at the Park Plaza, Victoria, London, UK.  Save the date!  Register now to get the Early Bird Registration Rate and save £100 on the Standard Registration Rate! (see current 2019 prices here)

Early Registration deadline – Monday 19th August 2019

Two concurrent seminars will be held:

To view last year’s EAST FCS programme and speakers or to check the venue details please visit our events website: www.east-events.org

These events will be co-located with RBR’s ATM & Cyber Security 2019 event, although separate registration is required.

FCS Seminars

47th EAST Meeting hosted by SIBS in Lisbon

The 47th Meeting of EAST National Members was hosted by SIBS at the SANA Metropolitan Hotel in Lisbon on 6th February 2019. National country crime updates were provided by 21 countries, and a global update by HSBC.  Topics covered included payment fraud and the evolution of payment technology, ATM malware and logical attacks, terminal related fraud attacks and ATM related physical attacks.

Presentations were also given by the EAST Payments Task Force (EPTF) and the EAST Expert Group on All Terminal Fraud (EGAF).  An update was given by the EAST Expert Group on ATM and ATS Physical Attacks (EGAP).

EAST Fraud Update 1-2019 will be produced later this month, based on the national country crime updates provided at the meeting.  EAST Fraud Updates are available on the EAST Website to EAST Members.

EAST presents at EUCPN / Europol Conference on Prevention of ATM Physical Attacks

EAST Executive Director Lachlan Gunn, representing the EAST Expert Group on ATM and ATS Physical Attacks (EAST EGAP), presented at a conference on the prevention of ATM physical attacks co-organised by the European Crime Prevention Network (EUCPN) and Europol.  The event, attended by experts from law enforcement and the private sector, was held in Brussels on 22/23 January 2019.

ATM Physical AttacksThe focus of the conference was on the sharing of experiences, insights and best practices with a view to preventing these types of attack on ATMs.  Of particular concern were explosive gas and solid explosive attacks.  An overview of the current situation was built up and then in-depth workshops were held to consider ATM Physical Attack prevention before, during and after an attack.

As a result of the conference the EUCPN and Europol will prepare a paper on the most effective measures that can be used to prevent or deter ATM Physical attacks.

Europol launches new ATM Logical Attack Guidelines at 17th EAST EGAF Meeting

ATM Logical AttackEuropol has published new guidelines to help industry and law enforcement counter the ATM Logical Attack threat.  The document was officially launched at the 17th Meeting of the EAST Expert Group on All Terminal Fraud (EAST EGAF), which took place on Wednesday 16th January 2019 at ING Domestic Bank in Amsterdam.  Production of the document was coordinated by EAST EGAF.  It has three sections:

  1. Description of Modi Operandi
  2. Mitigating the risk of ATM Logical and Malware Attacks, Setting up Lines of Defence
  3. Identifying and responding  to Logical and Malware Attacks

The original Guidelines were published in 2015 when law enforcement and the private sector came together to support the banking and payments industry. That report, the first of its kind, provided vendor-neutral guidance on countermeasures to such attacks, as well as a collection of indicators that could be used to detect when an incident may have occurred.  This new version provides clearer definitions and greater clarity of the criminal methods and techniques encountered in these attacks, and more detailed recommendations on how to mount a robust and effective response to them.

Steven Wilson, Head of Business at Europol’s European Cybercrime Centre (EC3), said “This updated and refocused edition of the report draws upon the expertise of an expanded panel of experts from both law enforcement and the private sector. In addition to the key role played by EAST, I would like to extend my thanks to Diebold Nixdorf, GMV, ING, INTERPOL, NCR, TMD Security and Trend Micro for their invaluable work and contributions, without which this report would not be possible.  I continue to look forward to Europol’s engagement and cooperation with all of our partners within private industry and law enforcement in such endeavours, and our continuing fight against threats affecting the payment industry.”

Circulation of the document is restricted to Law Enforcement and to the banking and payments industry, which includes EAST Members (National and Associate).

17TH EAST EGAF Meeting

The 17th Meeting was chaired by Mr Otto de Jong and was attended by Europol and INTERPOL as well as by key representatives from Terminal Deployers, Terminal Vendors, Networks, Card Schemes, Security Equipment and Software Vendors and Forensic Analysts.

EAST EGAF is a regional expert group that focuses on regional and global payment terminal crime and fraud related issues, threats and counter-measures.  The Group, which meets three times a year in advance of each of the meetings of EAST National Members, enables in-depth and technical discussion to take place on Logical and Malware attacks, Card Skimming, Card Trapping, Cash Trapping and Transaction Reversal Fraud.

In addition EAST EGAF generates EAST Fraud Alerts for all EAST Members (National and Associate). In total 204 EAST Fraud Alerts have been issued, 3 to date in 2019.

EAST EGAF meetings are restricted to working group members and, to provide a wider platform for sharing/discussion, the Group is holding a half-day open seminar in London on 9th October 2019.  Registration for this will soon be open and more information can be found on the EAST Events website.

EAST Upgrades Terminal Fraud Definitions

EAST has upgraded its Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This information is now available on the EAST website.

The EAST Expert Group on All Terminal Fraud (EGAF) has identified six ways by which criminals achieve their targets from the different terminal fraud types as shown below:

In the upgraded Terminal Fraud Definitions each applicable criminal benefit is highlighted next to each terminal fraud type.  The defined Terminal Fraud Types are: Card Skimming; Card Shimming; Eavesdropping; Card Trapping; Cash Trapping; Transaction Reversal Fraud (TRF); Malware; and Black Box.

Below is the definition for Card Skimming which highlights that skimming enables criminals to: Create counterfeit cards; make card-not-present (CNP) purchases; use fake cards in-store; and sell compromised data.

fraud definitions - card skimming

EAST Executive Director Lachlan Gunn said “This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses. The EGAF Chair, Otto de Jong, and his team have produced something fresh and simple which we hope will be adopted globally by the Industry and Law enforcement when describing or reporting terminal fraud. In particular we would like to thank Ben Birtwistle of NatWest Bank plc, along with Claire Shufflebotham and Niek Westendorp of TMD Security, whose creative ideas and design made this latest upgrade possible.”

A summary of the upgraded fraud definitions and terminology is available on the EAST website along with a more detailed document for download.  These have been classified ‘WHITE’ under the terms of the EAST Information Security Policy and may be shared freely, subject to standard copyright rules.

200 Fraud Alerts Issued by EAST

EAST has published its 200th Fraud Alert.  These Alerts are issued by EAST National Members, often with the support of Law Enforcement and other EAST Associate Members.  To date 28 countries have issued Fraud Alerts covering ATMs, Unattended Payment Terminals (UPTs) and Point of Sale (POS) Terminals.

EAST first started issuing Fraud Alerts in September 2013.  These Alerts provide valuable and timely intelligence to law enforcement agencies and the industry, allowing the spread of emerging threats and criminal methodologies to be tracked across the world.  While most of the Alerts have been issued by countries within the Single Euro Payments Area (SEPA), there have been some from Belarus, Mexico, Russia, Serbia, Turkey, Ukraine and the United States.

To date EAST Fraud Alerts issued have covered:  Black Box attacks (cash out / jackpotting); Card Shimming (S1 devices); Card Skimming (highlighting the spread of different devices such as M1, M2, M3, D2 and D3); Card Trapping; Cash Trapping; Deposit Fraud; Eavesdropping (highlighting the use of different MOs such as E2 and E3); EMV Shock Cards; Malware (cash out / jackpotting); Transaction Reversal Fraud; and Vandalism.  The table below shows a summary the Alerts issued:

Fraud Alerts

Definitions of the different fraud types and related terminology are available on this website.

The EAST Expert Group on All Terminal Fraud (EGAF) initiated the Fraud Alerts and conducts in-depth analysis of some of the emerging threats and devices.  Each Alert covers: the type of fraud; the country where discovered; the terminal type(s) affected; an indication as to whether or not the fraud was successful; a description of the device and the criminal MO; indication as to the device location; information on PIN compromise (if card skimming or card trapping); and any available images.

EAST also issues Payment Alerts and Physical Attack Alerts.

EAST Alerts contain sensitive information and are restricted to EAST Members (National and Associate).  They are classified as AMBER using the variant of the Traffic Light Protocol (TLP) adopted by EAST.

EPTF holds Fourth Meeting

EPTFThe Fourth Meeting of the EAST Payments Task Force (EPTF) took place on Thursday 22nd November 2018 at the Banking & Payments Federation Ireland (BPFI) in Dublin.

The EPTF is a specialist task force that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.  The EPTF has recently published Payment Fraud Terminology and Payment Fraud Definitions.  The aim is for the payment fraud terminology, and related payment fraud definitions, to be adopted globally when describing or reporting payment and transaction fraud.

The meeting was chaired by Mr Rui Carvalho, EAST Development Director, and was attended by key representatives from Card Issuers, Law Enforcement, Payment Processors, Payment Providers and Solution Providers.

Presentations or updates were given by BANCOMAT S.p.A, BPFI, Diebold Nixdorf,  EURO Kartensysteme GmbHEuropol, INTERPOL, PayLife, PayPal, Trend Micro, Visa Europe.

The Group, which meets twice a year, adds value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  EAST National Members represent 35 countries and outputs from the group are presented to National Member Meetings.  There are 202 EAST Associate Member Organisations from 52 countries and territories.

EAST Presents at CyberSouth Event

CyberSouthEAST Executive Director Lachlan Gunn presented at a CyberSouth Regional Workshop on Business Email Compromise (CEO Fraud) and Electronic Payment Fraud on 13 November 2018 . The event, which ran from 12-14 November 2018, was held at the Directorate for Investigating Organised Crime and Terrorism (DIICOT) in Bucharest, Romania and was implemented by the Council of Europe.  The CyberSouth project focuses on cooperation on cybercrime in the Southern Neighbourhood and aims at reinforcing the capacities of specialised units with responsibilities relating to tackling cybercrime and dealing with electronic evidence.

The workshop focused on increasing the knowledge of the participants on the different trends and typologies of online fraud and of electronic payment fraud in order to assist with strengthening the capacity of the criminal justice authorities in the CyberSouth countries to search for, seize, and confiscate the illicit proceeds of cyber-criminals in the target areas.  Cybercrime investigators and prosecutors from the following Southern Neighbourhood priority area countries attended the event: Algeria; Jordan; Lebanon; Morocco; Tunisia.

National representatives were also present from Germany, Israel, Romania and the USA.  Europol and Eurojust were present and the private sector was represented by American Express, BIT Defender and EAST.

The EAST presentation covered the structure and methodology used by EAST to help improve public/private sector cross-border cooperation in the fight against organised cross-border crime, and then shared information on the latest statistics and trends relating to logical (black box) attacks against ATMs, and also on malware used to enable jackpotting (cash out) at ATM locations.  The latest fraud definitions produced by EAST were also shared and it was advised that an updated version of these will soon be available.  These definitions are aimed at helping law enforcement agencies, private sector fraud investigators and other stakeholders to standardise reporting terminology when following up on incidents.

The Cybercrime Programme Office of the Council of Europe (C-PROC), based in Bucharest, is responsible for assisting countries worldwide in the strengthening of their criminal justice capacity to respond to to the challenges posed by cybercrime and electronic evidence on the basis of the standards of the Budapest Convention of Cybercrime.  This is the only binding international instrument on this issue and serves as a guideline for any country developing comprehensive national legislation against Cybercrime and as a framework for international cooperation between State Parties to The Convention on Cybercrime of the Council of Europe (CETS No.185).

 

EAST Publishes European Fraud Update 3-2018

European FraudEAST has published its third European Fraud Update for 2018. This is based on country crime updates given by representatives of 15 countries in the Single Euro Payments Area (SEPA), and 3 non-SEPA countries, at the 46th EAST meeting held in London on 9th October 2018.

Payment fraud issues were reported by fourteen countries. Seven countries reported card-not-present (CNP) as a key fraud driver. One country reported merchant manipulation of settlement files to force through authorisations on POS terminals – once the forced transaction is through on a card the merchant cashes out using it. One country reported malware related to two APT attacks – some Chinese criminals are under observation in connection with them. Another country reported impersonation fraud relating to bill payments – possibly involving collusive postal workers. To date in 2018 the EAST Payments Task Force (EPTF) has published six Payment Alerts covering phishing, malware on mobile phones, fraudulent mobile Apps, CNP fraud and Technological fraud. The EPTF has recently published payment terminology and definitions.

ATM malware and logical security attacks were reported by seven countries.  Four of the countries reported ATM related malware and six countries reported the usage (or attempted usage) of ‘black-box’ devices to allow the unauthorised dispensing of cash.  To date in 2018 the EAST Expert Group on All Terminal Fraud (EGAF) has published eleven related Fraud Alerts.

Card skimming at ATMs was reported by fourteen countries.  The overall trend is downward, as the recently published EAST European Payment Terminal Crime Report covering January to June 2018 highlights.  The usage of M3 – Card Reader Internal Skimming devices was reported by four countries and one country reported the use of M2 – Throat Inlay Skimming Devices.  Skimming attacks on other terminal types were reported by five countries, three of which reported such attacks on unattended payment terminals (UPTs) at petrol stations.  One country reported that a series of shimming devices at POS terminals had been detected and taken down.  To date in 2018 EAST EGAF has published twelve related Fraud Alerts.

Year to date International skimming related losses were reported in 44 countries and territories outside SEPA and in 6 within SEPA.  The top three locations where such losses were reported remain Indonesia, the USA and India.

Six countries reported incidents of Transaction Reversal Fraud (TRF), one of which reported a new attack variant where the criminals use a ‘chip-on-a-strip’.  To date in 2018 EAST EGAF has published five related Fraud Alerts.

Ram raids and ATM burglary were reported by eight countries and eight countries reported explosive gas attacks, one of which reported that two people had been sent to hospital due to related smoke inhalation.  Five countries reported solid explosive attacks.  The spread of such attacks has long been of great concern to the industry due to the risk to life and to the significant amount of collateral damage to equipment and buildings.  One such attack resulted in the death of a person, the first time that this has been reported.  To date in 2018 the EAST Expert Group on ATM & ATS Physical Attacks (EGAP) has published seven related Physical Attack Alerts.

The full Fraud Update is available to EAST Members (National and Associate).

EAST Presents at ATEFI Forum on Security in Payment Systems

payment systemsEAST Development Director Rui Carvalho (pictured second from the right with Cristian Patti, Fernanda Romero and Oscar Castellano of ATEFI) presented an overview of Terminal Related Fraud and Transaction Fraud in Europe at the fourth Annual Latin American Forum on Security in Payment Systems, held on 24th / 25th October 2018 in Buenos Aires, Argentina.

The event was organised by ATEFI in order to raise awareness of payment-related crime in Latin America.  It focused on physical attacks and cyber threats to electronic payment systems in the region.  Over 180 people attended from:

  • Ministry of Security of the Province of Buenos Aires
  • Argentine Federal Police
  • AMERIPOL
  • Argentine Federal Administration of Public Revenues (AFIP)
  • Central Bank of the Argentine Republic (BCRA)
  • Compensating Chamber of the Argentine Republic (COELSA)
  • Office of the Prosecutor of the Government of the Province of Buenos Aires
  • Ministry of the Interior of Uruguay
  • European Association for Secure Transactions (EAST)
  • 12 ATEFI Member Networks from 10 regional countries: Brazil, Chile, Uruguay, Paraguay, Panama, Honduras, Guatemala, Ecuador, Colombia, Argentina
  • 22 Banks
  • Association of Banks of Argentina
  • Payment Card Schemes
  • Specialist Media Representatives

ATEFI is the Latin American Association of Operators Electronic Funds Transfer and Information Services and represents 20 ATM networks in 14 countries throughout Latin America.

In May 2016 EAST and ATEFI joined forces in order to further strengthen cross border cooperation in combating all types of payment crime including payment card fraud, hi-tech crime and ATM cyber and physical attacks.