Viewpoint: Payment Security

Payment security is relevant to all cardholders.  According to the latest EAST research, the majority would contact their bank with an issue.

Most of us use payment cards on a regular basis for online transactions and for transactions at payment terminals.  Having something happen to your card while using a payment terminal can therefore be a great inconvenience.  For example a card can be retained by an ATM – while this might be at the request of your bank, it can it can also be due to fraudulent activity such as card trapping.  Also your card might be compromised at a terminal due to card skimming, or it might be compromised due to a data breach at a third party.

From January to April 2019 EAST ran a poll which asked the question ‘If you had a payment card related issue while using a payment terminal (ATM, POS or UPT) which party would you be most likely to contact?’  The results can be seen in the chart below.

Payment Security

  • The majority of the respondents (80%) would contact their card issuing bank
  • 12% would contact a central fraud line
  • 4% would contact the owner of the payment terminal or the merchant where payment was done
  • 4% would directly contact the police

Viewpoint: Contactless transactions

Contactless transactions are increasingly used as the payment landscape continues to evolve.  Cardholders are enjoying faster payments and the ability to pay how they want, either using a card, or NFC if their smartphone has the required app. The ability to Tap & Go is convenient for both cardholders and retailers. As no PIN is required for a contactless transaction (up to the floor limit allowed in the market), there are risks if a contactless card or NFC enabled device is lost or stolen.

From September to December 2018 EAST ran a poll which asked the question ‘What is most important to you when making a contactless transaction?’  The results can be seen in the chart below.

contactless transactions

  • The majority of the respondents felt that ‘security and speed’ was most important – 41% feeling that a PIN is required for larger transactions over an agreed limit and 28% feeling that a PIN is required only after a user-defined amount limit.
  • 17% felt that speed alone was most important, and that a PIN was not required
  • 8% felt that security was most important and that a PIN should be used for all contactless transactions.
  • 6% chose speed and security, feeling that no PIN should be required when shopping at specified merchants

Viewpoint: PSD2 will revolutionise the payments system

All respondents to an EAST Poll that ran from May to August 2018 felt that the new Payments Service Directive 2 (PSD2) will revolutionise the payments system.  58% felt that it would have an impact on a medium or shortt term basis and 42% felt that the impact would be on a long term basis.

PSD2

PSD2 came into force on 13 January 2018. Banks need to adapt to the required changes that open many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future.  The PSD2 aims are to:

  • better protect consumers when they pay online
  • promote the development and use of innovative online and mobile payments such as through open banking
  • make cross-border European payment services safer.

PSD2 is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA).

Message from the Executive Director

Another year is drawing to a close.  On behalf of the EAST Board I would like to thank everyone who has contributed towards the success of EAST this year – as a non-profit organisation on a tight budget we very much depend on the contributions made by our members towards our outputs.

This month we published upgraded Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses – this will benefit the industry and law enforcement agencies globally when working to prevent payment terminal related crime, or in the follow up to specific cases.  This work would not have been possible without the creative input of Ben Birtwistle (NatWest Bank Plc) and Claire Shufflebotham (TMD Security).

We held National Member meetings in Frankfurt in February (our 44th Meeting hosted by EURO Kartensysteme GmbH), in The Hague in June (our 45th Meeting hosted by EC3 at Europol) and in London in October (our 46th Meeting hosted by the LINK Scheme).  The 46th Meeting was immediately followed by a Terminal Fraud Seminar and an ATM Physical Attacks Seminar.  These successful events were organised by our Financial Crime & Security (FCS) Events team and were co-located with RBR’s ATM & Cyber Security Conference 2018 (#ACS18).  These events are planned to be held again in October 2019 and for more information please check our new Events Website which went ‘live’ during the year.

The EAST Expert Group on All Terminal Fraud (EGAF), chaired by Otto de Jong, held two meetings in January and September, both hosted by ING in Amsterdam.  EGAF produced  the upgraded Terminal Fraud Definitions and also worked with Europol on an update to the published ‘Guidance and Recommendations to help counter Logical Attacks at ATM’s’.  The updated version will soon be published by Europol.  Law Enforcement participation is from Europol, INTERPOL, the US Secret Service, the BKA and the French Gendarmerie (IRCGN).

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP), chaired by Graham Mott, held two meetings in March and September, both in The Hague, one hosted by Europol and the other by the LINK Scheme.  Law Enforcement participation in this group continues to increase with LEAs fro10 ifferent countries participating, in addition to Europol.

The EAST Payments Task Force (EPTF), chaired by Rui Carvalho, held two meetings in April and November, both hosted by the BPFI in Dublin.  This group has recently produced Payment Fraud Terminology and definitions, used when producing Payment Alerts and other documents. The aim is for this terminology to be adopted globally when describing or reporting payment and transaction fraud.  Law Enforcement participation is from Europol, INTERPOL and the US Secret Service.

In addition to the work of the above groups, we supported Law Enforcement during the year by presenting at: a seminar on Fraud in Electronic Payments organised by the Portuguese Judicial Police; Europol’s 5th Strategic Meeting on Payment Card Fraud held in Hanoi, Vietnam; the Europol Training on Payment Card Forensics; by attending Europol’s Cryptocurrency Conference; and most recently by joining Europol’s Advisory Group on Financial Services.

We also presented at the following public and private sector events: the Fourth Annual Latin American Forum on Security in Payment Systems, and the CyberSouth Regional Workshop on Business Email Compromise (CEO Fraud) and Electronic Payment Fraud.

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European Payment Terminal Crime Reports and European Fraud Updates.  Our thanks again go out to all the people and organisations that have shared information for the above, and for EAST Fraud Alerts (34 sent out this year to date), EAST Physical Attack Alerts (10 sent out this year to date) and most recently EAST Payment Alerts (6 sent out this year to date).  This year the total number of Fraud Alerts published passed 200!

EAST Associate Membership continues to grow.  We now have 202 Associate Member organisations from 52 countries and territories.  This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations.

Wherever you are reading this I would like to wish you a wonderful festive break and a very happy New Year!

Kind regards

Lachlan

 

 

Viewpoint: Poll shows majority of payment fraud losses are reimbursed in a week

In a website research poll that ran from September to December 2017, participants who had experienced losses due to payment fraud over the past two years were asked how long it took them to get reimbursed.  77% were reimbursed within a week, with a third getting their money back on the first day, and for 23% reimbursement took up to a month. The full poll results can be seen in the chart below.

payment fraud

Money can only be taken from your bank account if you have authorised the transaction or your bank can prove you were at fault. If you notice a payment out of your bank account that you did not authorise, best advice is to contact your bank immediately. If you are sure you did not authorise a particular payment you can claim a refund.

The current website research poll, which closes at the end of April, is also on Payment Fraud and asks how you felt if you have been contacted by your bank about suspicious transactions, and/or your account was blocked for the same reason.  To take it, and to see all past results, visit the Payment and Terminal Research page on this website.

Message from the Executive Director

The end of another busy year is almost upon us.  On behalf of the EAST Board I would like to thank everyone who has contributed towards the continued success of EAST this year – and it has been a very busy year.  In June we changed our name to become the European Association for Secure Transactions, the culmination of many discussions held by our Board and National Members, and positioning EAST to continue to be able to support the needs of our members in the fast changing payments landscape.  The announcement was made at our Third EAST FCS Forum in The Hague.  This well-attended event, the best yet, also featured two new interactive workshops run by EAST EGAF and EAST EGAP.

We held National Member meetings in Oslo in February (our 41st Meeting hosted by Bits AS), in The Hague in June (our 42nd Meeting hosted by Europol) and in Edinburgh in October (our 43rd Meeting hosted by the LINK Scheme).  In January Halo BCA joined EAST as a new National Member for Indonesia and in April Banorte IXE joined EAST as a new National Member for Mexico

The EAST Expert Group on All Terminal Fraud (EGAF), chaired by Otto de Jong, held three meetings in January, May and September, all hosted by ING in Amsterdam.  EGAF updated its guidelines on standardising terminology for locations of Card Data Compromise (CDC) devices at ATMs and also the definitions used to report and classify ATM fraud.  Law Enforcement participation is from Europol, the US Secret Service, the BKA and the French Gendarmerie (IRCGN).

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP), chaired by Graham Mott, held two meetings in March and September, both in The Hague, one hosted by Europol and the other by the LINK Scheme.  Law Enforcement participation in this group is increasing with LEAs from 8 different countries participating, in addition to Europol.

The EAST Payments Task Force (EPTF), chaired by Rui Carvalho, held its first face-to-face meeting in April and its second meeting last month.  Both were hosted by the BPFI in Dublin.  This group will add value to the payments industry by using the unique and extensive EAST National Member platform and Associate Member network to provide information and outputs that are not currently available elsewhere.  Law Enforcement participation is from Europol and the US Secret Service.

In addition to the work of the above groups, we supported Law Enforcement during the year by presenting at:  the Europol Training on Payment Card Forensics; an INTERPOL event focussed on countering Cyber and Financial Crimes; Europol’s 4th Strategic Payment Card Fraud meeting in Asia; and Europol’s first combined Strategic Payment Card Fraud Meeting with representatives from Asia-Pacific, Europe and Latin America.

We took part in the 5th Europol-INTERPOL Cybercrime Conference and formalised a relationship with ASEANAPOL, another step forward in addressing the consequences of the spread of the activities of organised criminal groups across regions and globally.

We also presented at the following private sector events: the MasterCard Global Risk Leadership Conference – Europe, the NCR Fraud & Security Summit, the Third Latin America Security Forum, and the General Assembly of Vigie Billet.

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European Payment Terminal Crime Reports and European Fraud Updates.  Our thanks again go out to all the people and organisations that have shared information for the above, and for EAST Fraud Alerts (41 sent out this year to date), and EAST ATM Physical Attack Alerts (12 sent out this year to date).  Our first Payment Alert is expected to be published shortly.

EAST Associate Membership continues to grow.  We now have 192 Associate Member organisations from 52 countries and territories.  This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations.

Wherever you are reading this I would like to wish you a wonderful festive break and a very happy New Year!

Kind regards

Lachlan

 

Viewpoint: Poll indicates malware and black box attacks are biggest fraud risk to the ATM channel

In a website research poll that ran from May to August 2017 participants were asked how they saw fraud risk developing for ATMs. 67% of respondents felt that malware and black box attacks were the biggest risk, 20% went for card skimming, 7% chose social engineering, and cash trapping and card trapping were each chosen by 3%. The poll results can be seen in the chart below.

black box

This poll result is in line with EAST’s published European ATM fraud statistics, with reports that date back to 2004.  Over the past thirteen years we have seen fraud trends change, particularly since the EMV (Chip and PIN) roll out commenced.  Most recently we have seen an increase in black box attacks, as highlighted in an ATM Crime Report published by EAST in April 2017 and covering the full year 2016.

The current website research poll, which closes at the end of December, is on Payment Fraud and asks if you have experienced losses due to payment fraud over the past two years, how long did it take to get reimbursed?  To take it, and to see all past results, visit the Payment and Terminal Research page on this website.

Viewpoint: Has your payment card been compromised and , if so, where?

In a website research poll that ran from January to April 2017 cardholders who had had a payment card compromised were asked if they knew where the compromise took place. 33% of respondents answered ‘during an online transaction’, 14% ‘at an ATM’, 14% ‘at a petrol (gas) station’ ,10% ‘due to a data breach’. and 5% ‘at a merchant terminal’.  24% did not know where the compromise took place. The poll results can be seen in the chart below.

 

How safe you feel as a cardholder when making a card-based payment transaction is of paramount concern to the industry.  The EAST Payments Task Force (EPTF) is focusing on payment research.

The current website research poll, which closes at the end of August is on ATM fraud and asks what you feel is the biggest fraud risk to the ATM channel over the next few years?  To take it, and to see all past results, visit the ATM Research Page on this website.

Viewpoint: What is the highest risk for card-based payment transactions?

In a website research poll that ran from September to December 2016 cardholders were asked, in a card present scenario, which type of transaction they felt is least secure.  31% of respondents answered ‘using an ATM’, 29% ‘using a mobile phone’, 26% ‘using a retail payment terminal’ and 14% ‘using contactless technology’.  The poll results can be seen in the chart below.

Most people make card-based payment transactions on a regular basis.  When doing so trust in the security of the transaction is vital.  The industry consistently works to ensure that this trust is not-misplaced by monitoring transactions and by putting effective security measures in place.

That being said criminals continue to work at finding weak points in current security measures and in developing new ways to fraudulently obtain cash.  This results in ‘technology chase’ as both sides react to the actions of the other.

How safe you feel as a cardholder when making a card-based payment transaction is of paramount concern to the industry.  The EAST Payments Task Force (EPTF) is currently focusing on payment research.

The current website research poll, which closes at the end of April, is also on payment security and asks those who have had a payment card compromised for information on where the compromise took place.  To take it, and to see all past results, visit the ATM Research Page on this website.