EAST Poll indicates consumer confidence in NFC payment transactions

Respondents to an online poll run by EAST from September to December 2020 indicated that they were either ‘completely satisfied’ (67%) or ‘satisfied’ (33%) that their payment details are safe when making an NFC payment transaction using a smartphone.

There are currently 3.5 billion smartphone users in the world, which means 44.81% of the world’s population owns a smartphone.

Banks and retailers are using the facility to reach their customers and see smartphones as an opportunity to make the consumer payment experience a convenient and seamless one.

Consumers can use Near-Field-Communication (NFC) technology on their smartphone to make contactless payments in stores and to pay for goods and services using in-app payment tools. During the Covid-19 pandemic the limit for a contactless transaction has been lifted in many countries and now averages €50 across the European area.

In making payments easier to manage and more accessible for consumers, there is an underlying risk that access to that information is also made easier for the criminal element, aiming to capture the payment data used by unsuspecting consumers.

While the industry continues to build solutions and barriers to this criminal activity the EAST Payment Task Force (PTF) is examining consumer behaviour and focussing on the security of smartphones used to make NFC payments for goods and services.  On 5th January 2021 an EAST Payment Alert was issued – it covers social engineering used to get financial institution clients to install software that is infected with the Anubis malware on their smartphone.  EAST Alerts and Reports are available to EAST Members.

Message From The Executive Director

What a year it has been!  The major impact of the Covid-19 pandemic for EAST has been that our platforms have had to meet virtually since March.  On behalf of the EAST Board, I would like to thank all those who have worked so hard to provide information, time, and resources to help us to meet our targets and objectives during the year.  Otto de Jong, EAST Founder Member and EGAF Chair, and Martine Hemmerijckx, EAST Co-Founder and Director, were presented with awards in recognition of their ongoing commitment and dedication to the development of EAST, and to their significant contribution to security in the payments industry.

We held our 50th National Member meeting in Vienna in February (hosted by PSA), and then the plan was to hold our first Global Congress in The Hague in June.  Instead we held a virtual meeting for our National and Global Members (our 1st Interim Meeting), which was followed by a second virtual meeting in October (our 2nd Interim Meeting).  On current plans our 3rd Interim Meeting will be held in February 2021, and we hope to be able to hold our 1st Global Congress in The Hague in June 2021.

The EAST Expert Group on All Terminal Fraud (EGAF), chaired by Otto de Jong of ING Bank, held three meetings in January, May and September, the first hosted by ING in Amsterdam and the other two as virtual meetings.

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP), chaired by Graham Mott of the LINK Scheme, held two meetings in March and September, the first in The Hague, hosted by the LINK Scheme, and the second as a virtual meeting.

The EAST Payments Task Force (EPTF), chaired by EAST Development Director Rui Carvalho, held two meetings in April and November, both of which were virtual meetings.

Some other key activities during 2020 were:

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European Payment Terminal Crime Reports and Fraud Updates.  This year we introduced a new reporting template for our National and Global Members covering: Fraud Type; Fraud Origin; Due Diligence; and Physical Attacks.  This enabled us to reformat our Fraud Update and the first one with the new look was published in July 2020.  Our thanks again go out to all the people and organisations that have shared information for the above, and for EAST Fraud Alerts (31 sent out this year to date), EAST Physical Attack Alerts (7 sent out this year to date) and EAST Payment Alerts (5 sent out this year to date).  EAST EGAF also published a general Security Alert relating to Transaction Reversal Fraud (TRF).

This year we launched our new Global Membership category to enhance our intelligence capabilities and to reflect the fact that organised criminal groups are increasingly global in operation.  Global Members attend and receive outputs from EAST Interim Meetings and EAST Global Congress Meetings.

We now have 209 Associate Member organisations from 53 countries and territories. This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations.

Here’s hoping that the new year allows us to return to holding in-person meetings and events.  We are planning to commence ‘Hybrid Meetings’ from April next year, but this is of course dependent on many factors outwith our control.

Every best wish to all readers for a wonderful festive break and a very happy New Year.  And of course, Stay Safe!

Kind regards

Lachlan

Viewpoint: Covid-19, Cash, and the future of payments

Covid-19 (coronavirus) has had a huge impact on our lives and what was perceived to be normal before the pandemic, may now no longer be so as we come to terms with the long-term implications. One factor is how we treat cash.  Before the pandemic started cash usage was declining in many countries, but the demise of cash was still predicted to be many years away – people still liked to use it because cash transactions are generally invisible and also because it is a familiar and trusted payment mechanism. Older people, who often do not have the same digital footprint as younger generations, also prefer it.

During the Covid-19 pandemic cash usage has plummeted in many countries, partly because of fears that Covid-19 can be transmitted by cash, and partly because people have been locked down at home and only going out to shop for essential items. Scientific evidence suggests that the probability of viral transmission via banknotes is low when compared with other frequently touched objects, such as credit card terminals or PIN pads. There may also be a perceived risk of contagion when using cash or non-contactless payment mechanisms due to proximity to another person.

However, this pandemic could speed up the shift towards digital payments, which could open a divide in access to payment instruments, and that could have a negative impact on the unbanked and on older consumers. Some central banks are urging continued acceptance of cash.

From May to August 2020 EAST ran a poll on this topic, the results of which can be seen in the chart below:

  • The majority of the respondents (50%) would use contactless payments whenever possible
  • 25% are using a mix of payment mechanisms but prefer not to use cash unless they have to
  • 9% are still mainly using cash
  • 8% are using a mix of payment mechanisms but are happy to use cash whenever they need to
  • 8% have not used cash and don’t plan to

Corporate Network Attacks

In August 2020 EAST published Central/Host Fraud definitions which cover corporate attacks against central infrastructure like banking host systems in order to perform different Modus Operandi not directly connected to a Terminal.  These definitions were produced by the EAST Expert Group on All Terminal Fraud (EGAF).

The compromise of a corporate network is the first step in these types of incidents.  This can be done by external attackers as well as by internal employees of the institution.  Attackers typically try to get access to this critical infrastructure, enabling the three different Corporate Network Attacks shown below.

  • Card Processing
  • Fund Transfer
  • Remote Malware Distribution and Control

The third one relates to control of a financial institution’s network leading to illegitimate file distribution in order to install and execute ATM specific malware.  The different malware Modus Operandi actually used within the corporate network attack can be Jackpotting (also known as ATM Cash-out), Man-in-the-Middle (MITM) and SW-Skimming.  These are described in EAST’s Terminal Fraud Definitions.

In October 2020 the PCI Security Standards Council (PCI SSC) released a bulletin, ‘The Threat Of ATM Cash-Outs Payment Security’.

EAST Executive Director Lachlan Gunn speaks to Jeremy King, the PCI SSC Regional Head for Europe and Otto de Jong, Chair of EAST EGAF and DBNL Anti-Fraud Officer for ING.

Lachlan Gunn:  Thank you both for agreeing to speak today on this key issue.

Why did EAST produce Central/Host Fraud Definitions?

Otto de Jong:  It is vital that the way that corporate network attacks are described is consistent to allow law enforcement and industry responders to accurately report what they are seeing in a way that allows for standardisation of reporting.  This optimises the ability of organisations to mitigate and defend against the evolving threats and helps law enforcement when conducting follow up investigations to such crimes.  The aim is for these fraud definitions to be adopted globally by the Industry and Law enforcement when describing or reporting payment terminal fraud.  The INTERPOL Financial Crimes Unit is recommending the usage of EAST definitions for Payment Card Fraud, and we hope that other law enforcement agencies will do the same.

Why did the PCI Security Standards Council issue an industry threat bulletin on ATM Cash-outs?

Jeremy King: We have heard from many of our stakeholders in the European payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA, whose industry is well aware of these daily threats.

Otto de Jong:  This is indeed timely.  The most recent EAST Payment Terminal Crime Report shows that ‘cash-out’ through black box attacks is a growing threat.  ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks.

What businesses are at risk of this devious attack?

Jeremy King: Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple countries throughout Europe and around the world as the result of this highly organised, well-orchestrated criminal attack.

Otto de Jong: In addition to financial institutions and payment processors, recent corporate network attacks have demonstrated that this is also a threat to key infrastructure companies like utility companies, universities, hospitals and so on.   This year the corporate network attack threat is evolving from targeting the payment system (cash out or swift transactions) to ransomware attacks (bitcoins).

What are some detection best practices to detect these threats before they can cause damage?

Jeremy King: Since ATM ‘cash-out’ attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools

Otto de Jong: Monitoring systems can also be compromised.  Checking of related monitoring mechanisms, such as those operated globally by card schemes, can be helpful to identify this kind of attack.

What are some prevention best practices to stop this attack from happening in the first place?

Jeremy King: The best protection to mitigate against ATM ‘cash-outs’ is to adopt a layered defence that includes people, processes, and technology. Some recommendations to prevent ATM ‘cash-outs’ include:

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS

Otto de Jong: In addition, every institution with an IT infrastructure should perform a threat risk assessment to spot weaknesses in their system.  This should be evaluated on an annual basis.  Performing penetration tests annually by independent assessors must be part of such an assessment.

Lachlan Gunn:  That concludes the Q&A session.  Many thanks again to you both.  Hopefully this will help to further raise awareness of the risks posed by corporate network attacks, what can be done to detect them, how to protect against them and also how to classify attacks to allow for accurate reporting and follow up by law enforcement and the industry.
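The velocity-monitoring and limit-change controls discussed in the Q&A above, worked through as an added Python example that is not EAST's, the PCI SSC's or any vendor's code: it replays a constructed, hypothetical stream of host events and flags the cash-out signature of a remote limit change followed by a burst of withdrawals from one card across several ATMs and countries. The event shape and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumed illustrative values; real ones are tuned per institution.
WINDOW = timedelta(minutes=10)
MAX_WITHDRAWALS = 5      # withdrawals per card within WINDOW
MAX_AMOUNT = 5000        # total withdrawn per card within WINDOW
MAX_COUNTRIES = 2        # distinct countries per card within WINDOW
BURST_AFTER_CHANGE = 3   # withdrawals within WINDOW of a remote limit change

# Constructed sample events in a hypothetical shape:
# (timestamp, kind, card, source, country, amount).
# card-1001 shows the cash-out pattern: a remote limit change on the host,
# then a burst of withdrawals at ATMs in several countries within minutes.
# card-2002 is ordinary use and must not alert.
SAMPLE_EVENTS = [
    ("2020-10-01T01:58:00", "limit_change", "card-1001", "host", "NL", 50000),
    ("2020-10-01T02:00:10", "withdrawal", "card-1001", "ATM-DE-17", "DE", 1000),
    ("2020-10-01T02:00:40", "withdrawal", "card-1001", "ATM-PL-03", "PL", 1000),
    ("2020-10-01T02:01:05", "withdrawal", "card-1001", "ATM-ES-21", "ES", 1000),
    ("2020-10-01T02:01:30", "withdrawal", "card-1001", "ATM-DE-09", "DE", 1000),
    ("2020-10-01T02:02:00", "withdrawal", "card-1001", "ATM-IT-11", "IT", 1000),
    ("2020-10-01T02:02:25", "withdrawal", "card-1001", "ATM-FR-02", "FR", 1000),
    ("2020-10-01T09:15:00", "withdrawal", "card-2002", "ATM-NL-05", "NL", 100),
    ("2020-10-01T18:40:00", "withdrawal", "card-2002", "ATM-NL-05", "NL", 50),
]


def monitor(events):
    """Replay events in time order; return (card, rule, value) alerts, one per card and rule."""
    recent = defaultdict(deque)   # card -> (ts, country, amount) inside the sliding window
    limit_changed_at = {}         # card -> time of the last remote limit/balance change
    alerts, fired = [], set()

    def raise_alert(card, rule, value):
        if (card, rule) not in fired:       # report each rule once per card
            fired.add((card, rule))
            alerts.append((card, rule, value))

    for ts_str, kind, card, _source, country, amount in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if kind == "limit_change":
            limit_changed_at[card] = ts     # the kind of change that merits step-up approval
            continue
        if kind != "withdrawal":
            continue
        window = recent[card]
        window.append((ts, country, amount))
        while ts - window[0][0] > WINDOW:   # age out events older than WINDOW
            window.popleft()

        count = len(window)
        total = sum(a for _, _, a in window)
        countries = {c for _, c, _ in window}
        if count > MAX_WITHDRAWALS:
            raise_alert(card, "velocity_count", count)
        if total > MAX_AMOUNT:
            raise_alert(card, "velocity_amount", total)
        if len(countries) > MAX_COUNTRIES:
            raise_alert(card, "multi_country", len(countries))
        changed = limit_changed_at.get(card)
        if changed is not None and ts - changed <= WINDOW and count >= BURST_AFTER_CHANGE:
            raise_alert(card, "burst_after_limit_change", count)
    return alerts


if __name__ == "__main__":
    for card, rule, value in monitor(SAMPLE_EVENTS):
        print(f"ALERT {card}: {rule} ({value})")
```

As Otto de Jong notes, a monitor like this can itself be compromised, so its alerts are worth cross-checking against the card scheme's own monitoring.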

Viewpoint: Biometric ATMs

Would you use a biometric solution to authorise an ATM transaction?  According to the latest EAST research poll the majority would now use such technology, but for many this would only be after a full explanation as to how their personal data would be controlled.

Biometric ATMs are well established in Japan, where tens of thousands are in operation, and their usage is spreading in other countries – banks in Hong Kong, Qatar, Poland, South Africa and Taiwan are also deploying the technology. A common system is ‘finger vein’ identification technology. The transaction is authorised by a finger scan, rather than by entering a PIN. The finger vein technology maps the internal vein system within a finger, and will only accept a living finger, meaning that authentication requires the customer to be present in person each and every time.

From September to December 2019 EAST ran a poll on this topic, the results of which can be seen in the chart below.

  • The majority of the respondents (53%) would only use such technology after full explanation as to how their personal data will be held and controlled
  • 26% would be happy to use such technology in place of their PIN
  • 21% would not use such technology due to concerns about personal data privacy

This is a significant change from a similar poll on Biometric ATMs that EAST ran in 2010, when 50% of the respondents said that they would not use such technology due to concerns about personal data privacy, 27% were happy to use such technology, and 23% would only use such technology after full explanation as to how their personal data will be held and controlled.

Viewpoint: Payment Security

Payment security is relevant to all cardholders.  According to the latest EAST research, the majority would contact their bank with an issue.

Most of us use payment cards on a regular basis for online transactions and for transactions at payment terminals.  Having something happen to your card while using a payment terminal can therefore be a great inconvenience.  For example a card can be retained by an ATM – while this might be at the request of your bank, it can also be due to fraudulent activity such as card trapping.  Also your card might be compromised at a terminal due to card skimming, or it might be compromised due to a data breach at a third party.

From January to April 2019 EAST ran a poll which asked the question ‘If you had a payment card related issue while using a payment terminal (ATM, POS or UPT) which party would you be most likely to contact?’  The results can be seen in the chart below.

  • The majority of the respondents (80%) would contact their card issuing bank
  • 12% would contact a central fraud line
  • 4% would contact the owner of the payment terminal or the merchant where payment was done
  • 4% would directly contact the police

Viewpoint: Contactless transactions

Contactless transactions are increasingly used as the payment landscape continues to evolve.  Cardholders are enjoying faster payments and the ability to pay how they want, either using a card, or NFC if their smartphone has the required app. The ability to Tap & Go is convenient for both cardholders and retailers. As no PIN is required for a contactless transaction (up to the floor limit allowed in the market), there are risks if a contactless card or NFC enabled device is lost or stolen.

From September to December 2018 EAST ran a poll which asked the question ‘What is most important to you when making a contactless transaction?’  The results can be seen in the chart below.

  • The majority of the respondents felt that ‘security and speed’ was most important – 41% feeling that a PIN is required for larger transactions over an agreed limit and 28% feeling that a PIN is required only after a user-defined amount limit.
  • 17% felt that speed alone was most important, and that a PIN was not required
  • 8% felt that security was most important and that a PIN should be used for all contactless transactions.
  • 6% chose speed and security, feeling that no PIN should be required when shopping at specified merchants

Viewpoint: PSD2 will revolutionise the payments system

All respondents to an EAST Poll that ran from May to August 2018 felt that the new Payment Services Directive 2 (PSD2) will revolutionise the payments system.  58% felt that it would have an impact on a medium- or short-term basis and 42% felt that the impact would be on a long-term basis.

PSD2 came into force on 13 January 2018. Banks need to adapt to the required changes that open many technical challenges, but also many strategic opportunities, such as collaborating with fintech providers, for the future.  The PSD2 aims are to:

  • better protect consumers when they pay online
  • promote the development and use of innovative online and mobile payments such as through open banking
  • make cross-border European payment services safer.

PSD2 is an EU Directive, administered by the European Commission (Directorate General Internal Market) to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA).

Message from the Executive Director

Another year is drawing to a close.  On behalf of the EAST Board I would like to thank everyone who has contributed towards the success of EAST this year – as a non-profit organisation on a tight budget we very much depend on the contributions made by our members towards our outputs.

This month we published upgraded Terminal Fraud Definitions to illustrate what the criminal target outcome is for each fraud type.  This is a major step forward in standardising the classification of terminal fraud, which will hopefully help to continue to drive down related fraud losses – this will benefit the industry and law enforcement agencies globally when working to prevent payment terminal related crime, or in the follow up to specific cases.  This work would not have been possible without the creative input of Ben Birtwistle (NatWest Bank Plc) and Claire Shufflebotham (TMD Security).

We held National Member meetings in Frankfurt in February (our 44th Meeting hosted by EURO Kartensysteme GmbH), in The Hague in June (our 45th Meeting hosted by EC3 at Europol) and in London in October (our 46th Meeting hosted by the LINK Scheme).  The 46th Meeting was immediately followed by a Terminal Fraud Seminar and an ATM Physical Attacks Seminar.  These successful events were organised by our Financial Crime & Security (FCS) Events team and were co-located with RBR’s ATM & Cyber Security Conference 2018 (#ACS18).  These events are planned to be held again in October 2019 and for more information please check our new Events Website which went ‘live’ during the year.

The EAST Expert Group on All Terminal Fraud (EGAF), chaired by Otto de Jong, held two meetings in January and September, both hosted by ING in Amsterdam.  EGAF produced the upgraded Terminal Fraud Definitions and also worked with Europol on an update to the published ‘Guidance and Recommendations to help counter Logical Attacks at ATM’s’.  The updated version will soon be published by Europol.  Law Enforcement participation is from Europol, INTERPOL, the US Secret Service, the BKA and the French Gendarmerie (IRCGN).

The EAST Expert Group on ATM and ATS Physical Attacks (EGAP), chaired by Graham Mott, held two meetings in March and September, both in The Hague, one hosted by Europol and the other by the LINK Scheme.  Law Enforcement participation in this group continues to increase, with LEAs from 10 different countries participating, in addition to Europol.

The EAST Payments Task Force (EPTF), chaired by Rui Carvalho, held two meetings in April and November, both hosted by the BPFI in Dublin.  This group has recently produced Payment Fraud Terminology and definitions, used when producing Payment Alerts and other documents. The aim is for this terminology to be adopted globally when describing or reporting payment and transaction fraud.  Law Enforcement participation is from Europol, INTERPOL and the US Secret Service.

In addition to the work of the above groups, we supported Law Enforcement during the year by presenting at: a seminar on Fraud in Electronic Payments organised by the Portuguese Judicial Police; Europol’s 5th Strategic Meeting on Payment Card Fraud held in Hanoi, Vietnam; the Europol Training on Payment Card Forensics; by attending Europol’s Cryptocurrency Conference; and most recently by joining Europol’s Advisory Group on Financial Services.

We also presented at the following public and private sector events: the Fourth Annual Latin American Forum on Security in Payment Systems, and the CyberSouth Regional Workshop on Business Email Compromise (CEO Fraud) and Electronic Payment Fraud.

EAST continues to keep abreast of the latest fraud trends and crime information, publishing our European Payment Terminal Crime Reports and European Fraud Updates.  Our thanks again go out to all the people and organisations that have shared information for the above, and for EAST Fraud Alerts (34 sent out this year to date), EAST Physical Attack Alerts (10 sent out this year to date) and most recently EAST Payment Alerts (6 sent out this year to date).  This year the total number of Fraud Alerts published passed 200!

EAST Associate Membership continues to grow.  We now have 202 Associate Member organisations from 52 countries and territories.  This membership category is open for worldwide application to all Banks, Law Enforcement (free membership available), and other approved ATM Stakeholder organisations.

Wherever you are reading this I would like to wish you a wonderful festive break and a very happy New Year!

Kind regards

Lachlan